[BUG] LB timeout 0 not being honored #1062

Closed
reckio123 opened this issue Jul 19, 2023 · 8 comments
Labels
In-Progress ..being worked upon


@reckio123

If you apply the following LB configuration, which leverages 0 (a valid timeout for COOKIEINSERT), the provider does not configure it and uses the default 2 minutes.


```hcl
terraform {
  required_providers {
    citrixadc = {
      source  = "citrix/citrixadc"
      version = "1.35.0"
    }
  }
}

provider "citrixadc" {
  endpoint             = "https://192.168.0.141"
  username             = "nsroot"
  password             = "Citrix123"
  insecure_skip_verify = true
}

resource "citrixadc_lbvserver" "sf_vip" {
  name            = "SF_VIP"
  ipv46           = "10.10.10.11"
  port            = 443
  servicetype     = "SSL"
  persistencetype = "COOKIEINSERT"
  timeout         = 0
}
```

```
terraform apply -auto-approve
```

```
sh lb vserver SF_VIP
SF_VIP (10.10.10.11:443) - SSL Type: ADDRESS
State: DOWN[Certkey/Certkeybundle not bound]
Last state change was at Wed Jul 19 15:08:37 2023
Time since last state change: 0 days, 00:03:06.50
Effective State: DOWN
Client Idle Timeout: 180 sec
Down state flush: ENABLED
Disable Primary Vserver On Down : DISABLED
Appflow logging: ENABLED
No. of Bound Services : 0 (Total) 0 (Active)
Configured Method: LEASTCONNECTION BackupMethod: ROUNDROBIN
Mode: IP
Persistence: COOKIEINSERT (version 0) Persistence Timeout: 2 min
Vserver IP and Port insertion: OFF
Push: DISABLED Push VServer:
Push Multi Clients: NO
Push Label Rule: none
L2Conn: OFF
Skip Persistency: None
Listen Policy: NONE
IcmpResponse: PASSIVE
RHIstate: PASSIVE
New Service Startup Request Rate: 0 PER_SECOND, Increment Interval: 0
Mac mode Retain Vlan: DISABLED
DBS_LB: DISABLED
Process Local: DISABLED
Traffic Domain: 0
TROFS Persistence honored: ENABLED
Retain Connections on Cluster: NO
Order Sequence: ASCENDING
Current Active Order: None
Done
```

@kevinmarino

Running into this same thing

```hcl
terraform {
  required_providers {
    citrixadc = {
      source  = "citrix/citrixadc"
      version = "1.36.0"
    }
  }
}

resource "citrixadc_lbvserver" "tf_lbvserver" {
  name            = local.fullvipname
  ipv46           = "0.0.0.0"
  port            = "0"
  servicetype     = "SSL"
  persistencetype = "COOKIEINSERT"
  timeout         = 0
  clttimeout      = 180
  httpprofilename = "http_standard"
  comment         = "${var.data.params.supportgroup}"
}
```

Defaults to 2 mins instead of 0.

Setting it to some other timeout value works; changing it back to 0 produces this error:

```
│ Error: [ERROR] netscaler-provider: Error updating lbvserver vst-HS-ServiceName-ServiceComponent-INT-M1

│ with module.Webvip.citrixadc_lbvserver.tf_lbvserver,
│ on modules\webvip2\main.tf line 83, in resource "citrixadc_lbvserver" "tf_lbvserver":
│ 83: resource "citrixadc_lbvserver" "tf_lbvserver" {
```

Any idea on when the provider will get corrected to allow COOKIEINSERT 0?

@kaiAsmOne

I don't know what has changed or how to "fix" this.

Until recently, using cookieinsert with timeout = 0 made the cookie a session cookie.

I ran into the same issue a while back, but I noticed this is a change in the NetScaler software and not a Terraform provider / NITRO API issue. You can no longer set timeout = 0 in the GUI or CLI either.

This change raises another question:

How do we implement session cookies and not a cookie with a fixed expiry time?

@sumanth-lingappa
Collaborator

@kaiAsmOne, @reckio123, @Toasty-Roach

What is the netscaler version you are using?

To get the NetScaler version, you can run `show version` in the NetScaler CLI.

@kevinmarino

```
show version
NetScaler NS13.1: Build 49.13.nc, Date: Jul 10 2023, 12:00:59 (64-bit)
Done
```

@kevinmarino

@sumanth-lingappa, @rohit-myali

I believe the issue can be identified here in the resource_citrixadc_lbvserver.go code -- Line 137 specifically.
https://github.com/citrix/terraform-provider-citrixadc/blame/2edd6f1979b27b9f4cbd1943be3f8f57e807e017/citrixadc/resource_citrixadc_lbvserver.go#L137

Notes from the Git Blame:
3 months ago: "Formatted all the go file using gofmt"

```go
Timeout int `json:"timeout,omitempty"` // Included Omitempty flag, because it doesnot support 0 value
```

The comments clearly show that timeout does not support 0 value, however with CookieInsert it does.
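
The Go behaviour behind the blame note quoted above, as an added example (not the provider's code): with `omitempty` on an `int`, an explicit 0 is dropped from the JSON body, while a pointer field keeps it. The type names, `marshal` and `effectiveTimeout` are hypothetical, and `effectiveTimeout` is a constructed stand-in for an appliance that applies the 2-minute default when the key is absent.

```go
package main

import (
	"encoding/json"
	"fmt"
)

const defaultTimeoutMin = 2 // default persistence timeout reported in this issue

// Value field: omitempty drops the zero value, so an explicit 0 never leaves the client.
type lbOmit struct {
	Name    string `json:"name"`
	Timeout int    `json:"timeout,omitempty"`
}

// Pointer field: nil means "not configured"; a pointer to 0 is still serialized.
type lbPtr struct {
	Name    string `json:"name"`
	Timeout *int   `json:"timeout,omitempty"`
}

// marshal returns the JSON body that would be sent for v (these types cannot fail to encode).
func marshal(v interface{}) string {
	b, _ := json.Marshal(v)
	return string(b)
}

// effectiveTimeout is a constructed stand-in for the appliance: an absent
// "timeout" key falls back to the default, a present key (even 0) is honored.
func effectiveTimeout(body string) int {
	var got struct {
		Timeout *int `json:"timeout"`
	}
	if err := json.Unmarshal([]byte(body), &got); err != nil || got.Timeout == nil {
		return defaultTimeoutMin
	}
	return *got.Timeout
}

func main() {
	zero := 0
	for _, v := range []interface{}{lbOmit{"SF_VIP", 0}, lbPtr{"SF_VIP", &zero}, lbPtr{"SF_VIP", nil}} {
		body := marshal(v)
		fmt.Printf("%-32s -> effective timeout %d min\n", body, effectiveTimeout(body))
	}
}
```

A pointer field is one common way to tell "unset" from "explicitly zero"; the thread does not say how the provider itself was changed.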

@kaiAsmOne

@Toasty-Roach: you need to upgrade your NetScaler ASAP. The CVE with 9.3 score..
You need to go to 13.1 49.15 if it is internet exposed or you will get pwnd..

@sumanth-lingappa: To answer your question, it was the 13.1 version we had to upgrade to this summer due to the other CVE with a really high like 9+ something.. It does not matter anymore. I tried with 13.1 49.15 and I can set timeout to 0 again and get a session cookie in the NetScaler GUI / CLI..

I can also confirm what @Toasty-Roach says.. I cannot set timeout = 0.. And it is the Terraform provider when using a proper NetScaler build.

(I used quite a few hours earlier this summer chasing why this was not working until I noticed the same issue was present in GUI / CLI. I currently have all my apps set to cookietimeout = 60 minutes and I would love to get session cookies again using the Terraform provider)

@rohit-myali
Contributor

rohit-myali commented Oct 26, 2023

Hello @reckio123 @kaiAsmOne
It is now resolved from the terraform-provider end that the timeout now accepts 0 and if no value is given, then it keeps the default as 2.
Please use the latest terraform provider citrixadc v1.37.0

@rohit-myali rohit-myali self-assigned this May 8, 2024
@kevinmarino

This is an issue on provider version 1.39.0 again. Setting a COOKIEINSERT persistence timeout of 0 is not honored.
