I finally got the vpn working between a PIX and Netscreen. Client can hit the Citrix web server on port 80 on the remote side just fine. Can ping the web server, too.
However, when I actually try to launch the citrix.ica.asp file via a web browser, I get an error message that the remote citrix server is not responding. However when we test it from another remote site through a vpn tunnel, it works just fine.
I've applied sysopt permit ipsec.
When I clear the counters (clear ipsec sa counters) and run traffic through the tunnel, I don't see any errors on sh ipsec sa for that peer.
Any other hints?