Contributor
March 10, 2008
Question

Cannot access Citrix Server using VPN

I have a client who connects to another company using VPN (Cisco). After connecting she gets an IP address on their network (192.168.30.18), and now she wants to connect to a Citrix Server on IP 192.168.30.31, but she is not able to do that. We are using a FortiGate 60B, MR5. She can connect using another gateway (other than the FortiGate 60B). Please help.


    MasterBratac
    New Member
    March 10, 2008
    Are you using interface mode? Sounds like a missing static route or firewall policy...
    UkWizard
    New Member
    March 10, 2008
    If this is a client-to-site VPN travelling through the Fortinet, I cannot see how the Fortinet could be causing the issue. Check you have NAT-traversal enabled on the Cisco VPN client config. Else, the only other thing it could be would be your local IP subnet clashing with the remote VPN subnet, i.e., you are using one of the following local subnets on your LAN:
        192.168.30.0/255.255.255.0
        192.168.0.0/255.255.0.0
        192.0.0.0/255.0.0.0
    Thus it would get routed via the local connection, as opposed to down the VPN.
    Contributor
    March 10, 2008
    Thank you MasterBratac and UKWizard, I think it is a missing policy or static route. Just another thing I have come across which might be helpful: we have a VoIP ATA which is able to make calls out without any problem, but when someone calls we cannot hear the other side, and the other side cannot hear me either. I am using the 192.168.1.0 subnet on our local network, so not really a route problem. Thanks in advance guys! Regards, "V"
    UkWizard
    New Member
    March 11, 2008
    I am using 192.168.1.0 subnet on our local network so not really a route problem.
    Do you definitely use the 255.255.255.0 mask then? It's worth checking, just in case, as there is no technical reason why you cannot use 192.168.1.x with a 255.255.0.0 mask...
    Contributor
    March 12, 2008
    Hi UKWizard, thanks for the valuable information. Now I have some more info which might help:
    1. The reason why I am not able to connect is "The packets are not crossing the firewall".
       Client's address: 192.168.1.31/255.255.255.0
       Default gateway: 192.168.1.99 (FortiGate unit)
       The client connects to VPN server 165.210.61.10 using the WatchGuard VPN client and is assigned IP address 192.168.30.31/255.255.255.0.
       Now the client connects to the Citrix server using the Citrix ICA client to 192.168.30.17, and an error message comes up saying there is NO server running on that IP address.
       Checked the FortiGate logs; there is no entry for the packets being blocked. Please help.
    Contributor
    March 12, 2008
    Further, please find the route print for working and non-working:

    WORKING
    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x80002 ...00 19 d1 74 e5 a6 ...... Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
    0xf0004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination    Netmask            Gateway          Interface        Metric
    0.0.0.0                0.0.0.0            192.168.1.1      192.168.1.123    20
    127.0.0.0              255.0.0.0          127.0.0.1        127.0.0.1        1
    192.168.1.0            255.255.255.0      192.168.1.123    192.168.1.123    20
    192.168.1.123          255.255.255.255    127.0.0.1        127.0.0.1        20
    192.168.1.255          255.255.255.255    192.168.1.123    192.168.1.123    20
    192.168.30.0           255.255.255.0      192.168.31.10    192.168.31.10    1
    192.168.31.0           255.255.255.0      192.168.31.10    192.168.31.10    1
    192.168.31.10          255.255.255.255    127.0.0.1        127.0.0.1        50
    192.168.31.255         255.255.255.255    192.168.31.10    192.168.31.10    50
    193.168.31.10          255.255.255.255    192.168.31.10    192.168.31.10    1
    224.0.0.0              240.0.0.0          192.168.1.123    192.168.1.123    20
    224.0.0.0              240.0.0.0          192.168.31.10    192.168.31.10    50
    255.255.255.255        255.255.255.255    192.168.1.123    192.168.1.123    1
    255.255.255.255        255.255.255.255    192.168.31.10    192.168.31.10    1
    Default Gateway:       192.168.1.1
    ===========================================================================
    Persistent Routes:
    None

    NOT WORKING
    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x80002 ...00 19 d1 74 e5 a6 ...... Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
    0x110004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination    Netmask            Gateway          Interface        Metric
    0.0.0.0                0.0.0.0            192.168.1.99     192.168.1.123    20
    127.0.0.0              255.0.0.0          127.0.0.1        127.0.0.1        1
    192.168.1.0            255.255.255.0      192.168.1.123    192.168.1.123    20
    192.168.1.123          255.255.255.255    127.0.0.1        127.0.0.1        20
    192.168.1.255          255.255.255.255    192.168.1.123    192.168.1.123    20
    192.168.30.0           255.255.255.0      192.168.31.13    192.168.31.13    1
    192.168.31.0           255.255.255.0      192.168.31.13    192.168.31.13    1
    192.168.31.13          255.255.255.255    127.0.0.1        127.0.0.1        50
    192.168.31.255         255.255.255.255    192.168.31.13    192.168.31.13    50
    193.168.31.13          255.255.255.255    192.168.31.13    192.168.31.13    1
    224.0.0.0              240.0.0.0          192.168.1.123    192.168.1.123    20
    224.0.0.0              240.0.0.0          192.168.31.13    192.168.31.13    50
    255.255.255.255        255.255.255.255    192.168.1.123    192.168.1.123    1
    255.255.255.255        255.255.255.255    192.168.31.13    192.168.31.13    1
    Default Gateway:       192.168.1.99
    ===========================================================================
    Persistent Routes:
    None
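A route-selection check over the two route prints above, which also runs UkWizard's subnet-overlap test from the March 10 reply (added example, not from the thread: the tables are abridged to the rows that matter, and 165.210.61.10 is the VPN server address given in the March 12 post).

```python
import ipaddress

# Constructed from the two "Active Routes" tables in the post above, abridged to the
# rows that decide where Citrix (192.168.30.x) and VPN-gateway traffic leaves the PC.
# Columns follow "route print": destination, netmask, gateway, interface, metric.
WORKING = """
0.0.0.0       0.0.0.0        192.168.1.1    192.168.1.123  20
192.168.1.0   255.255.255.0  192.168.1.123  192.168.1.123  20
192.168.30.0  255.255.255.0  192.168.31.10  192.168.31.10   1
192.168.31.0  255.255.255.0  192.168.31.10  192.168.31.10   1
"""
NOT_WORKING = """
0.0.0.0       0.0.0.0        192.168.1.99   192.168.1.123  20
192.168.1.0   255.255.255.0  192.168.1.123  192.168.1.123  20
192.168.30.0  255.255.255.0  192.168.31.13  192.168.31.13   1
192.168.31.0  255.255.255.0  192.168.31.13  192.168.31.13   1
"""

def parse_routes(text):
    """Parse route-print rows into (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.strip().splitlines():
        dest, mask, gw, iface, metric = line.split()
        routes.append((ipaddress.ip_network(f"{dest}/{mask}", strict=False),
                       ipaddress.ip_address(gw), ipaddress.ip_address(iface), int(metric)))
    return routes

def select_route(routes, dst):
    """Pick the route a host uses: longest prefix wins, lowest metric breaks ties."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))

def egress_interface(table, dst):
    """Address of the interface a packet to dst leaves from, or None if unroutable."""
    route = select_route(parse_routes(table), dst)
    return str(route[2]) if route else None

def overlapping_subnets(local_nets, vpn_net):
    """UkWizard's check: local LAN subnets that overlap the remote VPN subnet, so the
    LAN route competes with the tunnel route for those addresses."""
    vpn = ipaddress.ip_network(vpn_net)
    return [str(n) for n in map(ipaddress.ip_network, local_nets) if n.overlaps(vpn)]
```

Both tables send 192.168.30.18 out the VPN adapter (192.168.31.10 and 192.168.31.13 respectively) and only the default gateway differs, so the client's own routing of the Citrix traffic is not what changed between the two setups. With the poster's 192.168.1.0/24 LAN there is no overlap with 192.168.30.0/24; a 192.168.0.0/16 LAN would be flagged.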
    Contributor
    March 12, 2008
    Hi UkWizard, I have captured the TCP packet which never reaches the FortiGate 60B, and here it is:

    File Version      : 10.200.2650.0
    File Description  : Citrix ICA Client Engine (Win32) (wfica32.exe)
    File Path         : C:\Program Files\Citrix\ICA Client\wfica32.exe
    Process ID        : 0xF34 (Heximal) 3892 (Decimal)
    Connection origin : local initiated
    Protocol          : TCP
    Local Address     : 192.168.31.13
    Local Port        : 2946
    Remote Name       : cs04.craigmostyn.com.au
    Remote Address    : 192.168.30.18
    Remote Port       : 2598 (CITRIXIMACLIENT - Citrix MA Client)

    Ethernet packet details:
    Ethernet II (Packet Length: 76)
      Destination: 08-00-20-00-09-00
      Source: 00-00-08-00-00-00
      Type: IP (0x0800)
    Internet Protocol
      Version: 4
      Header Length: 20 bytes
      Flags: .1.. = Don't fragment: Set
             ..0. = More fragments: Not set
      Fragment offset: 0
      Time to live: 128
      Protocol: 0x6 (TCP - Transmission Control Protocol)
      Header checksum: 0xba7c (Correct)
      Source: 192.168.31.13
      Destination: 192.168.30.18
    Transmission Control Protocol (TCP)
      Source port: 2946
      Destination port: 2598
      Sequence number: 618048899
      Acknowledgment number: 0
      Header length: 28
      Flags: 0... .... = Congestion Window Reduce (CWR): Not set
             .0.. .... = ECN-Echo: Not set
             ..0. .... = Urgent: Not set
             ...0 .... = Acknowledgment: Not set
             .... 0... = Push: Not set
             .... .0.. = Reset: Not set
             .... ..1. = Syn: Set
             .... ...0 = Fin: Not set
      Checksum: 0x619d (Correct)
      Data (0 Bytes)
    Binary dump of the packet:
    0000: 08 00 20 00 09 00 00 00 : 08 00 00 00 08 00 45 00 | .. ...........E.
    0010: 00 30 BF 9D 40 00 80 06 : 7C BA C0 A8 1F 0D C0 A8 | .0..@...|.......
    0020: 1E 12 0B 82 0A 26 24 D6 : AD 83 00 00 00 00 70 02 | .....&$.......p.
    0030: 40 00 9D 61 00 00 02 04 : 05 00 01 01 04 02 0D BF | @..a............
    0040: 54 48 9E 7D 61 F8 44 78 : 92 C1 A2 0A | TH.}a.Dx....
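To see what the capture actually contains, here is an added decoder (not from the thread) that rebuilds the frame from the hex dump above, parses the Ethernet, IPv4 and TCP headers and verifies both checksums; the addresses and ports it recovers are the inner, pre-encapsulation ones (192.168.31.13 to 192.168.30.18, port 2598), which is the point UkWizard makes in the next reply about what a trace on the physical link would show instead.

```python
import struct

# Constructed from the hex dump quoted in the post above (76-byte frame, Citrix ICA SYN).
HEX_DUMP = """
0000: 08 00 20 00 09 00 00 00 : 08 00 00 00 08 00 45 00 | .. ...........E.
0010: 00 30 BF 9D 40 00 80 06 : 7C BA C0 A8 1F 0D C0 A8 | .0..@...|.......
0020: 1E 12 0B 82 0A 26 24 D6 : AD 83 00 00 00 00 70 02 | .....&$.......p.
0030: 40 00 9D 61 00 00 02 04 : 05 00 01 01 04 02 0D BF | @..a............
0040: 54 48 9E 7D 61 F8 44 78 : 92 C1 A2 0A | TH.}a.Dx....
"""

def dump_to_bytes(dump):
    """Turn 'offset: xx xx : xx xx | ascii' lines back into the raw frame bytes."""
    raw = bytearray()
    for line in dump.strip().splitlines():
        hexpart = line.split(":", 1)[1].split("|", 1)[0]   # drop offset and ASCII column
        raw += bytes.fromhex(hexpart.replace(":", "").replace(" ", ""))
    return bytes(raw)

def rfc1071_checksum(data):
    """Ones-complement sum of 16-bit words; 0 when data includes a valid stored checksum."""
    data = data + b"\x00" * (len(data) % 2)             # pad an odd trailing byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode_frame(frame):
    """Decode Ethernet II + IPv4 + TCP headers and verify both checksums."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    ip = ip[:struct.unpack("!H", ip[2:4])[0]]           # trim capture trailer past IP total length
    src, dst, tcp = ip[12:16], ip[16:20], ip[ihl:]
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    pseudo = src + dst + struct.pack("!BBH", 0, ip[9], len(tcp))   # TCP pseudo-header
    opts, mss, i = tcp[20:(off_flags >> 12) * 4], None, 0
    while i < len(opts) and opts[i] != 0:               # walk options; kind 0 ends the list
        if opts[i] == 1:                                # NOP has no length byte
            i += 1
            continue
        if opts[i] == 2:                                # MSS option: kind, len, 16-bit value
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "sport": sport, "dport": dport, "seq": seq, "syn": bool(off_flags & 0x02),
            "mss": mss, "ip_csum_ok": rfc1071_checksum(ip[:ihl]) == 0,
            "tcp_csum_ok": rfc1071_checksum(pseudo + tcp) == 0}
```

The SYN advertises an MSS of 1280 (option bytes 02 04 05 00), well below the 1460 of a plain Ethernet path, which is consistent with the VPN adapter's reduced MTU and worth bearing in mind for the MTU and fragmentation suggestion made later in the thread.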
    UkWizard
    New Member
    March 12, 2008
    I cannot see any reason this wouldn't work, except if the VPN client isn't encapsulating the traffic properly (the NAT-traversal option). Sorry, it's a mystery. My last resort would be to check MTU settings, as perhaps fragmentation caused in the path to the remote end is splitting the frames and the remote VPN doesn't like it. On that packet trace, how do you know that it never reaches the Fortinet? Remember that it will be encapsulated, and thus you will only see traffic from that client IP to the remote firewall (VPN termination point). Cannot remember if it's mentioned previously, but try a dedicated outbound rule for this client IP address and put it at the top of the rulebase, like:
        Source: Client IP
        Service: Any
        Dest: All
        NAT: Enabled
        Protection Profile: None
    and see if it works then.
    rwpatterson
    New Member
    March 13, 2008
    What service are you using? Built-in or custom? If custom, make sure the source port range is 1-65535, not 2598-2598!
    UkWizard
    New Member
    March 13, 2008
    What service are you using? Built-in or custom? If custom, make sure the source port range is 1-65535, not 2598-2598!
    It's traffic down a VPN, so the Fortinet won't even have any control over the Citrix traffic anyway. It will just see a VPN connection.