My company has a cisco ASA 5510 and we have a Citrix remote desktop solution.
In a nutshell I have users from outside our network accessing a virtual Citrix NetScaler inside our DMZ.
There is a session reliability feature enabled on the Citrix solution. Session reliability uses tcp port 443.
A user from outside the network connects to our network and is handed a virtual desktop to work with. When a remote user is working on their virtual desktop and there is a network connection issue, the end user loses network connectivity for a brief period of time (in most cases just seconds), then the Citrix session reliability feature takes over and holds in a buffer all data destined for the end user. Once the connection is re-established, the buffer is emptied and the session goes on like before, and the end user is able to use the virtual desktop. At least this is the way it should work.
In our case the connection never re-establishes between the end user outside the network and the NetScaler in our DMZ. We have been working with Citrix Support and they believe the issue is in our firewall. We have taken packet captures with Wireshark and we can see that when the network failure occurs, the NetScaler in the DMZ is holding information in a buffer and trying to communicate with the remote end user outside our network via packets on TCP port 443.
We can also do the same packet captures from the end user computer and see that it is not receiving any packets from the NetScaler in our DMZ. The firewall has an access list allowing any traffic in on the outside port destined to the NetScaler public IP on port 443. Then once in the firewall outside port we have a static rule pointing to the NetScaler IP in the DMZ.
Everything is working quite well until we need to rely upon the session reliability. We have tried altering the TCP & Global Timeouts options in the firewall via the ASDM with no luck.
I can provide additional information for the issue or clarify any point. I would like to know if anyone has had this issue or has any ideas I can try.
access-list in_out extended permit ip any any
access-list in_out extended permit icmp any any
access-list Inside_nat0_outbound extended permit ip any 192.168.231.0 255.255.255.0
access-list DMZ_nat0_outbound extended permit ip 192.168.252.0 255.255.255.0 192.168.231.0 255.255.255.0
access-list splitTunnelAcl extended permit ip 192.168.252.0 255.255.255.0 any
access-list dmz_in extended permit tcp host 192.168.252.31 any object-group Session_reliability log
!
tcp-map mss-tcp-map
!
pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging trap warnings
logging asdm informational
mtu outside 1500
mtu DMZ 1500
mtu Inside 1500
mtu Backup 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 xx.xx.203.121
global (DMZ) 1 xx.xx.203.126
global (Backup) 1 XX.250.173.86
nat (DMZ) 1 0.0.0.0 0.0.0.0
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
sysopt connection timewait
sla monitor 123
 type echo protocol ipIcmpEcho xx.xx.203.85 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
service resetinbound interface outside
service resetinbound interface DMZ
service resetinbound interface Inside
service resetoutside
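As an added example (not the poster's code or Cisco's), a small Python checker that parses a subset of the ASA lines quoted above and lists which ACL entries, NAT statements, reset settings and timeout lines apply to the NetScaler's DMZ address. It assumes the host in the dmz_in entry (192.168.252.31) is the NetScaler; the masked public address is kept as pasted.

```python
import ipaddress

# Constructed input: a subset of the ASA lines quoted in the post above, one per line.
ASA_CONFIG = """
access-list in_out extended permit ip any any
access-list DMZ_nat0_outbound extended permit ip 192.168.252.0 255.255.255.0 192.168.231.0 255.255.255.0
access-list dmz_in extended permit tcp host 192.168.252.31 any object-group Session_reliability log
!
nat (DMZ) 1 0.0.0.0 0.0.0.0
service resetinbound interface outside
service resetinbound interface DMZ
service resetinbound interface Inside
service resetoutside
"""
NETSCALER_DMZ_IP = "192.168.252.31"  # assumed: the host in the dmz_in entry

def _take_addr(tokens):
    """Consume one ASA address clause: 'any', 'host X' or 'NET MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(line):
    """Split 'access-list NAME extended ACTION PROTO SRC DST ...' into fields."""
    t = line.split()
    src, rest = _take_addr(t[5:])
    dst, rest = _take_addr(rest)
    return {"name": t[1], "action": t[3], "proto": t[4], "src": src, "dst": dst, "extra": rest}

def flow_report(config, host):
    """List the ACL entries, NAT lines, reset settings and timeouts that touch `host`."""
    ip = ipaddress.ip_address(host)
    report = {"acl": [], "nat": [], "reset_interfaces": [], "timeouts": []}
    for line in config.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue                      # blank or ASA separator line
        if t[0] == "access-list" and t[2] == "extended":
            e = parse_acl(line)
            if ip in e["src"] or ip in e["dst"]:
                report["acl"].append(f"{e['name']} {e['action']} {e['proto']}")
        elif t[0] in ("nat", "global", "static"):
            report["nat"].append(line)    # translation that may rewrite the flow
        elif t[:2] == ["service", "resetinbound"]:
            report["reset_interfaces"].append(t[3])
        elif t[0] == "timeout":
            report["timeouts"].append(line)  # none appear in the pasted snippet
    return report
```

Running `flow_report(ASA_CONFIG, NETSCALER_DMZ_IP)` shows that the pasted snippet contains no `timeout` lines at all, so the TCP and global timeout values the post says were changed cannot be checked from what was pasted.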
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...