We are using a CSS-11501 version 7.5 to load balance SSL connections to a pair of Citrix Web Interface servers. The CSS is connected to a DMZ interface of an ASA5520 on one side, and a 3550 with the web interface servers on the other side. Citrix app servers are in the internal network.
The problem is that users are dropped after 45-75 minutes. If the load balancer is bypassed by suspending the service and connecting to the server IP, the drops stop occurring. Sniffer traces indicate it is the Citrix 1494 connection between the Web server and the internal Citrix server that is being dropped.
Tried extending TCP flow and sticky timeouts, but no change.
Is it possible to disable the NAT function on the 1494 backend connection and still allow load balancing of the 443 client connection?
Where and how did you apply the flow-timeout-multiplier?
You need it under the content rule and under the group.
You can apply NATing to a specific port by using an ACL.
Instead of doing an 'add destination service' under the group, you leave it empty [except for the VIP] and use an ACL to decide when to use the group:
clause 10 permit tcp any destination content owner/rule sourcegroup