App Firewall blocking most web applications after upgrade to 12.1_49+

Article ID: CTX239367

Description

App Firewall blocks requests to all web applications since the upgrade to 12.1 build 49.23.nc.

/var/log/ns.log:

Nov 14 04:57:35 <local0.info> 192.168.100.100 CEF:0|Citrix|NetScaler|NS12.1|APPFW|APPFW_INV_RFC|6|src=10.10.10.10 spt=31052 method=POST request=https://test.vk.repro/cgi/login msg= Request with Content-Length as Zero cn1=33976 cn2=56514 cs1=App_fw_Prof cs2=PPE1 cs4=ALERT cs5=2018 act=blocked
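As an added example that is not part of the Citrix article, the following Python script parses NetScaler APPFW CEF entries from ns.log, such as the one above, and counts the APPFW_INV_RFC blocks that carry the "Request with Content-Length as Zero" message, per target host and per App Firewall profile. This lets an administrator see which applications the new check is affecting before deciding whether to apply the workaround. The first sample line is the article's own entry; the remaining lines, the host names and the profile name Other_Prof are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of /var/log/ns.log. The first line is the entry quoted in the
# article; the other three are invented variants (a second host, a different APPFW
# check, and a profile in log-only mode) so the filter has something to reject.
SAMPLE_NS_LOG = """\
Nov 14 04:57:35 <local0.info> 192.168.100.100 CEF:0|Citrix|NetScaler|NS12.1|APPFW|APPFW_INV_RFC|6|src=10.10.10.10 spt=31052 method=POST request=https://test.vk.repro/cgi/login msg= Request with Content-Length as Zero cn1=33976 cn2=56514 cs1=App_fw_Prof cs2=PPE1 cs4=ALERT cs5=2018 act=blocked
Nov 14 04:57:36 <local0.info> 192.168.100.100 CEF:0|Citrix|NetScaler|NS12.1|APPFW|APPFW_INV_RFC|6|src=10.10.10.11 spt=31100 method=POST request=https://app2.example.test/api/logout msg= Request with Content-Length as Zero cn1=33977 cn2=56515 cs1=App_fw_Prof cs2=PPE1 cs4=ALERT cs5=2018 act=blocked
Nov 14 04:57:40 <local0.info> 192.168.100.100 CEF:0|Citrix|NetScaler|NS12.1|APPFW|APPFW_STARTURL|6|src=10.10.10.12 spt=31200 method=GET request=https://app3.example.test/admin msg=Disallow Start URL cn1=33978 cn2=56516 cs1=App_fw_Prof cs2=PPE1 cs4=ALERT cs5=2018 act=blocked
Nov 14 04:57:41 <local0.info> 192.168.100.100 CEF:0|Citrix|NetScaler|NS12.1|APPFW|APPFW_INV_RFC|6|src=10.10.10.13 spt=31300 method=POST request=https://app2.example.test/api/logout msg= Request with Content-Length as Zero cn1=33979 cn2=56517 cs1=Other_Prof cs2=PPE1 cs4=ALERT cs5=2018 act=not blocked
"""

# CEF header: CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
CEF_HEADER_RE = re.compile(
    r"CEF:(\d+)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|(.*)$")
# A key in the extension is a word followed by '=', at the start or after whitespace.
EXT_KEY_RE = re.compile(r"(?:^|\s)(\w+)=")


def parse_extension(ext):
    """Split the CEF extension into a dict.

    Values may contain spaces (e.g. 'msg= Request with Content-Length as Zero'),
    so each value runs from its '=' up to the start of the next 'key=' token.
    CEF escapes a literal '=' inside a value as '\\=', so it is not mistaken for a key.
    """
    keys = list(EXT_KEY_RE.finditer(ext))
    fields = {}
    for i, m in enumerate(keys):
        start = m.end()
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = ext[start:end].strip()
    return fields


def parse_cef_line(line):
    """Return a dict for a syslog line carrying a CEF record, or None otherwise."""
    m = CEF_HEADER_RE.search(line)
    if not m:
        return None
    _ver, vendor, product, dev_version, sig_id, name, severity, ext = m.groups()
    event = {
        "vendor": vendor,
        "product": product,
        "device_version": dev_version,
        "signature_id": sig_id,
        "name": name,
        "severity": int(severity),
    }
    event.update(parse_extension(ext))
    return event


def is_zero_content_length_block(event):
    """True for an APPFW_INV_RFC event that blocked a request for Content-Length zero."""
    return (
        event is not None
        and event.get("name") == "APPFW_INV_RFC"
        and "content-length as zero" in event.get("msg", "").lower()
        and event.get("act") == "blocked"
    )


def summarize(log_text):
    """Return (total, per_host, per_profile) for zero-Content-Length blocks."""
    per_host = Counter()
    per_profile = Counter()
    total = 0
    for line in log_text.splitlines():
        ev = parse_cef_line(line)
        if is_zero_content_length_block(ev):
            total += 1
            per_host[urlsplit(ev.get("request", "")).netloc] += 1
            per_profile[ev.get("cs1", "")] += 1   # cs1 carries the App Firewall profile name
    return total, per_host, per_profile


if __name__ == "__main__":
    total, per_host, per_profile = summarize(SAMPLE_NS_LOG)
    print(f"{total} request(s) blocked for Content-Length zero")
    for host, n in per_host.most_common():
        print(f"  host    {host}: {n}")
    for prof, n in per_profile.most_common():
        print(f"  profile {prof}: {n}")
```

Run it against a real ns.log by replacing SAMPLE_NS_LOG with the file contents; entries whose act is "not blocked" are excluded on purpose, since those profiles are only logging the check and are not the ones breaking applications.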

Resolution

The RFC compliance profile blocks an HTTP request whose Content-Length header value is zero: 12.1 build 49.23 treats a Content-Length of zero as non-RFC-compliant and therefore blocks the request.

Workaround: Bypassing the RFC compliance check allows the traffic through even when the Content-Length is zero.

Note: This issue will be fixed in a later version.

For example, the following request is blocked:

POST /cgi/login HTTP/1.1
Accept: */*
Accept-Language: da-DK
Content-Type: application/text
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Tablet PC 2.0)
Host: test.vk.repro
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

Problem Cause

This is a new feature added in 12.1 build 49+: within the RFC profile, a POST request with Content-Length '0' is blocked.

Issue/Introduction

After the ADC upgrade to 12.1_49.23, the ADC blocks traffic if an App Firewall policy is bound.