topic Re: Citrix Receiver on Globalprotect in General Topics

Citrix Receiver on Globalprotect

dieter_b — Wed, 16 Oct 2013 14:10:09 GMT

I seem to have Globalprotect working fine for access to any internal resource.

The one thing that does not seem to be working is the connection Citrix Receiver (PNAgent legacy version 13.3) makes to our internal Citrix Web Interface / Services site.

I'm getting the error "citrix receiver could not contact the server. please check your network connection"

I'm starting to think this is a Globalprotect issue, because:

On the internal LAN everything is fine.
Using an old style Windows VPN that terminates on one of our DC's, everything is fine.
The only difference with GP is that GP clients terminate at the firewall, so traffic has an extra route to the Citrix servers.
I can actually download the Citrix config.xml file over GP VPN. That's the file the Citrix client uses to find what resources are available.
All related Citrix servers (portal, xenapp servers) are all reachable over GP. Name resolution is fine (both netbios and fqdn names).
Policy is in testing phase, so everything between the GP zone and trusted zone is allowed.

Anyone recognise this ? Anything else I can try ?

Re: Citrix Receiver on Globalprotect

Infra_SRV — Thu, 26 Mar 2020 14:04:50 GMT

We had this problem also with some laptops. The issue was udp fragmentation. Some nic's didn't do udp fragmentation.

So they could see loginpage of frontstore of citrix and when logging in they could't coonnect to server backend.

We didn't have pathmtu on the connections and icmp was disabled. Solution was that citrixteam were goging to push smaller mtu on citrixreceiver via the config.xml file

Re: Citrix Receiver on Globalprotect

gpandit — Tue, 28 Jul 2020 23:09:40 GMT

Can you try creating an open policy and deny DTLS application with services set to any(or you can check with application-default) as well and let's see how it behaves. Put that policy on the top for specific users and destinations.

Just below that create a security policy and allow everything for specific users and destinations.

I was somewhere close in accessing the Citrix Receiver remote desktop.

Re: Citrix Receiver on Globalprotect

andresee — Fri, 21 Aug 2020 10:04:59 GMT

Had this issues in a recent Citrix deployment. Check to see if drop frag udp if set to drop in your zone protection profile for GP. That was my issue. I was able to connect on the receiver but unable to launch apps, would just saying connecting then time out.

You can confirm if this is your issue by doing a pcap of the ip of the vpn client and look at the drops. You will see

"IP Fragmented IP Protocol" UDP/17 being dropped.

Just make a new zone protect policy and make sure ip frag drop is uncheck.

Re: Citrix Receiver on Globalprotect

KiranO — Tue, 05 Jan 2021 10:23:36 GMT

Hi Andresee,

I can't seem to find this option under Zone Protection. Could you please point me to the right location?

Thanks

Re: Citrix Receiver on Globalprotect

lfraij — Fri, 19 Apr 2024 19:26:12 GMT

This worked for me ! thanks