Cisco Firewall :: ASA 5510 Citrix Session Reliability?
Sep 11, 2011
My company has a cisco ASA 5510 and we have a Citrix remote desktop solution. In a nutshell I have users from outside our network accessing a virtual Citrix NetScaler inside our DMZ. There is a session reliability feature enabled on the Citrix solution. Session reliability uses tcp port 443. A user from outside the network connects to our network and is handed a virtual desktop to work with. When a remote user is working on their virtual desktop and there is a network connection issue the end user loses network connectivity for a brief period of time (in most cases just seconds) then the Citrix session reliability feature takes over and holds in a buffer all data destined for the end user . Once the connection is re-established then the buffer is emptied and the session goes on like before and the end user is able to use the virtual desktop. At least this is the way it should work.
In our case the connection never re-establishes between the end user outside the network and the NetScaler in our DMZ. We have been working with Citrix Support and they believe the issue is in our firewall. We have taken packets captures with Wire shark and we can see when the network failure occurs the NetScaler in the DMZ is holding information in a buffer and trying to communicate with the remote end user outside our network via packets and TCP port 443. We can also do the same packet captures from the end user computer and see where it is not receiving any packets from the NetScaler in our DMZ. The fire wall has an access list allowing any traffic in the outside port destined to the NetScaler Public IP on port 443. Then once in the firewall outside port we have a static rule pointing to the NetScaler IP in the DMZ.Everything is working quite well until we need to rely upon the session reliability. We have tried altering the TCP & Global Timeouts options in the firewall via the ASDM with no luck.
View 1 Replies
ADVERTISEMENT
Apr 5, 2011
How to terminate a vpn session on the asa 5510, when u issue the command sh vpn-sessiondb remote?
View 1 Replies
View Related
Jul 16, 2012
We have built IPSEC VPN over MPLS P2P circuit between Head & Branch office using Cisco ASA 5510. Client systems at Branch office connects to Citrix app at Head office, but it gets disconnect intermittently for all user. if any recommendations/changes required for Citrix App whn passing over IPSEC VPN/ ASA.
View 2 Replies
View Related
Jan 9, 2011
its possible use citrix receiver for java on asa 5505 on ssl web vpn?
View 1 Replies
View Related
Dec 12, 2011
I have a question around pix 501 (6.3) configuration. I am trying to allow traffic from a single Citrix CAG across a variety of ports (80,443,9001-9005,27000,7279,1494,2598) from external (dmz) interface through to multiple addresses (on the same ports) on the internal (secure) network and dont know how to best approach it or if its possible. The only way I have found to allow traffic through is via Static Nat entries which I cant see will work for this requirement as we need some ports to be allowed into multiple addresses.
View 6 Replies
View Related
Oct 7, 2012
I am able to establish a single VPN session on an ASA 5510. The network is as follows:Cisco 2600 router----> ASA 5510---->non cisco UTM----> LAN.Once another session is connected (same profile different username) is connected the first one disconnected.
View 2 Replies
View Related
Sep 11, 2011
How can I check I have the right vpn time on a VPN client session on a asa 5510 , and how can I modify it to more time...
View 3 Replies
View Related
Mar 21, 2012
Is it possible for AnyConnect to utilise the backup server defined in the connection profile when the session limit is hit on an ASA? Essentially if I hit the 250 limit on my ASA 5510 in Region A, will it try the backup server ASA defined in the connection profile which is in Region B?
From what I have read, the backup server only kicks in when the AnyConnect client cannot connect, but in this scenario it will connect but get an error message.
View 1 Replies
View Related
Nov 15, 2011
I recently purchased a DIR-815 and am currently trying to use the 2.4 GHz Wireless mode so I can connect a remote WiFI product to it (approx 30 feet separation) to get access to the internet for sending email and to FTP data from the remote WiFi product over the internet. It is imperative that this connectivitiy be reliable and continuously accessible. The PC host and the WiFI product are unattended and require 24/7 use and conneciton reliability.
My problem is that for no apparent reason the connectivity to the DIR-815 by the PC host (wired to DIR-815 by ethernet) is not reliable....and even though the connection is obviously lost, my PC thinks it is still connected according to the Network status info shown in Windows. I then have to do a Network Repair on the PC to get the connection back. Whenever this is happening during the loss of connectivity by the PC to the DIR-815, the WiFi connection from my remote WiFi product is also lost which we cannot tolerate.
PC host is connected to DIR-815 via ethernet cable. DIR-815 is connected to a ViaSat Surf Beam Satellite modem (model SM2100) that is accessing Big Blue sattelite service as the ISP. I have the DIR-815 using 2.4 Ghz channel set to WEP2 TPIK-AES security. When connected everything works fine. We just need it to stay coonnected without having to be rebooted all the time.
Is there any way to resolve this problem and improve the connection reliability of the DIR-815?? I wish there were some way to send a WiFI command from our remote application to the DIR-815 to reboot it, which we could program into the remote product, but when wireless connectivity is lost, obviously that is not possible.
View 2 Replies
View Related
Jun 21, 2012
In 2008-2010 timeframe, I used the ace 4710 appliances at one customer and kind of liked them. The deployment was not too SSL intensive and B/W requirements were low, but I configured a few HA pairs and that worked well. The configuration was pretty comparable to other Cisco devices; so easy to learn/pick-up.Fast forward to 2011: stepped into an environment, where customer purchased 3 - ACE 20 modules (before I got here), and had multiple issues with them. I found 4 documented TAC cases, and 1 was still open. I started working from December 2011 on getting Cisco to own-up WRT modules but customer by that time had had enough.
The most serious issue was a random reboot, hang or lockup. I wasn’t here to work with them to verify, but that’s eventually what the deal breaker was. Around the February 2012 timeframe, talking to Cisco SE, he revealed Cisco had an independent lab in Switzerland verify that some hardware component on the device had a terminal defect, in which a bit would flip, and force the device to lock or reboot - subject ot radioactive decay or interference.Cisco and the lab attributed this to improper shielding, coupled with defective material in the electronic component; hence the device was highly susceptible to radiation-type errors. This is the kind of stuff you read in doomsday reports! As a result, Cisco was EOL-ing the ACE-20 module. I am trying to get Cisco to replace the ACE-20 modules with something else, but they haven’t been too cooperative. They have also limited their SE/Salseperson presence where I work (Pacific Northwest); and are not too responsive.
I have gotten a verbal agreement to get a credit on prior purchases for the amount this customer spent on the ACE-20 modules. However, the credit is only a few points off their normal discounting model. And Cisco will not go into loss on new product sales. Using example, $100 product would cost me $55 with standard Cisco discounting. Cisco’s cost might be $45 so I will only get another $10 credit on this new purchase.The 3 Cisco ACE-20’s originally cost customer about $100K, so to dwindle this credit down, we would need to purchase about $1-$2 million of new hardware - that's a lot of new gear! And I don’t have any real way of knowing that Cisco is applying the credit honestly, and they won’t put anything in writing. This entire issue has really dampened customer’s impression of Cisco. They had smartnet on the ACE-20’s for 2+ years, but then dumped that after losing faith in the product. Now I am trying to resurrect smartnet to see if Cisco will give us an alternate product.
And to cap it all off, the original Cisco salesperson (who sold customer the ACE’s), has left and went to work for F5! And yes, he has been calling on customer to try to sell some big-IP's! At least there is some humor in all of this. So... Has anyone else had bad experience with ACE-20 module? How about ACE 4710? How to get a reliable working ACE module from Cisco?
View 6 Replies
View Related
Apr 29, 2012
I am facing low relaiblity issue in one of the ethernet port even no link is connected to that port.
Router model : cisco 3660
IOS - c3660-ik8s-mz.122-24a.bin
Ethernet1/2 is up, line protocol is down
Hardware is AmdP2, address is 0007.85fb.c312 (bia 0007.85fb.c312)
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
[Code]...
View 2 Replies
View Related
Nov 17, 2012
I have been looking at IP cams, like the Vivotek IP8332, or possibly the Axis m1113e
It could easily be -30F for several nights in any given winter. I am going to spend about $1,000 for two cams + cabling, etc. running into a PC to record video events.
EDIT: (The PC is not part of that $1,000). I know there are an abundance of outdoor enclosures with heat and fan, but I have never dealt with this stuff before. I also want to have night vision capability-- looking at seperate IR lamps. Meh.
View 6 Replies
View Related
Jun 4, 2012
I have inherited the support of an ASA5520 running 8.0(3)12 code and I believe I have a pretty simple question here that I haven't been able to figure out on my own. I have a few users that connect to the box via IPSEC VPN client connections. They want to be able to leave up a RDP based connection, for monitoring purposes, for a most of the day, but thier RDP connection keeps getting discounnted after a few hours. The VPN connection never gets disconnected, just the RDP session running through it. I have another box running 8.0(4) code and they can leave up the RDP sessions as long as they like without getting disconnected from the server(s). I have compared the configs of both boxes and don't see any glsring differences in regards to the configuration that would cuase the RDP sessions to either to stay up or be disconnected after an inactivity type scenario.
What to look for in regards to identifying the timer that is disconnecting the RDP session after a period of time.
View 2 Replies
View Related
May 1, 2012
Our users are using Xmanager to connect to a NNM connection which is going through a Cisco ASA5550 with 8.3. The session of Xmanager is getting terminated exactly after 1 hour and the users have to reconnect it again. How can we make the session to be up always, when I am bypassing the Firewall its always up.
View 2 Replies
View Related
Sep 18, 2012
How can i determine the current PPPoE session duration on ASA 5500 Systems? If i use the different CLI commands like "show vpdn session state / show vpdn session pppoe state" the output says:
State: SESSION_UP Last Chg: 593595 secs.
The ISP is forcing a reconnect every 86400 seconds, so the value can't be the actual duration of the pppoe session. Does it only indicate the link duration to the attached modem or interface state? Is the only way to detect interruptions of the pppoe session with debug and syslog?
View 0 Replies
View Related
Apr 15, 2013
My company has a DCS network that was previously segregated with a layer 3 switch and a handful of access lists. However, there came this big push to segregate all DCS networks with Firewalls, so I purchased a 5505 and duplicated my simple access lists on the firewall and everything worked. There is no NAT, just explicitly permitted traffic out and explicitly permitted traffic in. However, there are some applications that connect and work fine for a few hours, then disconnect and the user must exit out of the application and go back into it, then it starts working again. Previously with the Layer 3 Switch/access lists, this never happened. Since I put the firewall in place, it has happened 3 to 4 times a day every day for the last week.
View 4 Replies
View Related
Apr 15, 2012
We have configured our ASA5540 in active-standby failover.We are observing that current active session count is twice of session count before configuring HA. Earlier average active session was 50000 and now after HA it is around 100000. Failover configuration of both firewall are as follows
failover
failover lan unit primary
failover lan interface FOLan GigabitEthernet1/0
failover polltime unit 15 holdtime 45
failover replication http
failover link StateLink GigabitEthernet1/1
failover interface ip FOLan 10.3.3.1 255.255.255.0 standby 10.3.3.2
[code]....
View 3 Replies
View Related
Jun 5, 2012
I have an ASA 5520 for my firewall. (ver 8.0(4))I have an external hyperlink that works from dsl at home but not from behind my corperate firewall.When I filter my real-time log viewer for this destination address I see the build up and immediate teardown of the session.The log indicates the teardown was initiated from inside.The informational alerts are
Built outbound TCP connection 726440542 for outside:201.116.168.172/6666 to inside:172.16.x.x/3586 (65.204.x.x/52001)
Teardown TCP connection 726440542 for outside:201.116.168.172/6666 to inside:172.16.x.x/3586 duration 0:00:00 bytes 77 TCP Reset-I
Reset-I means that something (the firewall or my pc which is the source) is telling the firewall to end the session.
View 2 Replies
View Related
Sep 20, 2012
Just doing some basic testing before we replace our ancient PIX 515E with a new 5512. I have a mini lab set up following the diagram below, although I am unable to telnet through to the mail server's netcat listener on port 25 TCP. I can ping all the way outbound from 192.168.101.1 to 10.0.0.2, and the 10.0.0.2 machine shows it is translated properly to 200.225.117.1.
NAT and access rules are as follows:
object network mail
host 192.168.101.1
description Mail relay
access-list inbound extended permit ip any host 200.225.117.1
[code]....
EDIT: Somehow the new global access rule is involved. When adding a permit any any in there I can get to the mail server no problem. When I remove it but leave in my permit ip any any on the outside interface, I am denied?
View 3 Replies
View Related
Jan 14, 2013
I have an ancient Alteon load balancer which only supports HTTP and telnet access. Our management people only allow HTTPS through the management firewall farm, and don't want to change this policy. So I need a low cost HTTPS to HTTP conversion, ideally on Cisco hardware like an ASA5505. It only needs one concurrent user. Is there a way to configure an ASA 5505 to terminate the inbound HTTPS seession and re-originate a HTTP management session to the Alteon? It looks to me as if the Clientless SSL VPN might do the job.Is there a way to do a SSH to telnet conversion on the ASA, or on a router?
View 1 Replies
View Related
Apr 10, 2006
A group of Citrix Clients connect to a Citrix Metaframe Server. The port numbers involved are Citrix Metaframe (TCP/UDP 1494) and MS Terminal Server (TCP/UDP 1604).
The network is configured such that the communication between the Citrix clients and server goes through a GRE tunnel. Traceroutes from client to server, and vice versa, confirm that it passes thru the GRE tunnel. There's no ACL, firewalls or NAT devices along the IP path, in both directions.
The issue is, all Citrix clients can ping to the server but some fail to log on to the server; some have no problem. Also, other applications, e.g. PCAnywhere, can go through. If the GRE tunnel is taken away, all Citrix clients can log on to the Citrix server.
View 3 Replies
View Related
Apr 24, 2012
Today i received FWSM from cisco (RMA), I need to configure it as standby unit for existing FWSM active/standby setup.
IOS on RMAed FWSM is 2.3.4 and cisco VSS supports FWSM IOS 4.0.4 and later.My issue is, I cannot access FWSM (IOS 2.3.4) via session command from cisco 6513 but could successfully consoled it without any problem. I have reloaded it twice and also tried to disable and enable power on it.
VSS#sh module switch 2
Switch Number: 2 Role: Virtual Switch Standby
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
2 6 Firewall Module WS-SVC-FWM-1 -----------
[code]....
why I cannot access FWSM through session command ?Whether this is because of older IOS ? If yes then how to upgrade its IOS ?Is it possible to upgrade IOS via FWSM console ? if yes, Do i need to test on different slot ?
View 2 Replies
View Related
Jul 7, 2012
i have user connected to office using Cisco vpn client , Cisco asa 5520 acts as vpn gateway, frequently the users got disconnected from the server while the VPN still established and not disconnected!
what is the cause of the issue , where the fault is located ? how to start the troubleshooting to figure out the issue?
View 1 Replies
View Related
Feb 10, 2012
Ive serched everywhere for this problem and couldnt find it, ive tried the basic troubleshooting, one of are users is using the 32 bit client of citrix and it is not lauching, other users have no issues with it, only her computer does. When I click to lauch the desktop it thinks a bit and then the receiver will shoot me an error saying :
"The network connection to your application was interrupted. Try to access your application later, or contact technical support." Her computer is running Windows 7 64 bit, IE8. Im really not sure what could be causing this error
View 12 Replies
View Related
Oct 17, 2012
Just recently we replaced our HQ Cisco-Pix with Cisco-ASA 5510. where we have many branches connecting to our HQ through site-to-site vpn.
Since putting this new ASA5510 at HQ , while we are getting a Remote-Desktop session into our branches clients, and at the time when even a single TIMEOUT occurs on the vpn-link so the remote-desktop session gets completly lost. then we have to re-connect the session.
This issue happens as i said above when a single timeout occurs on the vpn link. What is the issue with the ASA5510. because with pix we didnt have this issue, remote-desktops were never geting lost / reset with single timeout
View 1 Replies
View Related
Oct 30, 2011
My colleague wants to use our load balancers for VPN. We are coming off 3030s which are serving remote access IPSec as well as terminating LAN to LAN tunnels for like 7 sites.I want to secure the 5540s behind our front end 5585Xs when we move prod to the new dc.We have no immediate need for clientless but need to support osx lion and IPSec client does not. Thats all that's driving this effort currently. I already reminded mgmt that the 3030 and the IPSec client are end of life.I just think anyconnect is the better solution based on current skillset and the popularity of the solution.
View 2 Replies
View Related
Jun 5, 2011
We're trying to access Citrix applications on customer`s server, but the error message attached pops up every time I try to access any application. Actually, this is the same error message when we try to use ssh protocol. I'm pretty sure I have loaded all the plugins for this. All the other functionalists are ok for this equipment.
View 1 Replies
View Related
May 16, 2011
We run a hub&spoke network with dual GRE tunnels from each spoke site to seperate independant adsl routers at the hub.IPsec is enabled on each tunnel with crypto maps and then QOS is enabled with pre-classify for voice traffic priority. We also have defined a class for Citrix traffic by identifying port1494 traffic out and anything bound for our citrix servers IPs.Ok so the problem is that once the encryption comes up on the tunnels, the citrix programs wont connect. Take the crypto map off the tunnel and all works fine.
Here is the relevant config
crypto isakmp policy 1 encr 3des authentication pre-share group 2crypto isakmp key **** address *.*.*.*
crypto isakmp key **** address *.*.*.*
crypto map SDM_CMAP_1 1 ipsec-isakmp description Tunnel to hub1
set peer *.*.*.*
set transform-set ESP-3DES-SHA match address 104 qos pre-classifycrypto map SDM_CMAP_1 2 ipsec-isakmp description Tunnel to hub2
set peer *.*.*.*
set transform-set ESP-3DES-SHA match address 105 qos pre-classify
[code]....
I deliberately weight EIGRP to favour Tun0 and have Tun1 as a failover. I was thinking of Route-mapping the Citrix traffic to Tun1?
View 1 Replies
View Related
Sep 16, 2012
We're setting up a Citrix Cloudstack/XenServer environment and having a heck of a time getting VLAN communication to work with the Cisco SG300-28 switches we've got. We have 4 hosts that are running physically connected to 2 SG300-28 switches.The Guest Network NICS are running on XenServer with a VLAN configuration. As you'll see below our problem lies in that the vm on Host1 (10.1.1.254) cannot communicate to the vm on Host2 (10.1.1.5).Our SG300-28 is currently in L2 mode with Trunked ports for the NICS. It's allowed the VLAN 133 as tagged. Here's the guest networking:here's how our SG300-28 are configured for VLAN traffic GE1,2,13,14 are the connected ports with VLAN133 being one of the tagged VLANS
View 8 Replies
View Related
Apr 24, 2012
Currently using intel 5100 & 6200 client cards on multiple driver versions. WiSM is 7.0.116. APs are 1250 and 1260 series. Citrix is setup to send server-side keepalives for session reliability. Randomly, several times a day the client will get disconnected from the Citrix application session but maintain connectivity to the AP and other applications continue to work. Traces show the server-side keepalive reach the controller but are delayed from controller to client by 5-6 seconds. Just enough time for the Citrix server to timeout and tear down to session. Additional testing shows the delay most likely occurs somewhere from controller to AP. It occurs on multiple controllers on multiple campuses.
We have Dell/Broadcom clients that don't experience the problem. The only commonality seems to be the Intel cards. CCX? I know Intel has a special relationship with Cisco regarding CCX and have developed features not available on other cards. Tried disabling power save and other CCX features but hasn't solved the issue.
View 7 Replies
View Related
Feb 26, 2013
I have some problem with the ASA 5510 ver 7.0(6). My manager wants to keep this as backup. tried lots of things but still users not able to access internet nor can i ping anywhere.For example when i ping 4.2.2.2 i dont get any reply.The runing config is below for ur ref :
HQ-ASA-01# show running-config
: Saved
:
[Code]......
View 9 Replies
View Related
Feb 5, 2012
I need to create a firewalled segment that not only separates hosts from general population, but also from each other. The solitary confinement of firewalled segments.I know that I could create a bunch of sub-interfaces, one for each host or group that needs to be isolated, but I'd really rather not have to do that if possible. 1) It could become a management nightmare between ACLs and sub-interfaces and 2) it's a waste of IP addresses.s there any way that I can create a bunch of separate VLANs behind the firewall and have them all terminate at the firewall, using a single firewall IP address for the gateway?
VLAN 1 - hosts 1.1.1.5 and 1.1.1.6VLAN 2 - hosts 1.1.1.7
Firewall DMZ Interface - 1.1.1.1VLAN 3 - hosts 1.1.1.8 and 1.1.1.9
This way, the hosts are isolated and can't talk to each other unless they're on the same VLAN.I'm working with an ASA 5510 running 8.2.4(4).
View 1 Replies
View Related
Jun 22, 2011
I have a ASA 5510 firewall with CSC module and Security Plus license for CSC module.Will you tell me how to configure my firewall to send emails to particular mail ID when someone login into the firewall or any virus attacks from outside.
View 6 Replies
View Related
