Cisco ASA 5510 Citrix Session Reliability

Unanswered Question
Sep 12th, 2011

My company has a cisco ASA 5510 and we have a Citrix remote desktop solution.

In a nutshell I have users from outside our network accessing a virtual Citrix NetScaler inside our DMZ.

There is a session reliability feature enabled on the Citrix solution. Session reliability uses tcp port 443.

A user from outside the network connects to our network and is handed a virtual desktop to work with. When a remote user is working on their virtual desktop and there is a network connection issue the end user loses network connectivity for a brief period of time (in most cases just seconds) then the Citrix session reliability feature takes over and holds in a buffer all data destined for the end user . Once the connection is re-established then the buffer is emptied and the session goes on like before and the end user is able to use the virtual desktop. At least this is the way it should work.

In our case the connection never re-establishes between the end user outside the network and the NetScaler in our DMZ. We have been working with Citrix Support and they believe the issue is in our firewall. We have taken packets captures with Wire shark and we can see when the network failure occurs the NetScaler in the DMZ is holding information in a buffer and trying to communicate with the remote end user outside our network via packets and TCP port 443.

We can also do the same packet captures from the end user computer and see where it is not receiving any packets from the NetScaler in our DMZ. The fire wall has an access list allowing any traffic in the outside port destined to the NetScaler Public IP on port 443. Then once in the firewall outside port we have a static rule pointing to the NetScaler IP in the DMZ.

Everything is working quite well until we need to rely upon the session reliability. We have tried altering the TCP & Global Timeouts options in the firewall via the ASDM with no luck.

I can provide additional information for the issue or clarify any point. I would like to know if anyone has had this issue or have any ideas I can try.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
matthew.laguna Mon, 09/12/2011 - 08:18

I stripped down the configuration and am posting it below. 

ASA5510# sh run
: Saved
:
ASA Version 8.2(1)
!
terminal width 120
hostname ASA5510
domain-name XXXX.com

names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address XXXX 255.255.255.224
!
interface Ethernet0/1
nameif DMZ
security-level 50
ip address 192.168.252.1 255.255.255.0
!
interface Ethernet0/2
description internal
speed 100
nameif Inside
security-level 100
ip address 192.168.1.1 255.255.254.0
!!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name XXX.com

object-group service Session_reliability tcp
description https & 2598 into the DMZ
port-object eq 2598
port-object eq https

access-list outside_in extended permit tcp any host XX.XX.203.120 eq https log

access-list outside_in extended permit tcp any host XX.XX.203.120 eq 2598 log

access-list in_out extended permit ip any any
access-list in_out extended permit icmp any any
access-list Inside_nat0_outbound extended permit ip any 192.168.231.0 255.255.255.0
access-list DMZ_nat0_outbound extended permit ip 192.168.252.0 255.255.255.0 192.168.231.0 255.255.255.0
access-list splitTunnelAcl extended permit ip 192.168.252.0 255.255.255.0 any

access-list dmz_in extended permit tcp host 192.168.252.31 any object-group Session_reliability log
!
tcp-map mss-tcp-map
!
pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging trap warnings
logging asdm informational
mtu outside 1500
mtu DMZ 1500
mtu Inside 1500
mtu Backup 1500
mtu management 1500

icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 xx.xx.203.121
global (DMZ) 1 xx.xx.203.126
global (Backup) 1 XX.250.173.86
nat (DMZ) 1 0.0.0.0 0.0.0.0
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0

static (DMZ,outside) xx.xx.203.120 192.168.252.31 netmask 255.255.255.255 norandomseq

access-group outside_in in interface outside
access-group dmz_in in interface DMZ
access-group in_out in interface Inside
access-group Backup_in in interface Backup
route outside 0.0.0.0 0.0.0.0 xx.xx.203.97 1 track 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy


sysopt connection timewait
sla monitor 123
type echo protocol ipIcmpEcho xx.xx.203.85 interface outside
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
service resetinbound interface outside
service resetinbound interface DMZ
service resetinbound interface Inside
service resetoutside

!
track 1 rtr 123 reachability

!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy XXXX internal
group-policy XXXX attributes

!
class-map inspection_default
match default-inspection-traffic
class-map mss-class-map
match access-list mss_acl
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 2048
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect pptp
  inspect http
  inspect ils
  inspect icmp
  inspect icmp error
class mss-class-map
  set connection advanced-options mss-tcp-map
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 2048
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c997548110198dc8fb075a1556c12289
: end
ASA5510#

Actions

Login or Register to take actions

This Discussion

Posted September 12, 2011 at 6:38 AM
Stats:
Replies:1 Avg. Rating:
Views:1499 Votes:0
Shares:0

Discussions Leaderboard

Rank Username Points
1 7,861
2 6,140
3 3,170
4 1,473
5 1,446