CSS and Citrix Access Gateway issue

robert.mcclain
Level 1

A customer just bought 2 new CAGs and is trying to use them through a CSS. The CAG VPN and website are very flaky; the VPN connects then disconnects, etc. The web site running on them displays the "under construction" page, but when you go to it directly it works and goes to a logon page. I am not sure what to look for here; the flows on the CSS look correct. The traffic from the internet to the CAGs gets a PAT address of 172.27.106.x; the CSS, CAG VIP and real addresses are all on the same internal subnet as the PAT. So inbound traffic gets a PAT of 172.27.106.x --> VIP address 172.27.106.x --> CAG server real address --> 172.27.106.x, and the CAG responds back to the 172.27.106.x address, which proceeds back out the firewall. I wondered if the CAGs have an issue with the source traffic being PAT'd. Anyone have any experience with these CAG devices?

2 Replies

Daniel Arrondo Ostiz
Cisco Employee

Hi Robert,

I don't have experience with the CAG servers you mentioned, but, on the CSS, most of the connection instability issues are related to a flow timeout. The CSS will time out connections after 16 seconds of inactivity, and after a session has been timed out, it can be closed at any time.

One quick thing you could try would be configuring a bigger timeout for the affected content rules with the "flow-timeout-multiplier" command. This command takes as a parameter a number that will get multiplied by the default 16 seconds to get to the final timeout value. I would recommend you set the multiplier to 450, which would give you a 2-hour inactivity period, and then see if the situation improves.

Daniel,

Thanks for the reply. That may be the reason for the instability of the VPN connection, but I don't know if it applies to the web site issue. I will add that multiplier and have them test it.