Citrix client fail - invalid license

PIX 515E, 7.1(2)

Existing Citrix clients on the inside can connect to a Citrix server on the outside. This is an older Citrix version that has been running for over 3 years without issues.

New installs of the client fail; it seems the Citrix license key is not transferring. I did some captures: traffic flows both ways, and a reset packet is sent from the Citrix server around packet 60. A cleaned configuration is attached. Has anyone seen anything similar to this?


Re: Citrix client fail - invalid license

Hi Russel,

Took a look at your config. Seems OK to me. You might be running into this bug: CSCse38062

ICA Client users cannot connect to Citrix through WebVPN

When the ICA client tries to connect through WebVPN to an internal Citrix server the following error is displayed:

Cannot connect to the Citrix MetaFrame Server.
SSL Error 4: The proxy denied access to ;#####; port 1494

Packet captures at the ASA's inside interface show the ASA attempting to connect to the Citrix server over port 54789. The ASA sends a TCP-SYN to the Citrix server over TCP-54789 and then the Citrix server sends a TCP RST since it's not listening on that port.

Cisco ASA running release 7.1.2.



Please also note that the xlate and conn timeouts seem to be pretty high in your conf. Under heavy traffic conditions, this might cause memory exhaustion on your PIX.



Re: Citrix client fail - invalid license

Thank you for this information. We have since found that there is an issue on the Citrix server; the outside agency administrator was able to duplicate the issue and is working on a resolution. All communication to/from the Citrix server was on port 1494, so I don't think this bug would have been the issue if it was on the firewall.

In regard to the xlate and conn timeouts, our traffic levels are fairly low, and because of some legacy mainframe connectivity, we needed a large timeout to keep from hanging sessions on these mainframes.

Again, thanks for the help.
