MS-SQL Issues with 8656-7766 Dynamic Update? Citrix-Director seems to have broken it

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

MS-SQL Issues with 8656-7766 Dynamic Update? Citrix-Director seems to have broken it

L1 Bithead

So, this morning, all going swell. P1. Hm, okay. Looks like an application issue, SQL related. Nothing on the firewall or policies were touched.


The policy is using Layer 7 App-ID MS-SQL to get a server to communicate with the MSSQL server over TCP-1433.


At the end of the day I had an idea to remove protect profiles and drop from Layer7 to Layer4. Seemed to fix the issue - strange. Added protect profiles - still worked. Remove service ports 1433 and went back to MS-SQL - broken.


Okay, I read the dynamic update for 8656-7766, this was implemented on the firewall at 2am, and looking now, it has a 8hr delay before it installs. Standard.


The content update says they implemented a new application called citrix-director which depends on MS-SQL and was previously classified as MS-SQL. I saw one service trying to use it but the other did not so did not think too much of it.


I suspect something in this update broke traditional MS-SQL communication as we were getting the below error:

" SQL Error -1, Data access error. A transport-level error has occurred when receiving results from the server. (provider: Session Provider, error: 19 - Physical connection is not usable)".


As soon as I drop to Layer4, seems to have fixed it because it becomes application independant.


Anyone else have this same issue? Maybe someone from Palo Alto should investigate this! We dont use a Citrix product, our SQL servers are MS-SQL based.




L2 Linker

Yes, the "citrix-director" traffic is either used beyond the Citrix Director management/monitor website that Citrix Admins use.

It is showing up on all SQL STUDIO users to SQL servers (SQL Srvrs hosted on ESXi hosts--NOT hosted on Citrix).

It is constantly flowing between Citrix hosts.

It is flowing between SQL servers and Always On Listener nodes.


Most new applications are somewhat predictable, but this one went far beyond

  "Citrix Director is a monitoring and troubleshooting console for Citrix Virtual Apps and Desktops." 

It brought down all user access to our citrix apps.  DBAs couldn't use SQL Studio.  

L1 Bithead

Yeah, true they are unpredictable but saw on my other post on Reddit that many are complaining and having the same issue. You look at Citrix-director and you dont think twice about what it does. In our case, we dont use it in our environment. Why some SQL queries work and others done is beyond me.Hope its fixed soon though, will look out for another update from Palo Alto.

L1 Bithead

Good news

Content 8657-7768 released - "removed false positive"

  • 3 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!