Virtual Service Traffic dropped due to Error:"Client sent duplicate Header"
search cancel

Virtual Service Traffic dropped due to Error:"Client sent duplicate Header"

book

Article ID: 423250

calendar_today

Updated On:

Products

VMware Avi Load Balancer

Issue/Introduction

  • When a request contains duplicate HTTP headers, the Avi Service Engine may reject and log the request as "client sent duplicate header". To confirm which specific header is duplicated, you can use either VS packet capture or VS debug logs. This article explains both approaches and how to interpret the results.

 

VS log: 

Cause

  • The issue occurs when the client sends duplicate HTTP header fields in a single request (for example, multiple Authorization headers with different values). As per HTTP request processing rules, duplicate headers are treated as invalid.
  • When the Avi Service Engine detects such duplicate headers during request parsing, it rejects the request and responds with an HTTP 400 (Bad Request) error to prevent ambiguous or potentially unsafe request handling.
  • This behavior is expected and dropped by the SE before the request is forwarded to the backend application.

Resolution

Option 1: Capture VS PCAP

When the issue is reproducible, capture a Virtual Service PCAP at the time of occurrence.
This allows you to inspect the HTTP request directly and verify whether the same header appears multiple times in the request sent by the client.

This approach is useful when you want packet-level confirmation of the client behavior.

Refer this techdoc: VS Pcap

 

 

Option 2: Use Virtual-Service Debug Logs 

An easier and more definitive method is to collect VS debugs and review the se_debug.INFO file on the impacted Service Engine.

The Service Engine logs explicitly identify duplicate headers and provide:

  • The header name

  • The duplicate value

  • The previously received value

Steps:

Enable debug on Leader Controller

> debug virtualservice <vs-name>
debugvirtualservice> flags flag debug_vs_all
debugvirtualservice:flags> save
debugvirtualservice> save


Reproduce the issue
Wait until the log entry “client sent duplicate header” is observed.

Disable debug

> debug virtualservice <vs-name>
> no flags flag debug_vs_all
> save


Log in to the Service Engine and collect logs

> attach serviceengine <se-name>
sudo -i
grep -i duplicate /opt/avi/log/glog/se_debug*


Outcome:
The SE debug logs will identify the duplicate HTTP header causing the 400 error.

 

 

Sample Log Entry Explanation

 

Example from se_debug.INFO:

 
error [0] - client sent duplicate header line: "Authorization: Basic token2", previous value: "Authorization: Basic token1"

 

This log indicates:

  • The client sent the Authorization header more than once.

  • The first value was Authorization: Basic token1.

  • A second Authorization header with value Basic token2 was received, which triggered the error.

 

 

The se_debug.INFO file is the most reliable way to confirm duplicate HTTP headers, as it clearly identifies both the header name and conflicting values. If further validation is needed, a VS PCAP can be used to corroborate the client-side behavior.

This information can then be shared with the application team to correct the request formatting at the source.

Powered by Wolken Software