I have two sites in my network that have a DSL link to the Internet which they use to connect via VPN to Head Office. They both have a PIX 501 and use Citrix. They both have an ISDN link for back-up. Over the VPN, both sites are experiencing periodic "drops". They lose their Citrix sessions. Over the ISDN back-up link, they never have the problem. We have had both DSL circuits checked and they always come back clean. These are the only two sites in a 50 site network using VPN and the only two sites having problems.
Are there some parameters I should be changing to compensate for Citrix over VPN?
I am not sure that it is the issue here, but a frequent problem with running over VPN is the additional header length introduced by IPSec. If the application is sending max size frames (or near max size) the additional header of IPSec may mean that the frame requires fragmentation. If the application sends the frame with the don't fragment bit set (and many TCP applications do this) it may mean that the packets will be dropped, since they need fragmentation but cannot be fragmented.
You might try decreasing the segment size of the end stations (or look for some parameter within Citrix) and see if it improves things.
I did some ping tests and found that at 1272 bytes, the packet did not get fragmented but at 1273, it did. I have changed the tcpmss value on the PIX from 1380 to 1200. I'll let you know if that fixes the problem.
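The ping-based MTU hunt described in that post, as an added example that is not from the thread: a binary search over DF-set probe sizes finds the largest payload that passes, and the result is converted to a usable path MTU and TCP MSS. The probe is simulated so the script runs offline (a live version would wrap `ping -M do -s <size>` on Linux or `ping -f -l <size>` on Windows); header sizes assume IPv4 and TCP without options.

```python
"""Path-MTU probe and MSS sizing for an application running over IPsec.

Constructed example: the probe below is a stand-in for a DF-set ping so the
script runs with no network. Replace simulated_probe() with a real probe.
"""
from typing import Callable

IP_HDR = 20    # IPv4 header, no options
ICMP_HDR = 8   # ICMP echo header
TCP_HDR = 20   # TCP header, no options


def largest_unfragmented_payload(probe: Callable[[int], bool],
                                 lo: int = 0, hi: int = 1472) -> int:
    """Binary-search the largest ICMP data size that passes with DF set.

    probe(size) returns True when an echo carrying `size` data bytes gets
    through unfragmented. Assumes monotonic behaviour: if `size` passes,
    every smaller size passes too. 1472 is the payload that fills a
    1500-byte Ethernet MTU (1500 - 20 - 8).
    """
    best = lo
    while lo <= hi:
        mid = (lo + hi) // 2
        if probe(mid):
            best, lo = mid, mid + 1   # passed: try larger
        else:
            hi = mid - 1              # fragmented/dropped: try smaller
    return best


def path_mtu_from_payload(payload: int) -> int:
    """Largest ICMP payload that fits, plus IP and ICMP headers."""
    return payload + IP_HDR + ICMP_HDR


def tcp_mss_for_mtu(mtu: int) -> int:
    """Largest TCP segment that rides in one unfragmented packet of `mtu`."""
    return mtu - IP_HDR - TCP_HDR


def simulated_probe(cutoff: int) -> Callable[[int], bool]:
    """Constructed replacement for ping: payloads up to `cutoff` pass."""
    return lambda size: size <= cutoff


if __name__ == "__main__":
    # The thread observed 1272 bytes unfragmented and 1273 fragmented.
    probe = simulated_probe(1272)
    payload = largest_unfragmented_payload(probe)
    mtu = path_mtu_from_payload(payload)
    print(f"largest DF payload {payload}, path MTU {mtu}, "
          f"TCP MSS that fits {tcp_mss_for_mtu(mtu)}")
```

With the thread's numbers the tunnel path carries 1300-byte packets, so a 1260-byte MSS is the ceiling and the PIX default of 1380 overshoots it; the 1200 chosen in the post fits with margin.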
We believe we have found the problem. The host site connects to one carrier, the remote site connects to a second carrier, but between the first and second carrier there is a third carrier. The problem is an intermittent latency problem in the third carrier's network causing delays to jump to 800 ms periodically.