Citrix Receiver on Globalprotect

L4 Transporter

I seem to have Globalprotect working fine for access to any internal resource.

The one thing that does not seem to be working is the connection Citrix Receiver (PNAgent legacy version 13.3) makes to our internal Citrix Web Interface / Services site.

I'm getting the error "citrix receiver could not contact the server. please check your network connection"

I'm starting to think this is a Globalprotect issue, because:

  • On the internal LAN everything is fine.
  • Using an old-style Windows VPN that terminates on one of our DCs, everything is fine.
    The only difference with GP is that GP clients terminate at the firewall, so traffic has an extra route to the Citrix servers.
  • I can actually download the Citrix config.xml file over GP VPN. That's the file the Citrix client uses to find what resources are available.
  • All related Citrix servers (portal, XenApp servers) are reachable over GP. Name resolution is fine (both NetBIOS and FQDN names).
  • Policy is in testing phase, so everything between the GP zone and trusted zone is allowed.

Anyone recognise this? Anything else I can try?

L1 Bithead

We had this problem with some laptops as well. The issue was UDP fragmentation. Some NICs didn't do UDP fragmentation.

So they could see the login page of Citrix StoreFront, and when logging in they couldn't connect to the server backend.

We didn't have path MTU on the connections and ICMP was disabled. The solution was that the Citrix team were going to push a smaller MTU to Citrix Receiver via the config.xml file.

L1 Bithead

Can you try creating an open policy that denies the DTLS application with service set to any (or you can check with application-default) as well, and let's see how it behaves. Put that policy at the top for specific users and destinations.

Just below that create a security policy and allow everything for specific users and destinations.

 

I was somewhere close to accessing the Citrix Receiver remote desktop.

L0 Member

Had this issue in a recent Citrix deployment. Check to see if drop frag UDP is set to drop in your zone protection profile for GP. That was my issue. I was able to connect on the Receiver but unable to launch apps; it would just say "connecting" and then time out.

You can confirm if this is your issue by doing a pcap of the IP of the VPN client and looking at the drops. You will see "IP Fragmented IP Protocol" UDP/17 being dropped.

Just make a new zone protection policy and make sure IP frag drop is unchecked.
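The check in the post above, confirming from a capture that UDP datagrams are arriving as IP fragments, worked through as an added example. This is not code from the thread or from Palo Alto Networks; the capture is constructed in memory rather than exported from a firewall, and the client address 10.99.0.10, the XenApp server 10.1.1.50, UDP port 1494 and an MTU of 1500 are all assumptions for illustration. It builds one oversized UDP datagram, fragments it the way an IP stack would, writes a classic pcap, and then scans that pcap for UDP (protocol 17) packets with the more-fragments bit or a non-zero fragment offset set:

```python
"""Scan a drop-stage pcap for fragmented UDP, the symptom described above.

Added example, not code from the thread. The capture is constructed in
memory: a 3000-byte UDP payload from an assumed GlobalProtect client
(10.99.0.10) to an assumed XenApp server (10.1.1.50, port 1494) is split
into IPv4 fragments at an assumed MTU of 1500, next to one small,
unfragmented datagram that must not be flagged.
"""
import socket
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4       # classic pcap written on a little-endian host
PCAP_MAGIC_BE = 0xD4C3B2A1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
IP_FLAG_MF = 0x2000              # "more fragments" bit in the flags/offset field


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over an IPv4 header (even length)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header + payload; checksum left at 0 (not computed), which IPv4 permits."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def fragment_ipv4(src: str, dst: str, proto: int, l4: bytes,
                  mtu: int = 1500, ident: int = 1, ttl: int = 64) -> list:
    """Split one L4 segment into IPv4 packets no larger than mtu.

    Only the first fragment carries the UDP header; later ones carry raw
    payload and no ports, so a device that discards fragments loses the
    whole datagram, not just part of it.
    """
    per_frag = (mtu - 20) // 8 * 8            # payload per fragment, multiple of 8
    packets = []
    for off in range(0, len(l4), per_frag):
        chunk = l4[off:off + per_frag]
        more = off + per_frag < len(l4)
        flags_frag = (IP_FLAG_MF if more else 0) | (off // 8)
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), ident,
                          flags_frag, ttl, proto, 0,
                          socket.inet_aton(src), socket.inet_aton(dst))
        hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
        packets.append(hdr + chunk)
    return packets


def pcap_from_ip_packets(ip_packets: list) -> bytes:
    """Wrap IPv4 packets in dummy Ethernet frames inside a classic pcap container."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    for i, pkt in enumerate(ip_packets):
        frame = eth + pkt
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def find_fragmented_udp(pcap: bytes) -> list:
    """Return one record per IPv4 packet that is a fragment and carries protocol 17 (UDP)."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack(end + "I", pcap[20:24])
    if linktype != 1:
        raise ValueError("example only handles Ethernet captures")
    hits, pos, frame_no = [], 24, 0
    while pos + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig = struct.unpack(end + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        frame_no += 1
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ver_ihl, _tos, _tot, ident, flags_frag, _ttl, proto, _csum, src, dst = \
            struct.unpack("!BBHHHBBH4s4s", ip[:20])
        if ver_ihl >> 4 != 4:
            continue
        offset = (flags_frag & 0x1FFF) * 8
        mf = bool(flags_frag & IP_FLAG_MF)
        if proto != IPPROTO_UDP or not (mf or offset):
            continue                               # not UDP, or not a fragment
        ihl = (ver_ihl & 0x0F) * 4
        ports = None
        if offset == 0 and len(ip) >= ihl + 4:     # only the first fragment has UDP ports
            ports = struct.unpack("!HH", ip[ihl:ihl + 4])
        hits.append({"frame": frame_no, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                     "id": ident, "offset": offset, "mf": mf, "udp_ports": ports})
    return hits


def sample_capture() -> bytes:
    """Constructed capture: one oversized ICA-style datagram plus one small datagram."""
    big = build_udp(50000, 1494, b"\xa5" * 3000)          # 3008-byte UDP datagram
    small = build_udp(50001, 53, b"\x01" * 40)            # fits in one packet, not flagged
    pkts = fragment_ipv4("10.99.0.10", "10.1.1.50", IPPROTO_UDP, big, mtu=1500, ident=0x4242)
    pkts += fragment_ipv4("10.99.0.10", "10.1.1.53", IPPROTO_UDP, small, mtu=1500, ident=0x4243)
    return pcap_from_ip_packets(pkts)


if __name__ == "__main__":
    for hit in find_fragmented_udp(sample_capture()):
        print("frame %(frame)d %(src)s -> %(dst)s id=0x%(id)04x offset=%(offset)d "
              "more=%(mf)s ports=%(udp_ports)s" % hit)
```

Against a real export, read the firewall's drop-stage pcap into bytes and pass it to find_fragmented_udp; a run of hits sharing one IP ID with the VPN client as source, where only the offset-0 packet shows ports, is the "IP Fragmented IP Protocol" UDP/17 pattern the post describes. The 3000-byte sample splits into three fragments at offsets 0, 1480 and 2960, and the 40-byte datagram produces no hit.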

 

L0 Member

Hi Andresee,

I can't seem to find this option under Zone Protection. Could you please point me to the right location?

Thanks
