cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
441
Views
0
Helpful
1
Replies

Citrix ICA traffic through VPN between PIX 501 and 3005 concentrator

thult
Level 1
Level 1

I have BIG problems with user disconnects over a PIX-concentrator VPN setup:

Pix 501 on ADSL connection (static IP-address) (on branch office)

3005 concentrator on head office.

3DES both on IKE and IPSEC-levels. MD5, group1

Both PIX and Concentrator uses IKE keepalive.

My problem is that the users Citrix-connections get lost randomly (they receive a box that counts down and asks them to reconnect again).

This is very random, different users, different times. (at least 4-5 times a day)

They can get the reconnect box even when they are working in the Citrix-session.

Citrix Metaframe 1.8.

They do have another VPN to another branch office with a PIX 501. It´s working perfectly there. They are using DES on IKE and IPSEC.

I have tried to lower the mtu on the PIX to 1400. Software version 6.2(2).

Software version on concentrator: 3.6.6

Here´s part of the PIX-config:

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname XXXX

domain-name XXXX.COM

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list VPN_MAIN permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0

access-list inside_outside_nat0 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0

pager lines 24

interface ethernet0 10baset

interface ethernet1 10full

icmp deny any outside

mtu outside 1400

mtu inside 1500

ip address outside X.X.X.X 255.255.255.252

ip address inside 192.168.1.0 255.255.255.0

ip verify reverse-path interface outside

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 900

global (outside) 1 interface

nat (inside) 0 access-list inside_outside_nat0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 X.X.X.X

timeout xlate 3:00:00

timeout conn 0:15:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

no floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set ESP-3DES esp-3des esp-md5-hmac

crypto map VPN_OUTSIDE 10 ipsec-isakmp

crypto map VPN_OUTSIDE 10 match address VPN_MAIN

crypto map VPN_OUTSIDE 10 set peer X.X.X.X

crypto map VPN_OUTSIDE 10 set transform-set ESP-3DES

crypto map VPN_OUTSIDE interface outside

isakmp enable outside

isakmp key ********* address X.X.X.X netmask 255.255.255.255 no-xauth no-config-mode

isakmp identity address

isakmp keepalive 15

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 1

isakmp policy 20 lifetime 86400

Could it be a fragmentation error ? Or just a bug ? I searched through the bug toolkit and found lots of bugs in the 6.2(2) software. A lot of the bugs where fixed in version 6.2(3), but that is not avaliable for download......

1 Reply 1

smahbub
Level 6
Level 6

Bug CSCdr48890 does talk of problems arising when using Citrix in conjunction with the VPN 3000 client. (Also refer to bug CSCdr63713). The workaround was to set mtu to less than 1400 which you seem to have done already. The first thing you need to do then is to figure out is if the problem is observed only with user-citrix connections accross the tunnel or for all kinds of traffic. It would also be a good idea to observe the user-citrix connections while traffic is not being tunneled accross. This will mean a lot of work and you also need to be sure about the impact that might have on your security, but this would help you figure out if the problem has anything to do with your VPN. If the problem is with the VPN connectivity, the only possible reason that I can think of is that the numbers of users behind your 501, exceed the licence you have purchased.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: