
Created on 03-09-2008 06:32 PM
Cannot access Citrix Server using VPN
I have a client who connects to another company using VPN (Cisco). After connecting she gets an IP address on their network (192.168.30.18), and now she wants to connect to a Citrix Server on IP 192.168.30.31, but she is not able to do that. We are using a FortiGate 60B, MR5.
She can connect using another gateway (other than the FortiGate 60B).
Please help.
11 REPLIES
Are you using interface mode? Sounds like a missing static route or firewall policy...
If this is a client-to-site VPN travelling through the Fortinet, I cannot see how the Fortinet could be causing the issue.
Check you have NAT traversal enabled in the Cisco VPN client config.
Else, the only other thing it could be would be your local IP subnet clashing with the remote VPN subnet,
i.e. you are using one of the following local subnets on your LAN:
192.168.30.0/255.255.255.0
192.168.0.0/255.255.0.0
192.0.0.0/255.0.0.0
thus it would get routed via the local connection, as opposed to down the VPN.
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.

Created on 03-10-2008 03:04 PM
Thank you MasterBratac and UKWizard,
I think it is a missing policy or static route. Just another thing I have come across which might be helpful:
We have a VoIP ATA which is able to make calls out without any problem, but when someone calls us we cannot hear the other side, and the other person cannot hear me either.
I am using the 192.168.1.0 subnet on our local network, so it is not really a route problem.
Thanks in advance, guys!
Regards,
"V"
"I am using the 192.168.1.0 subnet on our local network, so it is not really a route problem."
Do you definitely use the 255.255.255.0 mask then? It's worth checking, just in case, as there is no technical reason why you cannot use 192.168.1.x with a 255.255.0.0 mask...
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.

Created on 03-11-2008 05:36 PM
Hi UKWizard,
Thanks for the valuable information. Now I have some more info which might help:
1. The reason why I am not able to connect is "The packets are not crossing the firewall".
Client's address: 192.168.1.31/255.255.255.0, default gateway: 192.168.1.99 (FortiGate unit).
The client connects to VPN server 165.210.61.10 using the WatchGuard VPN client and is assigned the IP address 192.168.30.31/255.255.255.0.
Now the client connects to the Citrix Server at 192.168.30.17 using the Citrix ICA client, and an error message comes up saying there is NO server running on that IP address.
I checked the FortiGate logs; there is no entry for the packets being blocked.
Please help.

Created on 03-11-2008 08:17 PM
Further, please find the route print for the working and non-working machines:
WORKING
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x80002 ...00 19 d1 74 e5 a6 ...... Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
0xf0004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.123 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.123 192.168.1.123 20
192.168.1.123 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.123 192.168.1.123 20
192.168.30.0 255.255.255.0 192.168.31.10 192.168.31.10 1
192.168.31.0 255.255.255.0 192.168.31.10 192.168.31.10 1
192.168.31.10 255.255.255.255 127.0.0.1 127.0.0.1 50
192.168.31.255 255.255.255.255 192.168.31.10 192.168.31.10 50
193.168.31.10 255.255.255.255 192.168.31.10 192.168.31.10 1
224.0.0.0 240.0.0.0 192.168.1.123 192.168.1.123 20
224.0.0.0 240.0.0.0 192.168.31.10 192.168.31.10 50
255.255.255.255 255.255.255.255 192.168.1.123 192.168.1.123 1
255.255.255.255 255.255.255.255 192.168.31.10 192.168.31.10 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None
NOT WORKING
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x80002 ...00 19 d1 74 e5 a6 ...... Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
0x110004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.99 192.168.1.123 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.123 192.168.1.123 20
192.168.1.123 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.123 192.168.1.123 20
192.168.30.0 255.255.255.0 192.168.31.13 192.168.31.13 1
192.168.31.0 255.255.255.0 192.168.31.13 192.168.31.13 1
192.168.31.13 255.255.255.255 127.0.0.1 127.0.0.1 50
192.168.31.255 255.255.255.255 192.168.31.13 192.168.31.13 50
193.168.31.13 255.255.255.255 192.168.31.13 192.168.31.13 1
224.0.0.0 240.0.0.0 192.168.1.123 192.168.1.123 20
224.0.0.0 240.0.0.0 192.168.31.13 192.168.31.13 50
255.255.255.255 255.255.255.255 192.168.1.123 192.168.1.123 1
255.255.255.255 255.255.255.255 192.168.31.13 192.168.31.13 1
Default Gateway: 192.168.1.99
===========================================================================
Persistent Routes:
None
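To make the two listings above easier to compare, here is an added example (not code from the thread) that parses Windows `route print` rows, performs the longest-prefix lookup the host would do for the Citrix address, and applies the subnet-clash check UKWizard described earlier: a LAN mask wider than /24 (such as 255.255.0.0) would overlap 192.168.30.0/24 and keep that traffic on the local link instead of the VPN adapter. The route rows are copied from the post above, trimmed to the Active Routes section; the lookup targets (192.168.30.18, 165.210.61.10) are the addresses already named in the thread.

```python
"""Longest-prefix route lookup over Windows 'route print' output.

Added example, not code from the thread. Route rows are copied from the
WORKING / NOT WORKING listings above; overlap() is the subnet-clash test.
"""
import ipaddress
import re

# Copied from the "Active Routes" sections of the post above (trimmed).
WORKING = """
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.123 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.123 192.168.1.123 20
192.168.1.123 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.123 192.168.1.123 20
192.168.30.0 255.255.255.0 192.168.31.10 192.168.31.10 1
192.168.31.0 255.255.255.0 192.168.31.10 192.168.31.10 1
192.168.31.10 255.255.255.255 127.0.0.1 127.0.0.1 50
224.0.0.0 240.0.0.0 192.168.1.123 192.168.1.123 20
255.255.255.255 255.255.255.255 192.168.1.123 192.168.1.123 1
"""

NOT_WORKING = """
0.0.0.0 0.0.0.0 192.168.1.99 192.168.1.123 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.123 192.168.1.123 20
192.168.1.123 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.123 192.168.1.123 20
192.168.30.0 255.255.255.0 192.168.31.13 192.168.31.13 1
192.168.31.0 255.255.255.0 192.168.31.13 192.168.31.13 1
192.168.31.13 255.255.255.255 127.0.0.1 127.0.0.1 50
224.0.0.0 240.0.0.0 192.168.1.123 192.168.1.123 20
255.255.255.255 255.255.255.255 192.168.1.123 192.168.1.123 1
"""

# destination  netmask  gateway  interface  metric
ROW_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_routes(text):
    """Return a list of route dicts; header and separator lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        dest, mask, gw, iface, metric = m.groups()
        try:
            network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            routes.append({
                "network": network,
                "gateway": ipaddress.IPv4Address(gw),
                "interface": ipaddress.IPv4Address(iface),
                "metric": int(metric),
            })
        except ValueError:
            continue  # not an IPv4 row (e.g. the column header)
    return routes


def lookup(routes, destination):
    """Pick the route Windows would use: longest prefix, then lowest metric."""
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if dst in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def overlaps(local_cidr, remote_cidr):
    """True if a LAN subnet (given as address/mask) would swallow the VPN subnet."""
    local = ipaddress.IPv4Network(local_cidr, strict=False)
    remote = ipaddress.IPv4Network(remote_cidr, strict=False)
    return local.overlaps(remote)


if __name__ == "__main__":
    for name, table in (("WORKING", WORKING), ("NOT WORKING", NOT_WORKING)):
        routes = parse_routes(table)
        for target in ("192.168.30.18", "165.210.61.10"):
            r = lookup(routes, target)
            print(f"{name}: {target} -> {r['network']} via {r['gateway']} on {r['interface']}")
    print("clash with /24 LAN:", overlaps("192.168.1.0/255.255.255.0", "192.168.30.0/24"))
    print("clash with /16 LAN:", overlaps("192.168.1.0/255.255.0.0", "192.168.30.0/24"))
```

Running it shows that both hosts send 192.168.30.0/24 to the VPN adapter (192.168.31.10 on the working box, 192.168.31.13 on the non-working one), so the host routing table is not where the two differ. The visible difference is the default gateway, 192.168.1.1 versus 192.168.1.99 (the FortiGate), which is the path the encapsulated traffic to the VPN endpoint 165.210.61.10 takes; with a /24 LAN mask there is no overlap with the VPN subnet, while a /16 mask would produce the clash UKWizard warned about.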

Created on 03-11-2008 08:52 PM
Hi UKWizard,
I have captured the TCP packet, which never reaches the FortiGate 60B, and here it is:
File Version : 10.200.2650.0
File Description : Citrix ICA Client Engine (Win32) (wfica32.exe)
File Path : C:\Program Files\Citrix\ICA Client\wfica32.exe
Process ID : 0xF34 (Heximal) 3892 (Decimal)
Connection origin : local initiated
Protocol : TCP
Local Address : 192.168.31.13
Local Port : 2946
Remote Name : cs04.craigmostyn.com.au
Remote Address : 192.168.30.18
Remote Port : 2598 (CITRIXIMACLIENT - Citrix MA Client)
Ethernet packet details:
Ethernet II (Packet Length: 76)
Destination: 08-00-20-00-09-00
Source: 00-00-08-00-00-00
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.1.. = Don' t fragment: Set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 128
Protocol: 0x6 (TCP - Transmission Control Protocol)
Header checksum: 0xba7c (Correct)
Source: 192.168.31.13
Destination: 192.168.30.18
Transmission Control Protocol (TCP)
Source port: 2946
Destination port: 2598
Sequence number: 618048899
Acknowledgment number: 0
Header length: 28
Flags:
0... .... = Congestion Window Reduce (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Checksum: 0x619d (Correct)
Data (0 Bytes)
Binary dump of the packet:
0000: 08 00 20 00 09 00 00 00 : 08 00 00 00 08 00 45 00 | .. ...........E.
0010: 00 30 BF 9D 40 00 80 06 : 7C BA C0 A8 1F 0D C0 A8 | .0..@...|.......
0020: 1E 12 0B 82 0A 26 24 D6 : AD 83 00 00 00 00 70 02 | .....&$.......p.
0030: 40 00 9D 61 00 00 02 04 : 05 00 01 01 04 02 0D BF | @..a............
0040: 54 48 9E 7D 61 F8 44 78 : 92 C1 A2 0A | TH.}a.Dx....
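The decoded fields the capture tool printed above can be checked directly against the binary dump. Below is an added example (not code from the thread) that parses the hex dump, decodes the Ethernet, IPv4 and TCP headers, lists the TCP options and recomputes both the IP and TCP checksums. The bytes are copied from the dump in the post; nothing else is assumed.

```python
"""Decode the hex dump from the capture above and verify its checksums.

Added example, not code from the thread. HEXDUMP is copied verbatim from
the 'Binary dump of the packet' section of the post.
"""
import ipaddress
import struct

HEXDUMP = """
0000: 08 00 20 00 09 00 00 00 : 08 00 00 00 08 00 45 00 | .. ...........E.
0010: 00 30 BF 9D 40 00 80 06 : 7C BA C0 A8 1F 0D C0 A8 | .0..@...|.......
0020: 1E 12 0B 82 0A 26 24 D6 : AD 83 00 00 00 00 70 02 | .....&$.......p.
0030: 40 00 9D 61 00 00 02 04 : 05 00 01 01 04 02 0D BF | @..a............
0040: 54 48 9E 7D 61 F8 44 78 : 92 C1 A2 0A | TH.}a.Dx....
"""

TCP_FLAGS = [("FIN", 0x001), ("SYN", 0x002), ("RST", 0x004), ("PSH", 0x008),
             ("ACK", 0x010), ("URG", 0x020), ("ECE", 0x040), ("CWR", 0x080)]


def parse_hexdump(text):
    """Turn 'offset: xx xx : xx xx | ascii' lines into raw bytes."""
    out = bytearray()
    for line in text.splitlines():
        if ":" not in line:
            continue
        hex_part = line.split(":", 1)[1].split("|", 1)[0]
        out.extend(int(tok, 16) for tok in hex_part.replace(":", " ").split())
    return bytes(out)


def internet_checksum(data):
    """RFC 1071 ones'-complement checksum; returns 0 for a correct header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_tcp_options(raw):
    """Walk the TCP option list (kind, length, value)."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:              # end of option list
            break
        if kind == 1:              # NOP padding
            i += 1
            continue
        length = raw[i + 1]
        value = raw[i + 2:i + length]
        if kind == 2:
            opts["mss"] = struct.unpack("!H", value)[0]
        elif kind == 4:
            opts["sack_permitted"] = True
        else:
            opts[f"kind_{kind}"] = value.hex()
        i += length
    return opts


def decode(frame):
    """Decode an Ethernet II / IPv4 / TCP frame into plain Python values."""
    eth_type = struct.unpack("!H", frame[12:14])[0]
    if eth_type != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, _ident, flags_frag = struct.unpack("!HHH", ip[2:8])
    ttl, proto = ip[8], ip[9]
    if proto != 6:
        raise ValueError("not TCP")
    src = ipaddress.IPv4Address(ip[12:16])
    dst = ipaddress.IPv4Address(ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    # TCP checksum covers a pseudo-header (src, dst, zero, proto, TCP length).
    pseudo = struct.pack("!4s4sBBH", src.packed, dst.packed, 0, proto, len(tcp))
    return {
        "src": str(src), "dst": str(dst), "ttl": ttl,
        "dont_fragment": bool(flags_frag & 0x4000),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [name for name, bit in TCP_FLAGS if off_flags & bit],
        "window": window,
        "options": parse_tcp_options(tcp[20:data_off]),
        "payload_len": len(tcp) - data_off,
        "ip_checksum_ok": internet_checksum(ip[:ihl]) == 0,
        "tcp_checksum_ok": internet_checksum(pseudo + tcp) == 0,
        "trailer_len": len(frame) - 14 - total_len,
    }


if __name__ == "__main__":
    for key, value in decode(parse_hexdump(HEXDUMP)).items():
        print(f"{key:16} {value}")
```

The decode agrees with the tool's summary: a SYN from 192.168.31.13:2946 to 192.168.30.18:2598, TTL 128, DF set, sequence number 618048899, and both checksums verify. Two details the summary does not show are the TCP options (MSS 1280 and SACK permitted) and the 14 bytes of trailer after the 48-byte IP packet; the IP checksum bytes in the dump are 7C BA, which the tool printed byte-swapped as 0xba7c.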
I cannot see any reason this wouldn't work, except if the VPN client isn't encapsulating the traffic properly (the NAT traversal option).
Sorry, it's a mystery.
My last resort would be to check MTU settings, as perhaps fragmentation somewhere in the path to the remote end is splitting the frames and the remote VPN doesn't like it.
On that packet trace, how do you know that it never reaches the Fortinet? Remember that it will be encapsulated, and thus you will only see traffic from that client IP to the remote firewall (VPN termination point).
Cannot remember if it's mentioned previously, but try a dedicated outbound rule for this client IP address and put it at the top of the rulebase, like:
Source: Client IP
Service: Any
Dest: All
NAT: Enabled
Protection Profile: None
and see if it works then.
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
What service are you using? Built in or custom? If custom, make sure source port range is 1-65535, not 2598-2598!
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
