NetScaler 11.1 - Headers Corrupted when Load Balancing IPv6 to IPv4 Backend and Client IP is Enabled
Article ID: CTX223307
Description
The HTTP header gets corrupted when a load balancer has an IPv6 front end and an IPv4 backend.
The Client IP field is inserted into the header of requests forwarded to the service:
add serviceGroup XXXXXX HTTP -td xx [...] -cip ENABLED X-Forwarded-For
Several space characters (0x20) are added at the end of the "X-Forwarded-For" header field.
The Client IP field is 32 bits long, so when the IP is in the format 123.123.123.123 there are no space characters. If the IP is shorter than 32 bits, there are spaces at the end.
The rest of the original header fields are not inserted into the HTTP packet after that.
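Added example (not part of the Citrix article): a Python check that a backend operator could run over raw request bytes captured on the IPv4 server to spot the symptoms described above. The function name, the constructed sample requests and the "Host is missing" truncation heuristic are assumptions made for illustration.

```python
import ipaddress

def check_cip_header(raw: bytes, name: bytes = b"X-Forwarded-For") -> list:
    """Return findings for one raw HTTP request head as seen by the backend."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    fields = head.split(b"\r\n")[1:]              # drop the request line
    findings = []
    for idx, line in enumerate(fields):
        key, colon, value = line.partition(b":")
        if not colon or key.strip().lower() != name.lower():
            continue
        value = value.lstrip(b" \t")              # optional whitespace after ':'
        ip_text = value.rstrip(b" ")              # strip only 0x20 padding
        pad = len(value) - len(ip_text)
        if pad:
            findings.append(
                f"{pad} trailing 0x20 byte(s) after {ip_text.decode('latin-1')!r}")
        try:                                      # assumption: one address expected
            ipaddress.ip_address(ip_text.decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            findings.append("value is not a single IP address")
        # Heuristic (assumption): an HTTP/1.1 request always carries Host, so a
        # request ending at this header without Host lost its original fields.
        has_host = any(f.lower().startswith(b"host:") for f in fields)
        if idx == len(fields) - 1 and not has_host:
            findings.append("no header fields follow and Host is missing")
        return findings
    return ["header not present"]

# Constructed samples, not captured traffic.
PADDED_SAMPLE = (b"GET / HTTP/1.1\r\n"
                 b"X-Forwarded-For: 10.1.2.3" + b" " * 7 + b"\r\n\r\n")
HEALTHY_SAMPLE = (b"GET / HTTP/1.1\r\n"
                  b"Host: app.example\r\n"
                  b"X-Forwarded-For: 123.123.123.123\r\n"
                  b"Accept: */*\r\n\r\n")

if __name__ == "__main__":
    for label, sample in (("padded", PADDED_SAMPLE), ("healthy", HEALTHY_SAMPLE)):
        print(label, check_cip_header(sample) or "ok")
```

An empty list means the header looks well formed; running the same check after applying one of the resolutions below confirms the backend again receives the full header set.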
Resolution
- Upgrade to 11.1 54.14
- Add a rewrite policy which will insert the Client IP (X-Forwarded-For field) into the header:
enable ns feature REWRITE
add rewrite action RewActCliIp insert_http_header X-Forwarded-For CLIENT.IP.SRC
add rewrite policy RewIntCliIp true RewActCliIp
bind lb vserver VS_web -policyName RewIntCliIp -priority 100 -gotoPriorityExpression END -type REQUEST
- Avoid using the CIP functionality (X-Forwarded-For field)
Problem Cause
The NetScaler appliance sends malformed HTTP headers to the server if insertion of the client address is configured on a service in a non-default traffic domain (TD).
[From Build 53.13] [# 675352]
Additional Information
https://www.citrix.com/content/dam/citrix/en_us/documents/downloads/netscaler-adc/NS-11-1-54-14.html