I seem to have GlobalProtect working fine for access to any internal resource.
The one thing that does not seem to be working is the connection Citrix Receiver (PNAgent legacy version 13.3) makes to our internal Citrix Web Interface / Services site.
I'm getting the error "citrix receiver could not contact the server. please check your network connection"
I'm starting to think this is a GlobalProtect issue, because:
Anyone recognise this? Anything else I can try?
We also had this problem with some laptops. The issue was UDP fragmentation. Some NICs didn't do UDP fragmentation.
So they could see the login page of frontstore of Citrix, and when logging in they couldn't connect to the server backend.
We didn't have path MTU on the connections and ICMP was disabled. The solution was that the Citrix team were going to push a smaller MTU on Citrix Receiver via the config.xml file.
Can you try creating an open policy and deny the DTLS application with services set to any (or you can check with application-default) as well, and let's see how it behaves. Put that policy on the top for specific users and destinations.
Just below that create a security policy and allow everything for specific users and destinations.
I was somewhere close in accessing the Citrix Receiver remote desktop.
Had this issue in a recent Citrix deployment. Check to see if drop frag UDP is set to drop in your zone protection profile for GP. That was my issue. I was able to connect on the receiver but unable to launch apps; it would just say connecting, then time out.
You can confirm if this is your issue by doing a pcap of the IP of the VPN client and looking at the drops. You will see
"IP Fragmented IP Protocol" UDP/17 being dropped.
Just make a new zone protect policy and make sure IP frag drop is unchecked.
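
The pcap check described in the reply above, as an added example that is not part of the thread or any poster's code: it lists the IPv4 fragments carrying UDP (protocol 17) to or from one VPN client address. It assumes a classic little-endian pcap with raw-IP link type (for an Ethernet capture, skip the 14-byte frame header first); the addresses and packets are constructed sample data.

```python
import socket
import struct

PCAP_GLOBAL = struct.Struct("<IHHiIII")   # classic pcap file header (little-endian)
PCAP_RECORD = struct.Struct("<IIII")      # per-packet record header
LINKTYPE_RAW = 101                        # assumption: packets start at the IP header

def fragmented_udp(pcap_bytes, client_ip):
    """List (src, dst, ip_id, byte_offset, more_fragments) for every IPv4
    fragment carrying UDP (protocol 17) to or from client_ip."""
    magic, _, _, _, _, _, linktype = PCAP_GLOBAL.unpack_from(pcap_bytes, 0)
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_RAW:
        raise ValueError("expected little-endian pcap with LINKTYPE_RAW")
    hits, pos = [], PCAP_GLOBAL.size
    while pos + PCAP_RECORD.size <= len(pcap_bytes):
        _, _, caplen, _ = PCAP_RECORD.unpack_from(pcap_bytes, pos)
        pkt = pcap_bytes[pos + PCAP_RECORD.size : pos + PCAP_RECORD.size + caplen]
        pos += PCAP_RECORD.size + caplen
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            continue                      # truncated or not IPv4
        ident, flags_frag = struct.unpack_from("!HH", pkt, 4)
        more, offset = bool(flags_frag & 0x2000), (flags_frag & 0x1FFF) * 8
        src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
        # A fragment has MF set or a non-zero offset; only the first one has a UDP header
        if pkt[9] == 17 and (more or offset) and client_ip in (src, dst):
            hits.append((src, dst, ident, offset, more))
    return hits

def _ip(src, dst, proto, ident, flags_frag, payload_len):
    """Build a constructed IPv4 packet (zero payload, checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + bytes(payload_len)

def sample_pcap():
    """Constructed capture: a UDP datagram in two fragments, plain UDP, and TCP."""
    pkts = [
        _ip("10.10.0.5", "192.168.1.20", 17, 0x1234, 0x2000, 1480),  # MF=1, offset 0
        _ip("10.10.0.5", "192.168.1.20", 17, 0x1234, 185, 520),      # MF=0, offset 1480
        _ip("10.10.0.5", "192.168.1.20", 17, 0x1235, 0x4000, 100),   # DF set, whole datagram
        _ip("10.10.0.5", "192.168.1.20", 6, 0x1236, 0x4000, 40),     # TCP, ignored
    ]
    out = PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    for p in pkts:
        out += PCAP_RECORD.pack(0, 0, len(p), len(p)) + p
    return out

if __name__ == "__main__":
    for hit in fragmented_udp(sample_pcap(), "10.10.0.5"):
        print(hit)
```

Fragments that appear in a capture taken before the firewall but are missing from one taken after it match the fragment drop the reply describes.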