HTTP/2 negotiation in NetScaler for HTTPS traffic

The HTTP/2 protocol addresses the limitations of HTTP/1.1 by transmitting less data over the network and by multiplexing multiple requests and responses across a single connection. At its core, HTTP/2 uses the underlying network connections more efficiently; it changes the way requests and responses travel over the network, not the semantics of HTTP.

HTTP/2 support is negotiated in the TLS handshake between the client and the NetScaler. In the Client Hello, the client sends the application_layer_protocol_negotiation (ALPN) extension, which lists the application-layer protocols (HTTP versions) the client supports, in order of preference:

Extension: application_layer_protocol_negotiation (len=14)
    Type: application_layer_protocol_negotiation (16)
    Length: 14
    ALPN Extension Length: 12
    ALPN Protocol
        ALPN string length: 2
        ALPN Next Protocol: h2
        ALPN string length: 8
        ALPN Next Protocol: http/1.1

HTTP/2 over TLS uses the “h2” protocol identifier. The “h2c” protocol identifier MUST NOT be sent by a client or selected by a server; the “h2c” protocol identifier describes a protocol that does not use TLS.

When the NetScaler sends the Server Hello, it includes the same application_layer_protocol_negotiation extension, this time carrying only the single protocol it has selected:

Extension: application_layer_protocol_negotiation (len=5)
    Type: application_layer_protocol_negotiation (16)
    Length: 5
    ALPN Extension Length: 3
    ALPN Protocol
        ALPN string length: 2
        ALPN Next Protocol: h2

If the NetScaler does not support HTTP/2 negotiation, its Server Hello still carries the application_layer_protocol_negotiation extension, but with http/1.1 as the selected protocol:

Extension: application_layer_protocol_negotiation (len=11)
    Type: application_layer_protocol_negotiation (16)
    Length: 11
    ALPN Extension Length: 9
    ALPN Protocol
        ALPN string length: 8
        ALPN Next Protocol: http/1.1

A deployment of HTTP/2 over TLS 1.2 SHOULD NOT use any of the cipher suites listed in the cipher suite blacklist of RFC 7540, Appendix A (https://tools.ietf.org/html/rfc7540#appendix-A).

As per RFC 7540, deployments of HTTP/2 that use TLS 1.2 MUST support TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 with the P-256 elliptic curve. In short, the NetScaler must be configured to accept TLS 1.2 ECDHE cipher suites, so that the Server Hello it sends selects an ECDHE cipher. Only then will the NetScaler return h2 as the value of the application_layer_protocol_negotiation extension.
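As an added example (not code from the original article or from NetScaler), the following Python encodes and decodes the ALPN extension exactly as laid out in the dumps above (type 16, extension length, list length, one-byte length-prefixed names) and applies the server-side selection rule the article describes: h2 is chosen only when the client offered it and the negotiated cipher suite is an ephemeral-key AEAD suite. The cipher check is an approximation of the RFC 7540 Appendix A blacklist rather than the literal list, and all function names are my own.

```python
import struct

ALPN_EXT_TYPE = 16  # TLS extension type: application_layer_protocol_negotiation


def build_alpn_extension(protocols):
    """Encode an ALPN extension: type(2) | length(2) | list length(2) | (len(1) name)*."""
    body = b"".join(bytes([len(p)]) + p.encode("ascii") for p in protocols)
    inner = struct.pack("!H", len(body)) + body
    return struct.pack("!HH", ALPN_EXT_TYPE, len(inner)) + inner


def parse_alpn_extension(data):
    """Decode an ALPN extension; raise ValueError on any length inconsistency."""
    if len(data) < 6:
        raise ValueError("ALPN extension too short")
    ext_type, ext_len = struct.unpack("!HH", data[:4])
    if ext_type != ALPN_EXT_TYPE or ext_len != len(data) - 4:
        raise ValueError("not a well-formed ALPN extension")
    (list_len,) = struct.unpack("!H", data[4:6])
    if list_len != ext_len - 2:
        raise ValueError("ALPN list length mismatch")
    protocols, pos = [], 6
    while pos < len(data):
        n = data[pos]
        name = data[pos + 1:pos + 1 + n]
        if n == 0 or len(name) != n:      # zero-length or truncated name
            raise ValueError("truncated ALPN protocol name")
        protocols.append(name.decode("ascii"))
        pos += 1 + n
    return protocols


def h2_cipher_allowed(cipher_suite):
    """Approximation (assumption) of RFC 7540 s.9.2.2 / Appendix A: an HTTP/2
    suite must use ephemeral (EC)DHE key exchange and an AEAD bulk cipher."""
    return "DHE" in cipher_suite and any(
        aead in cipher_suite for aead in ("GCM", "CCM", "CHACHA20"))


def select_protocol(client_protocols, selected_cipher, server_supports_h2=True):
    """Server-side ALPN choice. 'h2c' is never selected over TLS; anything that
    is not an acceptable h2 negotiation falls back to http/1.1."""
    if (server_supports_h2 and "h2" in client_protocols
            and h2_cipher_allowed(selected_cipher)):
        return "h2"
    return "http/1.1"
```

build_alpn_extension(["h2", "http/1.1"]) reproduces the 14-byte client extension from the first dump, and the two server variants give lengths 5 and 11 respectively.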

Related:

NetScaler 11.1 – Services flap on VPX / interface hangs seen on XenServer

VIPs go down and services flap.

Interfaces go missing from the configuration.

The sh interface <10/1> command shows 'Stalls' and 'Hangs' in its output.

eg:

Interface 10/1 (10G vNIC Interface, pNIC 10/5) #0
    flags=0xe460 <ENABLED, UP, UP, HAMON, HEARTBEAT, 802.1q>
    MTU=1500, native vlan=1, MAC=x:x:x:x:x:x, uptime 0h34m32s
    Actual: media FIBER, speed 10000, duplex FULL, fctl NONE, throughput 10000
    LLDP Mode: NONE, LR Priority: 1024
    RX: Pkts(63484) Bytes(4422612) Errs(0) Drops(15467) Stalls(0)
    TX: Pkts(58915) Bytes(2474502) Errs(0) Drops(1) Stalls(67)
    NIC: InDisc(0) OutDisc(0) Fctls(0) Stalls(0) Hangs(2) Muted(0)
    Bandwidth thresholds are not set.

Interface 10/2 (10G vNIC Interface, pNIC 10/6) #1
    flags=0x6640 <ENABLED, DOWN, down, HEARTBEAT, 802.1q>
    LACP <Active, Long timeout, key 2, priority 32768>
    MTU=1500, MAC=x:x:x:x:x:x, downtime 8h19m02s
    LLDP Mode: NONE, LR Priority: 1024
    RX: Pkts(11762) Bytes(1144780) Errs(0) Drops(9694) Stalls(0)
    TX: Pkts(115) Bytes(14434) Errs(0) Drops(0) Stalls(4)
    NIC: InDisc(0) OutDisc(0) Fctls(0) Stalls(0) Hangs(3) Muted(0)
    Bandwidth thresholds are not set.

Corresponding eth interface mapping:

"eth2", "mtu" : 1500, "port" : "10/7"
"eth3", "mtu" : 1500, "port" : "10/8"
"eth5", "mtu" : 1500, "port" : "10/6"    <----- this will be marked as DOWN on the VPX
"eth4", "mtu" : 1500, "port" : "10/5"

The NetScaler logs (ns.log) show the following:

ns.log.8:Oct 29 21:55:58 <local0.notice> 10.x.x.x 10/29/2017:16:25:58 GMT hostname 0-PPE-2 : default EVENT DEVICEDOWN 3168881 0 : Device "interface(10/2)" - State DOWN
ns.log.8:Oct 29 21:55:58 <local0.notice> 10.x.x.x 10/29/2017:16:25:58 GMT hostname 0-PPE-1 : default EVENT DEVICEDOWN 3212975 0 : Device "interface(10/2)" - State DOWN
ns.log.8:Oct 29 21:55:58 <local0.notice> 10.x.x.x 10/29/2017:16:25:58 GMT hostname 0-PPE-0 : default EVENT DEVICEDOWN 1351999 0 : Device "interface(10/2)" - State DOWN

The XenServer kern.log shows the following:

cat kern.log | grep "Detected Tx Unit Hang"

Oct 28 21:13:38 netscaler-sdx kernel: [11487774.550966] ixgbe 0000:08:00.1 eth3: Detected Tx Unit Hang
Oct 28 23:26:42 netscaler-sdx kernel: [ 368.183337] ixgbe 0000:0b:00.1 eth5: Detected Tx Unit Hang
Oct 29 09:36:20 netscaler-sdx kernel: [36946.735328] ixgbe 0000:0b:00.1 eth5: Detected Tx Unit Hang

By contrast, "fake" Tx hang entries look like this:

Oct 23 05:50:35 netscaler-sdx kernel: [11000391.898410] ixgbe 0000:0b:00.0 eth4: Fake Tx hang detected with timeout of 80 seconds
Oct 23 06:21:20 netscaler-sdx kernel: [11002236.890412] ixgbe 0000:0b:00.0 eth4: Fake Tx hang detected with timeout of 80 seconds
Oct 23 06:50:46 netscaler-sdx kernel: [11004003.034410] ixgbe 0000:0b:00.0 eth4: Fake Tx hang detected with timeout of 80 seconds
Oct 23 07:21:31 netscaler-sdx kernel: [11005848.026412] ixgbe 0000:0b:00.0 eth4: Fake Tx hang detected with timeout of 80 seconds
Oct 23 07:49:37 netscaler-sdx kernel: [11007534.042409] ixgbe 0000:0b:00.0 eth4: Fake Tx hang detected with timeout of 80 seconds
Oct 23 08:17:42 netscaler-sdx kernel: [11009219.034410] ixgbe 0000:0b:00.0 eth4: Fake Tx hang detected with timeout of 80 seconds
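As an added example (not from the original article), the Python below automates the correlation the article walks through by hand: it maps each VPX interface to its pNIC port from sh interface output, maps each hypervisor eth device to a port from the mapping lines, counts only genuine "Detected Tx Unit Hang" entries in kern.log (ignoring "Fake Tx hang" lines), and reports which VPX interfaces are affected. The sample inputs are constructed to mirror the article's output and are not a real capture.

```python
import re

# Constructed sample inputs modelled on the article's output (not real captures).
SH_INTERFACE = """\
Interface 10/1 (10G vNIC Interface, pNIC 10/5) #0
Interface 10/2 (10G vNIC Interface, pNIC 10/6) #1
"""
ETH_MAPPING = """\
"eth3", "mtu" : 1500, "port" : "10/8"
"eth5", "mtu" : 1500, "port" : "10/6"
"eth4", "mtu" : 1500, "port" : "10/5"
"""
KERN_LOG = """\
Oct 28 23:26:42 netscaler-sdx kernel: [ 368.183337] ixgbe 0000:0b:00.1 eth5: Detected Tx Unit Hang
Oct 23 05:50:35 netscaler-sdx kernel: [11000391.898410] ixgbe 0000:0b:00.0 eth4: Fake Tx hang detected with timeout of 80 seconds
Oct 29 09:36:20 netscaler-sdx kernel: [36946.735328] ixgbe 0000:0b:00.1 eth5: Detected Tx Unit Hang
"""


def vnic_to_pnic(sh_interface):
    """Map VPX interface name -> SDX pNIC port from 'sh interface' output."""
    return dict(re.findall(r"Interface (\S+) \(.*?pNIC (\S+)\)", sh_interface))


def eth_to_port(mapping):
    """Map hypervisor eth device -> pNIC port from the JSON-like mapping lines."""
    return dict(re.findall(r'"(eth\d+)".*?"port"\s*:\s*"([^"]+)"', mapping))


def real_tx_hangs(kern_log):
    """Count genuine ixgbe 'Detected Tx Unit Hang' lines per eth device.
    'Fake Tx hang detected' lines do not match and are deliberately ignored."""
    counts = {}
    for line in kern_log.splitlines():
        m = re.search(r"ixgbe \S+ (eth\d+): Detected Tx Unit Hang", line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def affected_vpx_interfaces(sh_interface, mapping, kern_log):
    """Correlate real hangs on the host back to the VPX interfaces that will flap."""
    port_by_eth = eth_to_port(mapping)
    vnic_by_port = {port: vnic for vnic, port in vnic_to_pnic(sh_interface).items()}
    result = {}
    for eth, n in real_tx_hangs(kern_log).items():
        vnic = vnic_by_port.get(port_by_eth.get(eth))
        if vnic:                      # eth devices with no VPX interface are skipped
            result[vnic] = n
    return result
```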

Related:

SecureWeb error posting web form “Your username is blank, please re-enter”

Automatic translation

This article was translated by an automatic translation system and has not been reviewed by people. Citrix provides automatic translation to broaden access to support content; however, automatically translated articles may contain errors. Citrix is not responsible for inconsistencies, errors, or damage resulting from the use of automatically translated articles.


How to Manually Stop the nstrace Process on a NetScaler Appliance

This article contains information about manually terminating the nstrace processes on a NetScaler appliance.

Background

When simultaneously recording multiple network packet trace files on a NetScaler appliance, it might not be possible to terminate all trace files. For example, you might notice some issues in using the configuration utility or the client connection to the appliance might terminate. Recording a trace file on an appliance starts the following processes, which you can display from the shell prompt:

  • /netscaler/nstraceaggregator

  • /bin/sh /netscaler/nstrace.sh

You can run the following command to terminate the process of recording a trace file:

nstrace.sh --stop

If the preceding command fails, you might have to manually terminate the processes.

You need to terminate both processes to stop recording packet traces. If you unintentionally leave a trace process running, the trace file might reach an unmanageable size. These trace files can eventually fill the hard disk space, which might cause irregularities in the appliance behavior.

Related:

Secure Hub with iOS 11 will not upgrade on first attempt if Network Extension (VPN) is On


Receiver for Windows 4.10 Context Menu Mouse Click Issue


Unable to edit the SharePoint documents through browser or word via NetScaler.


NetScaler not sending username and password in UPN format


Microsoft Security Patch Validation Report December 2017

Microsoft's December 2017 security updates have passed Citrix testing (the updates are listed below). The testing is not all-inclusive: all tests are executed against English-only environments, and issues may still be found upon implementation. Follow best practices for testing and installing software updates and patches in a development environment before implementing the updates in a production environment.

Where applicable, the below updates were tested with Citrix XenApp, XenDesktop and other Citrix products.

Product                                                        KB Article
Windows 10 v1709 (Fall Creators Update)                        4054517
Windows 10 v1703 (Creators Update)                             4053580
Windows 10 v1607 (Anniversary Update) and Windows Server 2016  4053579
Windows 10 v1511                                               4053578
Windows 10 v1507 LTSB                                          4053581
Windows 7 SP1 and Windows Server 2008 R2 SP1 Monthly rollup    4054518, 4054521
Windows 8.1 and Windows Server 2012 R2 Monthly rollup          4054519, 4054522
Internet Explorer 11                                           4054519, 4052978, 4054518
Microsoft Office                                               4011614, 4011612, 4011590, 4011575, 4011277, 4011095
Adobe Flash Player                                             4053577

Note: The following patches were not selected for validation:

Product                                  KB Article
Windows Vista and Windows Server 2008    4053473, 4052978, 4052303
Windows Server 2012                      4054520, 4052978, 4054523
SharePoint Server                        4011576
Exchange                                 4045655
Office 2007 and older                    4011608

The November 2017 updates and later for Windows 10 v1511, v1607 and v1703 contain a fix for the v1709 upgrade issue that occurs when the Citrix VDA is already installed. More information is available in the Windows 10 v1709 known issues article.

Visit the Microsoft Security TechCenter page to view Microsoft security updates.

Additional Resources

Citrix Interoperability Validation

Related:

Citrix App Layering 4.x: PVS Connector (BootPrivate)

Software Solution Disclaimer

This package contains a software solution that has been replaced by a more recent version available for download from the Citrix support website (support.citrix.com). It is provided merely for your convenience. Citrix recommends applying the most up-to-date version of the software, which addresses the fix or enhancement being targeted. Later versions of the release may include multiple changes that address different areas including security vulnerabilities, code fixes, and enhancements. Installation of this software should only be performed on test or developmental environments. This software is not supported and is provided “AS IS.” You are solely responsible for your selection and use of the software. Any reported issues will require the most current revision of the software (http://www.citrix.com/English/SS/supportThird.asp?slID=5107&tlID=1861652). Please visit our security site for additional security notices and information (support.citrix.com/securitybulletins ).

CITRIX MAKES NO REPRESENTATIONS OR WARRANTIES OF NONINFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE WITH RESPECT TO THE PROVIDED SOFTWARE SOLUTION. THE SOFTWARE SOLUTIONS ARE DELIVERED ON AN “AS IS” BASIS WITH NO SUPPORT. YOU SHALL HAVE THE SOLE RESPONSIBILITY FOR ADEQUATE PROTECTION AND BACK-UP OF ANY DATA USED IN CONNECTION WITH THE SOFTWARE SOLUTION. IN NO EVENT SHALL CITRIX BE LIABLE FOR (i) SPECIAL, INDIRECT, DIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES, OR (ii) ANY OTHER CLAIM, DEMAND OR DAMAGES WHATSOEVER RESULTING FROM OR ARISING OUT OF OR IN CONNECTION WITH THE SOFTWARE SOLUTION, WHETHER AN ACTION IN CONTRACT OR TORT, INCLUDING NEGLIGENCE, OR OTHERWISE.
