Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- RE: Can not access Citrix Server using VPN
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on ‎03-09-2008 06:32 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can not access Citrix Server using VPN
I have a client who connects to another company using VPN (Cisco). After connecting she gets an IP address of their network (192.168.30.18) and now she wants to connect to a Citrix Server on IP 192.168.30.31 but she is not able to do that. We are using FortiGate 60B. MR5.
She can connect using another gateway (other than Fortigate60B).
Please help.
11 REPLIES 11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you using interface mode ? Sounds like a missing static route or firewall policy ...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If this is a client to site vpn travelling through the fortinet, i cannot see how the fortinet could be causing the issue.
Check you have nat-traversal enabled on the cisco vpn client config.
Else, the only other thing it could be would be your local IP subnet clashing with the remote vpn subnet,
ie, you are using one of the following local subnets on your lan;
192.168.30.0/255.255.255.0
192.168.0.0/255.255.0.0
192.0.0.0/255.0.0.0
thus it would get routed via the local connection, as opposed to down the vpn.
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising
in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT
experience.
Not applicable
Created on ‎03-10-2008 03:04 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you MasterBratac and UKWizard,
I think it is a missing policy or static route. Just another thing I have come across which might be helpful is:
We have a VOIP ATA which is able to make calls out without any problem but when someone calls we cannot listen to the other side. And the other side person can also not hear me.
I am using 192.168.1.0 subnet on our local network so not really a route problem.
Thanks in advance guys!
Regards,
" V"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am using 192.168.1.0 subnet on our local network so not really a route problem.Do you definately use the 255.255.255.0 mask then? its worth checking, just in case. as their is no technical reason why you cannot use 192.168.1.x with a 255.255.0.0 mask....
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising
in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT
experience.
Not applicable
Created on ‎03-11-2008 05:36 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi UKWizard,
Thanks for the valuable information. Now I have some more info which might help:
1. The reason why I am not able to connect is " The packets are not crossing the firewall"
Clients Address : 192.168.1.31/255.255.255.0 Default Gateway: 192.168.1.99 (fortigate Unit)
Client connects to VPN Server 165.210.61.10 using Watchguard VPN client it is assigned an IP address : 192.168.30.31/255.255.255.0
Now client connects to Citrix Server using Citrix ICA Client to 192.168.30.17 and error message comes up saying there is NO server running on that IP Address.
Checked the Fortigate Logs, there is no entry for the packets to be blocked.
Please Help.
Not applicable
Created on ‎03-11-2008 08:17 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Further please find RoutePrint for Working and Non Working
WORKING
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x80002 ...00 19 d1 74 e5 a6 ...... Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
0xf0004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.123 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.123 192.168.1.123 20
192.168.1.123 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.123 192.168.1.123 20
192.168.30.0 255.255.255.0 192.168.31.10 192.168.31.10 1
192.168.31.0 255.255.255.0 192.168.31.10 192.168.31.10 1
192.168.31.10 255.255.255.255 127.0.0.1 127.0.0.1 50
192.168.31.255 255.255.255.255 192.168.31.10 192.168.31.10 50
193.168.31.10 255.255.255.255 192.168.31.10 192.168.31.10 1
224.0.0.0 240.0.0.0 192.168.1.123 192.168.1.123 20
224.0.0.0 240.0.0.0 192.168.31.10 192.168.31.10 50
255.255.255.255 255.255.255.255 192.168.1.123 192.168.1.123 1
255.255.255.255 255.255.255.255 192.168.31.10 192.168.31.10 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None
NOT WORKING
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x80002 ...00 19 d1 74 e5 a6 ...... Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
0x110004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.99 192.168.1.123 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.123 192.168.1.123 20
192.168.1.123 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.123 192.168.1.123 20
192.168.30.0 255.255.255.0 192.168.31.13 192.168.31.13 1
192.168.31.0 255.255.255.0 192.168.31.13 192.168.31.13 1
192.168.31.13 255.255.255.255 127.0.0.1 127.0.0.1 50
192.168.31.255 255.255.255.255 192.168.31.13 192.168.31.13 50
193.168.31.13 255.255.255.255 192.168.31.13 192.168.31.13 1
224.0.0.0 240.0.0.0 192.168.1.123 192.168.1.123 20
224.0.0.0 240.0.0.0 192.168.31.13 192.168.31.13 50
255.255.255.255 255.255.255.255 192.168.1.123 192.168.1.123 1
255.255.255.255 255.255.255.255 192.168.31.13 192.168.31.13 1
Default Gateway: 192.168.1.99
===========================================================================
Persistent Routes:
None
Not applicable
Created on ‎03-11-2008 08:52 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi UkWizard,
I have captured the TCP Packet which never reaches to the Fortigate60B and here it is:
File Version : 10.200.2650.0
File Description : Citrix ICA Client Engine (Win32) (wfica32.exe)
File Path : C:\Program Files\Citrix\ICA Client\wfica32.exe
Process ID : 0xF34 (Heximal) 3892 (Decimal)
Connection origin : local initiated
Protocol : TCP
Local Address : 192.168.31.13
Local Port : 2946
Remote Name : cs04.craigmostyn.com.au
Remote Address : 192.168.30.18
Remote Port : 2598 (CITRIXIMACLIENT - Citrix MA Client)
Ethernet packet details:
Ethernet II (Packet Length: 76)
Destination: 08-00-20-00-09-00
Source: 00-00-08-00-00-00
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.1.. = Don' t fragment: Set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 128
Protocol: 0x6 (TCP - Transmission Control Protocol)
Header checksum: 0xba7c (Correct)
Source: 192.168.31.13
Destination: 192.168.30.18
Transmission Control Protocol (TCP)
Source port: 2946
Destination port: 2598
Sequence number: 618048899
Acknowledgment number: 0
Header length: 28
Flags:
0... .... = Congestion Window Reduce (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Checksum: 0x619d (Correct)
Data (0 Bytes)
Binary dump of the packet:
0000: 08 00 20 00 09 00 00 00 : 08 00 00 00 08 00 45 00 | .. ...........E.
0010: 00 30 BF 9D 40 00 80 06 : 7C BA C0 A8 1F 0D C0 A8 | .0..@...|.......
0020: 1E 12 0B 82 0A 26 24 D6 : AD 83 00 00 00 00 70 02 | .....&$.......p.
0030: 40 00 9D 61 00 00 02 04 : 05 00 01 01 04 02 0D BF | @..a............
0040: 54 48 9E 7D 61 F8 44 78 : 92 C1 A2 0A | TH.}a.Dx....
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I cannot see any reason this wouldnt work, except if the vpn client isnt encapsulating the traffic properly (the nat-traversal option)
sorry, its a mystery.
My last resort would be to check MTU settings, as perhaps fragmentation caused in the path to the remote end is splitting the framss and the remote VPN doesnt like it.
On that packet trace, how do you know that it never reaches the fortinet? remember that it will be encapsulated, and thus you will only see traffic from that client IP to the remote firewall (VPN termination point).
Cannot remember if its mentioned previously, but try a dedicated outbound rule for this client ip address and put it at the top of the rulebase. like;
Source: CLient IP
Service: Any
Dest: All
Nat: Enabled
Protection Profile: None
and see if it works then.
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising
in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT
experience.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What service are you using? Built in or custom? If custom, make sure source port range is 1-65535, not 2598-2598!
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Labels
-
FortiGate
10,496 -
FortiClient
2,130 -
FortiManager
883 -
5.2
687 -
FortiAnalyzer
673 -
5.4
638 -
FortiSwitch
575 -
FortiAP
557 -
FortiClient EMS
551 -
6.0
416 -
IPsec
406 -
FortiMail
371 -
SSL-VPN
371 -
5.6
362 -
FortiNAC
277 -
6.2
251 -
FortiWeb
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
190 -
FortiAuthenticator
168 -
FortiGuard
159 -
5.0
152 -
Firewall policy
141 -
6.4
128 -
FortiGate-VM
124 -
FortiCloud Products
116 -
FortiGateCloud
112 -
FortiSIEM
111 -
FortiToken
110 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
83 -
FortiProxy
77 -
ZTNA
75 -
Routing
72 -
DNS
71 -
SAML
70 -
VLAN
70 -
Fortivoice
69 -
FortiEDR
68 -
FortiADC
67 -
BGP
67 -
Authentication
65 -
Certificate
62 -
RADIUS
58 -
LDAP
57 -
SSO
54 -
FortiSandbox
53 -
FortiLink
53 -
FortiExtender
51 -
NAT
51 -
4.0MR3
49 -
VDOM
44 -
Application control
44 -
FortiDNS
43 -
Interface
42 -
Logging
40 -
Virtual IP
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
35 -
SSL SSH inspection
35 -
Web profile
35 -
FortiConnect
34 -
Automation
32 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
SNMP
25 -
SSID
25 -
Static route
25 -
Traffic shaping
24 -
API
24 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
OSPF
20 -
WAN optimization
20 -
FortiMonitor
19 -
Security profile
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSOAR
17 -
Web rating
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
NAC policy
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
FortiRecorder
11 -
Users
11 -
Port policy
11 -
FortiDeceptor
10 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Trunk
10 -
Traffic shaping profile
10 -
Authentication rule and scheme
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
lacework
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2538 | |
| 1351 | |
| 795 | |
| 642 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.