NetScaler Reset with Code 9222

Article ID: CTX693285

Description

Users report being unable to access a specific application. Investigation reveals that the NetScaler is resetting the packet with Reset Code 9222 when the server responds to the client’s request.

Resolution

Disabling the markRfc7230NonCompliantInval parameter will not resolve this issue.

Ensure that the server response does not include both the Transfer-Encoding and Content-Length headers.

Note that with the latest security update, this protection is enabled by default and cannot be disabled.
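One way to check a captured back-end response for the header combination described above. This is an added example, not Citrix code; the function names and the sample responses are constructed for illustration.

```python
from __future__ import annotations

# Flag HTTP/1.x responses that carry both Transfer-Encoding and Content-Length.
# Only the header block is inspected, so header-like text in the body is ignored.

def split_header_block(raw: bytes) -> list[bytes]:
    """Return the header lines (status line excluded) of a raw HTTP/1.x message."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    return head.split(b"\r\n")[1:]  # element 0 is the status line

def framing_headers(raw: bytes) -> dict[str, list[str]]:
    """Collect every Transfer-Encoding and Content-Length value, case-insensitively."""
    found: dict[str, list[str]] = {"transfer-encoding": [], "content-length": []}
    for line in split_header_block(raw):
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # not a header field line
        key = name.strip().decode("latin-1").lower()
        if key in found:
            found[key].append(value.strip().decode("latin-1"))
    return found

def has_te_and_cl(raw: bytes) -> bool:
    """True when both headers are present in the same response."""
    h = framing_headers(raw)
    return bool(h["transfer-encoding"]) and bool(h["content-length"])

# Constructed sample responses (not taken from the article).
CONFLICTING = (b"HTTP/1.1 200 OK\r\n"
               b"Content-Type: text/html\r\n"
               b"content-length: 11\r\n"
               b"Transfer-Encoding: chunked\r\n"
               b"\r\n"
               b"b\r\nhello world\r\n0\r\n\r\n")
CHUNKED_ONLY = (b"HTTP/1.1 200 OK\r\n"
                b"Transfer-Encoding: chunked\r\n"
                b"\r\n"
                b"11\r\nContent-Length: 5\r\n0\r\n\r\n")  # header-like text in body
LENGTH_ONLY = (b"HTTP/1.1 200 OK\r\n"
               b"Content-Length: 5\r\n"
               b"\r\n"
               b"hello")

if __name__ == "__main__":
    samples = {"conflicting": CONFLICTING, "chunked-only": CHUNKED_ONLY,
               "length-only": LENGTH_ONLY}
    for label, raw in samples.items():
        verdict = "BOTH HEADERS PRESENT" if has_te_and_cl(raw) else "ok"
        print(f"{label}: {verdict} {framing_headers(raw)}")
```

Feed it the raw bytes of the server-side response, for example from a packet capture taken between NetScaler and the back-end server.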


Problem Cause

NetScaler logs and error counters indicate that it interprets the HTTP response as RFC 7230 non-compliant, specifically related to HTTP Desync protection mechanisms.

Key contributing factors:

  • The server response includes both Transfer-Encoding and Content-Length headers.
  • According to RFC 7230, these headers must not appear in the same message.
  • This behavior is flagged as a potential HTTP Desync Attack.
  • NetScaler responds with Reset Code 9222 to protect against this type of vulnerability.

Example HTTP error counters observed:

   116      0          4171         5       0 http_err_noreuse_InvalidHeader Thu Mar 13 01:52:47 2025

   119      0          2585         9       1 http_err_rfc7230_desync_ctlen_te Thu Mar 13 01:52:47 2025

According to RFC 7230: [image: Image_2025-04-25_09-30-34.png]