Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1044
Views
0
Helpful
1
Replies

Citrix ICA tagging over DMVPN

PJ
Level 1
Level 1

‎05-22-2008 11:17 AM - edited ‎02-21-2020 02:02 AM

Has anyone configured NBAR for Citrix ICA priority tagging ?

I have configured NBAR for Citrix ICA priority tagging feature on a 3845 with 12.4(13c) IOS.The citrix server is on a lan g0/0.1 connected to the DMVPN hub router.The citrix admin has configred all the parameters to make ICA priority tagging work on his side. The problem I have is I am not seeing the packets tagged when I access the server over from DMVPN edge router. Whereas the same works when I come from another lan interface g0/1.1 of the DMVPN router. I have used GRE tunneling instead of IPSec DMVPN, but it doesnt work. I am trying to match the packets on the lan interface where the server is connected.

class-map match-any icatag1

match protocol citrix ica-tag "1"

class-map match-any icatag0

match protocol citrix ica-tag "0"

class-map match-any icatag3

match protocol citrix ica-tag "3"

class-map match-any icatag2

match protocol citrix ica-tag "2"

!

policy-map test

class icatag0

set dscp af33

class icatag1

set dscp af32

class icatag2

set dscp af31

class icatag3

set dscp af23

!

interface GigabitEthernet0/0

no ip address

ip nbar protocol-discovery

ip route-cache flow

ip policy route-map citrix

duplex auto

speed auto

media-type sfp

no keepalive

service-policy input test

!

interface GigabitEthernet0/0.1

encapsulation dot1Q 1

ip address 10.244.1.250 255.255.255.0

ip nbar protocol-discovery

ip nat inside

ip virtual-reassembly

ip policy route-map citrix

service-policy input test

!

Rt1#sh route-map citrix

route-map citrix, permit, sequence 10

Match clauses:

ip address (access-lists): any

Set clauses:

ip df 0

Policy routing matches: 541003 packets, 38532833 bytes

Rt1#sh ip access-lists any

Extended IP access list any

10 permit ip any any (543185 matches)

!

Rt1# sh policy-map int g0/0.1

GigabitEthernet0/0.1

Service-policy input: test

Class-map: icatag0 (match-any)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: protocol citrix ica-tag "0"

0 packets, 0 bytes

5 minute rate 0 bps

QoS Set: Feature obj ptr is 70A4F794

dscp af33

Packets marked 0

Class-map: icatag1 (match-any)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: protocol citrix ica-tag "1"

0 packets, 0 bytes

5 minute rate 0 bps

QoS Set: Feature obj ptr is 70A4F844

dscp af32

Packets marked 0

Class-map: icatag2 (match-any)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: protocol citrix ica-tag "2"

0 packets, 0 bytes

5 minute rate 0 bps

QoS Set: Feature obj ptr is 70A4F8F4

dscp af31

Packets marked 0

Class-map: icatag3 (match-any)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: protocol citrix ica-tag "3"

0 packets, 0 bytes

5 minute rate 0 bps

QoS Set: Feature obj ptr is 70A4F9A4

dscp af23

Packets marked 0

Class-map: class-default (match-any)

33892 packets, 2757041 bytes

5 minute offered rate 3000 bps, drop rate 0 bps

Match: any

0 Helpful
1 Reply 1

owillins
Level 6
Level 6

‎05-28-2008 12:44 PM

Use this command show policy-map interface interface-name -- in working interface as well as non working interface verify the both the things.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card