we are trying to run several instances of HAProxy (v1.7.3) behind a NetScaler VPX (Version 11.0 64.34) and want to use the NetScaler CIP feature so that the original IP of the client can be passed through HAProxy.
The haproxy.cfg listener looks like this:

    listen weblistener
        bind *:80 accept-netscaler-cip 4711
        tcp-request connection expect-netscaler-cip layer4
        mode tcp
        option tcplog
        server s1 192.168.0.123:8000 check
The NetScaler sends the CIP packet as specified here: https://support.citrix.com/article/CTX205670 and the packet looks as expected after taking a tcpdump and viewing it in Wireshark. But the analysis in HAProxy fails with ‘CO_ER_CIP_BAD_PROTO’ at line 784 (IP version not v4/v6).
An exemplary CIP header arriving in HAProxy looks like this:
0x00 0x00 0x12 0x67 0x00 0x00 0x00 0x34 0x00 0x01 0x00 0x28 0x45 0x00 0x00 0x28 0x5c 0xef 0x40 0x00 0x3e 0x06 0x39 0x08 0xbe 0x64 0xdc 0x99 0x0a 0x70 0x01 0x6b 0xe3 0xfc 0x00 0x50 0xba 0x67 0x50 0x9e 0x9e 0xcc 0x0e 0xcd 0x50 0x10 0x72 0x10 0xf9 0xfe 0x00 0x00
where the beginning parts are:

    Magic Number:    0x00 0x00 0x12 0x67
    CIP Length:      0x00 0x00 0x00 0x34
    Type:            0x00 0x01
    CIP Header size: 0x00 0x28
    IP Version:      0x45 0x00 0x00 0x28
Based on this header and the specification from Citrix, the code part in HAProxy which analyses the CIP seems to be incorrect in 2 places:
1. The “IP Version” bytes start at index 12 as specified by Citrix. Hence the correct increment here would be 12 (instead of 8) in our eyes. We patched the code for testing purposes and with the increment of 12 the IP version analysis works as expected and also the source IP retrieval worked fine.
2. The line pointer is incremented by the length of the CIP, hence the pointer should be decremented by the amount used in item 1 (8 or 12, depending what is correct).
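A parser for the CIP layout shown above, added here as an example (it is not HAProxy's or Citrix's code): it decodes the 52-byte sample header from this post, reading the 12-byte CIP preamble and then the embedded IP and TCP headers at offset 12, and it reports the IP version nibble found at any offset so the offset 8 vs. offset 12 question can be checked against the bytes. CIP_MAGIC is taken from the sample bytes, not from a specification.

```python
import struct
from ipaddress import ip_address

# Magic value as it appears in the sample header (bytes 0x00 0x00 0x12 0x67).
CIP_MAGIC = 0x1267

# Constructed sample: the 52-byte CIP header quoted in the post, as raw bytes.
SAMPLE_CIP = bytes.fromhex(
    "00001267 00000034 0001 0028"                        # magic, CIP length, type, header size
    "4500 0028 5cef 4000 3e06 3908 be64dc99 0a70016b"   # IPv4 header (20 bytes)
    "e3fc 0050 ba67509e 9ecc0ecd 5010 7210 f9fe 0000"   # TCP header (20 bytes)
)

def cip_ip_version(buf: bytes, ip_offset: int) -> int:
    """Return the IP version nibble found at ip_offset within the CIP record."""
    return buf[ip_offset] >> 4

def parse_cip(buf: bytes, ip_offset: int = 12) -> dict:
    """Parse a CIP record; the embedded IP header is read starting at ip_offset."""
    if len(buf) < 12:
        raise ValueError("short CIP preamble")
    magic, cip_len, cip_type, hdr_size = struct.unpack("!IIHH", buf[:12])
    if magic != CIP_MAGIC:
        raise ValueError(f"bad CIP magic 0x{magic:x}")
    if cip_len > len(buf):
        raise ValueError(f"CIP length {cip_len} exceeds buffer of {len(buf)} bytes")
    ip = buf[ip_offset:cip_len]          # embedded IP header + transport header
    version = cip_ip_version(buf, ip_offset)
    if version == 4:
        l3_len, proto = (ip[0] & 0x0F) * 4, ip[9]
        src, dst = ip_address(ip[12:16]), ip_address(ip[16:20])
    elif version == 6:
        l3_len, proto = 40, ip[6]
        src, dst = ip_address(ip[8:24]), ip_address(ip[24:40])
    else:
        # Same condition the post reports: the version nibble is neither 4 nor 6.
        raise ValueError(f"bad IP version {version} (CO_ER_CIP_BAD_PROTO)")
    sport = dport = None
    if proto in (6, 17):                 # TCP or UDP: ports follow the IP header
        sport, dport = struct.unpack("!HH", ip[l3_len:l3_len + 4])
    return {"cip_len": cip_len, "type": cip_type, "hdr_size": hdr_size,
            "version": version, "proto": proto, "src": str(src), "dst": str(dst),
            "sport": sport, "dport": dport}

if __name__ == "__main__":
    print(parse_cip(SAMPLE_CIP))
    print("version nibble at offset 8:", cip_ip_version(SAMPLE_CIP, 8))
```

On this sample the version nibble at offset 8 is 0 (the first byte of the Type field), which is exactly the v4/v6 check failing, while offset 12 yields 4 and the original client address 190.100.220.153.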
Does anyone have deeper knowledge of NetScaler CIP and can review our findings in order to determine the cause of the problem? Maybe the version of our NetScaler is too new or too old?