Cisco WAN :: 1494 - Citrix Fails When Going Through GRE Tunnel
Apr 10, 2006
A group of Citrix Clients connect to a Citrix Metaframe Server. The port numbers involved are Citrix Metaframe (TCP/UDP 1494) and MS Terminal Server (TCP/UDP 1604).
The network is configured such that the communication between the Citrix clients and server goes through a GRE tunnel. Traceroutes from client to server, and vice versa, confirm that it passes thru the GRE tunnel. There's no ACL, firewalls or NAT devices along the IP path, in both directions.
The issue is, all Citrix clients can ping to the server but some fail to log on to the server; some have no problem. Also, other applications, e.g. PCAnywhere, can go through. If the GRE tunnel is taken away, all Citrix clients can log on to the Citrix server.
We run a hub&spoke network with dual GRE tunnels from each spoke site to seperate independant adsl routers at the hub.IPsec is enabled on each tunnel with crypto maps and then QOS is enabled with pre-classify for voice traffic priority. We also have defined a class for Citrix traffic by identifying port1494 traffic out and anything bound for our citrix servers IPs.Ok so the problem is that once the encryption comes up on the tunnels, the citrix programs wont connect. Take the crypto map off the tunnel and all works fine.
Here is the relevant config
crypto isakmp policy 1 encr 3des authentication pre-share group 2crypto isakmp key **** address *.*.*.* crypto isakmp key **** address *.*.*.* crypto map SDM_CMAP_1 1 ipsec-isakmp description Tunnel to hub1 set peer *.*.*.* set transform-set ESP-3DES-SHA match address 104 qos pre-classifycrypto map SDM_CMAP_1 2 ipsec-isakmp description Tunnel to hub2 set peer *.*.*.* set transform-set ESP-3DES-SHA match address 105 qos pre-classify
[code]....
I deliberately weight EIGRP to favour Tun0 and have Tun1 as a failover. I was thinking of Route-mapping the Citrix traffic to Tun1?
I upgraded an ASA 5505 from 8.3(2) to 8.4(4) this evening. The 5505 is a backup and used to perform testing prior to production changes. After the upgrade was complete, a VPN tunnel began to fail. I did a limited search online to see if this was a known issue or something new. I also reviewed the release notes but did not see anything that matched the issue I received.
My concern is that this tunnel configuration is scheduled to be deployed to the production firewalls next week after their upgrade. But if it failed on the upgraded test unit, it may fail on the production units.
I downgraded the backup unit to 8.3(1) and verified that the tunnel indeed worked at that level.
We are using a 5510 and have issues trying to use VPN with full tunnel to connect from inside the firewall to a customer site. I don't seem to have a problem when using split tunnel profiles. How would you troubleshoot this?
I have an AC 3.0 connection that works fine prior to CSD. Once I've enabled CSD I get CSD to load and then the AC tunnel fails. Ive attached the DART bundle and a few screen shots.
I'm using a RV082 with latest firmware v4.0.4.02tm in one of our branch offices. Sometimes the tunnel to the main office (IPCOP 1.4.21) fails. Both sides display the status "tunnel connected" but IP traffic doesn't go through. If i try to ping the main office using the RV082 diagnostic feature, the RV082 seems to run into a loop...the window continues refreshing without any error message and i'm not able to cancel the test. If I restart the RV082 using the web interface, the "diagnose" and VPN problem still exists, even if the web interface told me that the device did a restart.
The only solution is to to a cold restart of the RV082. After that, the VPN tunnel works again....
This problem occurred 3 times in the last 3 weeks. I never hat this problem with previous firmware versions at this ot other sites.
We have built IPSEC VPN over MPLS P2P circuit between Head & Branch office using Cisco ASA 5510. Client systems at Branch office connects to Citrix app at Head office, but it gets disconnect intermittently for all user. if any recommendations/changes required for Citrix App whn passing over IPSEC VPN/ ASA.
Ive serched everywhere for this problem and couldnt find it, ive tried the basic troubleshooting, one of are users is using the 32 bit client of citrix and it is not lauching, other users have no issues with it, only her computer does. When I click to lauch the desktop it thinks a bit and then the receiver will shoot me an error saying :
"The network connection to your application was interrupted. Try to access your application later, or contact technical support." Her computer is running Windows 7 64 bit, IE8. Im really not sure what could be causing this error
My colleague wants to use our load balancers for VPN. We are coming off 3030s which are serving remote access IPSec as well as terminating LAN to LAN tunnels for like 7 sites.I want to secure the 5540s behind our front end 5585Xs when we move prod to the new dc.We have no immediate need for clientless but need to support osx lion and IPSec client does not. Thats all that's driving this effort currently. I already reminded mgmt that the 3030 and the IPSec client are end of life.I just think anyconnect is the better solution based on current skillset and the popularity of the solution.
We're trying to access Citrix applications on customer`s server, but the error message attached pops up every time I try to access any application. Actually, this is the same error message when we try to use ssh protocol. I'm pretty sure I have loaded all the plugins for this. All the other functionalists are ok for this equipment.
My company has a cisco ASA 5510 and we have a Citrix remote desktop solution. In a nutshell I have users from outside our network accessing a virtual Citrix NetScaler inside our DMZ. There is a session reliability feature enabled on the Citrix solution. Session reliability uses tcp port 443. A user from outside the network connects to our network and is handed a virtual desktop to work with. When a remote user is working on their virtual desktop and there is a network connection issue the end user loses network connectivity for a brief period of time (in most cases just seconds) then the Citrix session reliability feature takes over and holds in a buffer all data destined for the end user . Once the connection is re-established then the buffer is emptied and the session goes on like before and the end user is able to use the virtual desktop. At least this is the way it should work.
In our case the connection never re-establishes between the end user outside the network and the NetScaler in our DMZ. We have been working with Citrix Support and they believe the issue is in our firewall. We have taken packets captures with Wire shark and we can see when the network failure occurs the NetScaler in the DMZ is holding information in a buffer and trying to communicate with the remote end user outside our network via packets and TCP port 443. We can also do the same packet captures from the end user computer and see where it is not receiving any packets from the NetScaler in our DMZ. The fire wall has an access list allowing any traffic in the outside port destined to the NetScaler Public IP on port 443. Then once in the firewall outside port we have a static rule pointing to the NetScaler IP in the DMZ.Everything is working quite well until we need to rely upon the session reliability. We have tried altering the TCP & Global Timeouts options in the firewall via the ASDM with no luck.
I have a question around pix 501 (6.3) configuration. I am trying to allow traffic from a single Citrix CAG across a variety of ports (80,443,9001-9005,27000,7279,1494,2598) from external (dmz) interface through to multiple addresses (on the same ports) on the internal (secure) network and dont know how to best approach it or if its possible. The only way I have found to allow traffic through is via Static Nat entries which I cant see will work for this requirement as we need some ports to be allowed into multiple addresses.
We're setting up a Citrix Cloudstack/XenServer environment and having a heck of a time getting VLAN communication to work with the Cisco SG300-28 switches we've got. We have 4 hosts that are running physically connected to 2 SG300-28 switches.The Guest Network NICS are running on XenServer with a VLAN configuration. As you'll see below our problem lies in that the vm on Host1 (10.1.1.254) cannot communicate to the vm on Host2 (10.1.1.5).Our SG300-28 is currently in L2 mode with Trunked ports for the NICS. It's allowed the VLAN 133 as tagged. Here's the guest networking:here's how our SG300-28 are configured for VLAN traffic GE1,2,13,14 are the connected ports with VLAN133 being one of the tagged VLANS
Currently using intel 5100 & 6200 client cards on multiple driver versions. WiSM is 7.0.116. APs are 1250 and 1260 series. Citrix is setup to send server-side keepalives for session reliability. Randomly, several times a day the client will get disconnected from the Citrix application session but maintain connectivity to the AP and other applications continue to work. Traces show the server-side keepalive reach the controller but are delayed from controller to client by 5-6 seconds. Just enough time for the Citrix server to timeout and tear down to session. Additional testing shows the delay most likely occurs somewhere from controller to AP. It occurs on multiple controllers on multiple campuses.
We have Dell/Broadcom clients that don't experience the problem. The only commonality seems to be the Intel cards. CCX? I know Intel has a special relationship with Cisco regarding CCX and have developed features not available on other cards. Tried disabling power save and other CCX features but hasn't solved the issue.
i have a 7201 router with NPE-G2. i have a design which i have the option to send all the traffic through a GRE tunnel or a L2TPV3 tunnel.which method is more CPU consumption ?
I'm in process of purchasing a new Cisco routers for our branches that will be used primary to enable IPSec virtual tunnel interfce with "tunnel mode ipsec ipv4". does the default IOS IP Base supports this feature? or i need to purchase DATA license or SECURITY license?
I am using a Cisco RV110W (Firmware 1.2.09) in a branch and I would like to create a VPN Tunnel to another site that has a Cisco RV042 (firmware v4.2.1.02)
What would be the correct Configuration? the current configuration I am using is
in the RV042 i am using
Check Enable Local Group Setup Local Security Gateway Type : IP Only IP Address : RV042 Pulbic IP address
There are a few situations were I'd like to be able to use the locally configured account on a device but still have ACS in place.I want to complete this WITHOUT adding the locally configured account into ACS.I have tried setting the advanced option under Identity for if an account is not found to "Continue" however this causes the account to be allowed as long as a password is typed (any password, as long as its not blank).
I have an issue with accessing a Cisco NCS (ver.1.3.0.20) form the GUI interface. It claim the password is wrong...From the CLI I have access.... Ah I can just change the passwords I thought. But no way.. dosent work!
I have double-checked credentialn and access rules on the module and they seem OK. I am trying to add the module with the Admin credentials and ssh/telnet access is permited.
Is this the right way or I'm missing something. Module version is A2(3.2a)
I have a not-so newly installed LMS4.2 Linux appliance. Here is my configuration archive summary:
Config Archival Status No. of Devices Successful 7 Failed 1338 Partially Successful0 Total1345 Configuration Never Collected 1338
[Code].....
Which seems to mean that SSH does not work, which is false as I manually connects to the device from the LMS host successfully. Network devices access is authenticated against ACS servers using TACACS+ so there should be no problem with credential discrepency here.
We are using ACS v5.2.0.26.3 in 802.1X certificate based authentication. Now, when we added CRL functionality into ACS it fails in CRL validation and gives following error message:
LastErrorMessage=CRL PKI verification failed Certificate Revocation list [URL]
We have installed root, device and server certificates from CA, but for management we are still using self-signed certificate.
Question is, which certificate is used when validating downloaded CRL file - one used for EAP-TLS or one used for management interface?
How I can check which certificate ACS server is using for CRL validation?
I dont understadn how this works but basically I have enabled dhcp or so I thought bu clients dont get a lease. The vlan does but clients connecting to the switchports attached to the vlan do not get a lease and cant connect to anything. If I static the ip or use my server to issue dhcp then it's fine still some issues since I am cluceless but I dont understand what I have to do to get dhcp to work on the fa0-3 ports.
Router#sh running-config Building configuration... Current configuration : 1015 bytes !
I am using LMS version 3.2 and i am not able to generate EOS/EOL report with error no connection to Cisco.Saw an update i LMS portal as this:
Now Available! LMS 3.2:Patch for un-interrupted service of Cisco.com download for Device/Software/PSIRT/EOX updates (To be applied on or before 15-June-2011)
so upgraded the patch cwcs33x-win-CSCto46927-0.zip and restarted the demeon as read in the read me file for the patch.Now the job execution status is always shows running, its neither fail nor pass.
I have a 3845 that will not let me ping to the internet from my PC.On interface g0/0 I have a connection to a internet connection (another router), using DHCP to get it's address (it gives g0/0 IP 192.168.0.3).On interface g0/1, I have a connection to my LAN (I assign the interface IP 10.10.1.1).
I can ping the router. The router can ping the internet, do DNS resolution, etc.I have ensured routing is enabled. The only route I have configured is a default static route: 0.0.0.0 0.0.0.0 192.168.0.1.Oddly, if I choose 0.0.0.0 0.0.0.0 g0/0, I cannot ping sites on the internet from the router.
I tried setting up ip nat inside for my LAN and ip nat outside for the WAN/internet uplink, but this did not work.
This was the issue, I missed finishing the NAT setup.I can make the router ping out all day, and have my PCs ping the router, but getting the connection between the two is not working.
I try upgrade ACS 5.3.0.40 to new version 5.4.0.46. Everything looks ok:
ACS-machine/acsadmin# application upgrade ACS_5.4.0.46.tar.gz rep01 Do you want to save the current configuration ? (yes/no) [yes] ? Generating configuration. Saved the running configuration to startup successfully
% CARS Install application required post install reboot...
Broadcast message from root (pts/0) (Thu Dec 6 23:36:41 2012):
The system is going down for reboot NOW!
Application upgrade successful
But ACS machine (vmware instance) can't boot with this result: Volume group "smosvg" not found. (for details see attachment)
I am trying to upgrade ISE from 1.1.0 to 1.1.2.145 but failed. Find the details below.
DR-ise-pdp-01/admin# application upgrade ise-appbundle-1.1.2.145.i386.tar.gz ISE1 Save the current ADE-OS running configuration? (yes/no) [yes] ?
Generating configuration... Saved the ADE-OS running configuration to startup successfully Initiating Application Upgrade... Stopping ISE application before upgrade... Running ISE Database upgrade... % Application upgrade failed. check logs for more details.
We've got a central office (actually quite small) where several IPSec connections connect to. Two of these connections are Cisco 881 routers. One of them works fine, the other craps out after 24 hours (coincidentally also the IKE key lifetime). When I mean "craps out", it means the VPN worked fine from the get go, until 24 hours later. Only a reload will bring back the VPN tunnel. I've verified my PFS and DPD configurations are solid, because these kind of symptoms would most likely occur when these configurations aren't in order.
The two 881 configurations are quite similar. The only differences between the two are some details in the PPPoE configurations and (quite obviously) the IP address space for the two sites. Both operate on the premise of a point to point connection (no multipoint stuff going on here).
I am trying to join my ACS 5.1 to my AD. In the External Identity Stores > Active Directory I have put in the AD administrator details and hit the test button and the test succeeds.
However, when I try to save changes it fails with an eror saying it can't connect to the LDAP server.
Error while configuring Active Directory:Error while configuring Active Directory:Unexpected LDAP Error Can't contact LDAP server due to unexpected configuration or network error.Please try the --verbose option or run 'adinfo --diag' to diagnose the problem.Join to domain 'Mydomain.local', zone 'null' failed.
I have done this lots of times and never had any issue once the test connection succeeds.
I've checked the time and timezones on both ACS and AD and they are the same.
Using CCP installed Easy VPN after setup completed ran the test and it failed see below; What commands can I enter to check this? New at VPN so I am sure I have something miss configured.
Router Details Attribute Value Router Model 851W Image Name c850-advsecurityk9-mz.124-4.T7.bin IOS Version 12.4(4)T7 Host name My Router Test Activity Summary: Activity Status Checking interface status... Failed
Test Activity Details Activity Status Checking interface status... Failed
Troubleshooting Results ; Failure Reason(s)Recommended Action(s)All the crypto applied interface(s) are down or no crypto applied interface is present Make the connection up and then proceed with VPN troubleshooting.
I'm trying the csv file import and getting some errors.
010-12-07 14:23:47: File Format Validation Completed2010-12-07 14:23:47: Import Started
2010-12-07 14:23:47: Record number: 1, Host 01-02-03-04-05-06: Import Failed2010-12-07 14:23:47: null Import process failed for unexpected reason: Unknown error has accurred.2010-12-07 14:23:47: Import Completed With errors
-------- Summary --------Total Number of Records Processed:1Number of Records Failed:1Number of Records Imported:1---------- End ----------Please refresh the table to see the changes.
On some other tries I get null field or missing fields.
It actually creates the host, but on editing it I get the following message:
An unexpected error has occurred. To continue your work, reselect the option in the left navigation bar.If you continue to receive the unexpected error message, close your browser and log in to ACS again.If you still receive the unexpected error message, contact your system administrator or technical assistance.
