Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Cisco ASA 5510 Citrix Session Reliability

My company has a cisco ASA 5510 and we have a Citrix remote desktop solution.

In a nutshell I have users from outside our network accessing a virtual Citrix NetScaler inside our DMZ.

There is a session reliability feature enabled on the Citrix solution. Session reliability uses tcp port 443.

A user from outside the network connects to our network and is handed a virtual desktop to work with. When a remote user is working on their virtual desktop and there is a network connection issue the end user loses network connectivity for a brief period of time (in most cases just seconds) then the Citrix session reliability feature takes over and holds in a buffer all data destined for the end user . Once the connection is re-established then the buffer is emptied and the session goes on like before and the end user is able to use the virtual desktop. At least this is the way it should work.

In our case the connection never re-establishes between the end user outside the network and the NetScaler in our DMZ. We have been working with Citrix Support and they believe the issue is in our firewall. We have taken packets captures with Wire shark and we can see when the network failure occurs the NetScaler in the DMZ is holding information in a buffer and trying to communicate with the remote end user outside our network via packets and TCP port 443.

We can also do the same packet captures from the end user computer and see where it is not receiving any packets from the NetScaler in our DMZ. The fire wall has an access list allowing any traffic in the outside port destined to the NetScaler Public IP on port 443. Then once in the firewall outside port we have a static rule pointing to the NetScaler IP in the DMZ.

Everything is working quite well until we need to rely upon the session reliability. We have tried altering the TCP & Global Timeouts options in the firewall via the ASDM with no luck.

I can provide additional information for the issue or clarify any point. I would like to know if anyone has had this issue or have any ideas I can try.

Everyone's tags (4)
Community Member

Cisco ASA 5510 Citrix Session Reliability

I stripped down the configuration and am posting it below. 

ASA5510# sh run
: Saved
ASA Version 8.2(1)
terminal width 120
hostname ASA5510

interface Ethernet0/0
nameif outside
security-level 0
ip address XXXX
interface Ethernet0/1
nameif DMZ
security-level 50
ip address
interface Ethernet0/2
description internal
speed 100
nameif Inside
security-level 100
ip address
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS

object-group service Session_reliability tcp
description https & 2598 into the DMZ
port-object eq 2598
port-object eq https

access-list outside_in extended permit tcp any host XX.XX.203.120 eq https log

access-list outside_in extended permit tcp any host XX.XX.203.120 eq 2598 log

access-list in_out extended permit ip any any
access-list in_out extended permit icmp any any
access-list Inside_nat0_outbound extended permit ip any
access-list DMZ_nat0_outbound extended permit ip
access-list splitTunnelAcl extended permit ip any

access-list dmz_in extended permit tcp host any object-group Session_reliability log
tcp-map mss-tcp-map
pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging trap warnings
logging asdm informational
mtu outside 1500
mtu DMZ 1500
mtu Inside 1500
mtu Backup 1500
mtu management 1500

icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 xx.xx.203.121
global (DMZ) 1 xx.xx.203.126
global (Backup) 1 XX.250.173.86
nat (DMZ) 1
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1

static (DMZ,outside) xx.xx.203.120 netmask norandomseq

access-group outside_in in interface outside
access-group dmz_in in interface DMZ
access-group in_out in interface Inside
access-group Backup_in in interface Backup
route outside xx.xx.203.97 1 track 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy

sysopt connection timewait
sla monitor 123
type echo protocol ipIcmpEcho xx.xx.203.85 interface outside
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
service resetinbound interface outside
service resetinbound interface DMZ
service resetinbound interface Inside
service resetoutside

track 1 rtr 123 reachability

threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
group-policy XXXX internal
group-policy XXXX attributes

class-map inspection_default
match default-inspection-traffic
class-map mss-class-map
match access-list mss_acl
policy-map type inspect dns preset_dns_map
  message-length maximum 2048
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect pptp
  inspect http
  inspect ils
  inspect icmp
  inspect icmp error
class mss-class-map
  set connection advanced-options mss-tcp-map
policy-map type inspect dns migrated_dns_map_1
  message-length maximum 2048
service-policy global_policy global
prompt hostname context
: end

CreatePlease to create content