Support Forum
Not applicable

Cannot access Citrix Server using VPN

I have a client who connects to another company using VPN (Cisco). After connecting she gets an IP address on their network (192.168.30.18), and now she wants to connect to a Citrix server on IP 192.168.30.31, but she is not able to do that. We are using a FortiGate 60B, MR5. She can connect using another gateway (other than the FortiGate 60B). Please help.
MasterBratac
Contributor

Are you using interface mode? Sounds like a missing static route or firewall policy...
UkWizard
New Contributor

If this is a client-to-site VPN travelling through the Fortinet, I cannot see how the Fortinet could be causing the issue. Check you have NAT traversal enabled in the Cisco VPN client config. Else, the only other thing it could be would be your local IP subnet clashing with the remote VPN subnet, i.e. you are using one of the following local subnets on your LAN: 192.168.30.0/255.255.255.0, 192.168.0.0/255.255.0.0 or 192.0.0.0/255.0.0.0. Thus it would get routed via the local connection, as opposed to down the VPN.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
Not applicable

Thank you MasterBratac and UkWizard, I think it is a missing policy or static route. Just another thing I have come across which might be helpful: we have a VoIP ATA which is able to make calls out without any problem, but when someone calls we cannot hear the other side, and the other person cannot hear me either. I am using the 192.168.1.0 subnet on our local network, so not really a route problem. Thanks in advance guys! Regards, "V"
UkWizard
New Contributor

I am using 192.168.1.0 subnet on our local network so not really a route problem.
Do you definitely use the 255.255.255.0 mask then? It's worth checking, just in case, as there is no technical reason why you cannot use 192.168.1.x with a 255.255.0.0 mask...
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
Not applicable

Hi UkWizard, thanks for the valuable information. Now I have some more info which might help:
1. The reason why I am not able to connect is "the packets are not crossing the firewall".
Client's address: 192.168.1.31/255.255.255.0
Default gateway: 192.168.1.99 (FortiGate unit)
The client connects to VPN server 165.210.61.10 using the WatchGuard VPN client and is assigned the IP address 192.168.30.31/255.255.255.0.
Now the client connects to the Citrix server at 192.168.30.17 using the Citrix ICA client, and an error message comes up saying there is NO server running on that IP address.
I checked the FortiGate logs; there is no entry for the packets being blocked. Please help.
Not applicable

Further, please find the route print for working and non-working:

WORKING
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x80002 ...00 19 d1 74 e5 a6 ...... Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
0xf0004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.123      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.123   192.168.1.123      20
    192.168.1.123  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.1.255  255.255.255.255    192.168.1.123   192.168.1.123      20
     192.168.30.0    255.255.255.0    192.168.31.10   192.168.31.10       1
     192.168.31.0    255.255.255.0    192.168.31.10   192.168.31.10       1
    192.168.31.10  255.255.255.255        127.0.0.1       127.0.0.1      50
   192.168.31.255  255.255.255.255    192.168.31.10   192.168.31.10      50
    193.168.31.10  255.255.255.255    192.168.31.10   192.168.31.10       1
        224.0.0.0        240.0.0.0    192.168.1.123   192.168.1.123      20
        224.0.0.0        240.0.0.0    192.168.31.10   192.168.31.10      50
  255.255.255.255  255.255.255.255    192.168.1.123   192.168.1.123       1
  255.255.255.255  255.255.255.255    192.168.31.10   192.168.31.10       1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
None

NOT WORKING
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x80002 ...00 19 d1 74 e5 a6 ...... Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
0x110004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.1.99   192.168.1.123      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.123   192.168.1.123      20
    192.168.1.123  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.1.255  255.255.255.255    192.168.1.123   192.168.1.123      20
     192.168.30.0    255.255.255.0    192.168.31.13   192.168.31.13       1
     192.168.31.0    255.255.255.0    192.168.31.13   192.168.31.13       1
    192.168.31.13  255.255.255.255        127.0.0.1       127.0.0.1      50
   192.168.31.255  255.255.255.255    192.168.31.13   192.168.31.13      50
    193.168.31.13  255.255.255.255    192.168.31.13   192.168.31.13       1
        224.0.0.0        240.0.0.0    192.168.1.123   192.168.1.123      20
        224.0.0.0        240.0.0.0    192.168.31.13   192.168.31.13      50
  255.255.255.255  255.255.255.255    192.168.1.123   192.168.1.123       1
  255.255.255.255  255.255.255.255    192.168.31.13   192.168.31.13       1
Default Gateway:      192.168.1.99
===========================================================================
Persistent Routes:
None
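As an added example (not from this thread, and not Fortinet's or Microsoft's code), here is a small Python script that parses the Active Routes tables exactly as posted (it tokenises the text, so the flattened one-line form parses as well), picks the route the client would use for the Citrix server and for the VPN server by longest-prefix match, diffs the two dumps, and includes the subnet-overlap check UkWizard describes earlier in the thread. The destinations used are 192.168.30.17 (the Citrix server in the previous post) and 165.210.61.10 (the VPN server); the NOT WORKING table is derived from the WORKING one because the two differ only in the default gateway and the VPN adapter address.

```python
import ipaddress
import re
from typing import NamedTuple

# Constructed from the two `route print` dumps in the post above: the WORKING
# Active Routes table verbatim (line breaks restored for readability only; the
# parser does not rely on them), and the NOT WORKING table derived from it,
# since the two differ only in the default gateway (192.168.1.1 versus the
# FortiGate at 192.168.1.99) and the VPN adapter address (.10 versus .13).
WORKING = """
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.123      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.123   192.168.1.123      20
    192.168.1.123  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.1.255  255.255.255.255    192.168.1.123   192.168.1.123      20
     192.168.30.0    255.255.255.0    192.168.31.10   192.168.31.10       1
     192.168.31.0    255.255.255.0    192.168.31.10   192.168.31.10       1
    192.168.31.10  255.255.255.255        127.0.0.1       127.0.0.1      50
   192.168.31.255  255.255.255.255    192.168.31.10   192.168.31.10      50
    193.168.31.10  255.255.255.255    192.168.31.10   192.168.31.10       1
        224.0.0.0        240.0.0.0    192.168.1.123   192.168.1.123      20
        224.0.0.0        240.0.0.0    192.168.31.10   192.168.31.10      50
  255.255.255.255  255.255.255.255    192.168.1.123   192.168.1.123       1
  255.255.255.255  255.255.255.255    192.168.31.10   192.168.31.10       1
Default Gateway:       192.168.1.1
"""
NOT_WORKING = re.sub(r"192\.168\.1\.1\b", "192.168.1.99",
                     WORKING.replace("192.168.31.10", "192.168.31.13")
                            .replace("193.168.31.10", "193.168.31.13"))


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str
    interface: str
    metric: int


def _is_quad(tok: str) -> bool:
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def parse_route_print(text: str) -> list[Route]:
    """Return the Active Routes rows of a Windows `route print` dump.
    Rows are recognised as four dotted quads plus a metric following the
    'Metric' header token, so the flattened one-line form parses too."""
    toks = text.split()
    i = toks.index("Metric") + 1
    routes: list[Route] = []
    while i + 4 < len(toks) and all(map(_is_quad, toks[i:i + 4])) and toks[i + 4].isdigit():
        dest, mask, gw, ifc, metric = toks[i:i + 5]
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append(Route(net, gw, ifc, int(metric)))
        i += 5
    return routes


def lookup(routes: list[Route], dst: str) -> Route:
    """Route selection as Windows does it: longest prefix first, then lowest metric."""
    addr = ipaddress.IPv4Address(dst)
    hits = [r for r in routes if addr in r.network]
    return max(hits, key=lambda r: (r.network.prefixlen, -r.metric))


def subnet_clash(lan: str, vpn: str) -> bool:
    """UkWizard's check: does the local LAN subnet overlap the subnet reached via the VPN?"""
    return ipaddress.IPv4Network(lan).overlaps(ipaddress.IPv4Network(vpn))


def diff_routes(a: list[Route], b: list[Route]) -> tuple[list[Route], list[Route]]:
    """Rows only in a and rows only in b; the tables are small, so a set diff is enough."""
    sa, sb = set(a), set(b)
    return sorted(sa - sb, key=str), sorted(sb - sa, key=str)


if __name__ == "__main__":
    for name, dump in (("WORKING", WORKING), ("NOT WORKING", NOT_WORKING)):
        table = parse_route_print(dump)
        for dst in ("192.168.30.17", "165.210.61.10"):   # Citrix server, VPN server
            r = lookup(table, dst)
            print(f"{name}: {dst} -> {r.network} via {r.gateway} on {r.interface}")
    only_w, only_nw = diff_routes(parse_route_print(WORKING), parse_route_print(NOT_WORKING))
    print(f"{len(only_w)} rows differ between the two dumps")
    for lan in ("192.168.1.0/24", "192.168.0.0/16", "192.0.0.0/8"):
        print(f"LAN {lan} overlaps VPN 192.168.30.0/24: {subnet_clash(lan, '192.168.30.0/24')}")
```

Run as a script, it shows that in both dumps 192.168.30.17 matches the 192.168.30.0/24 route on the WAN (PPP/SLIP) adapter, while 165.210.61.10 matches only the default route, so the FortiGate at 192.168.1.99 is on the path only for the client's traffic to the VPN server. The eight rows that differ are exactly the default gateway and the VPN adapter address. The overlap check only flags an overlap; which route actually wins in a given table is what lookup() tells you.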
Not applicable

Hi UkWizard, I have captured the TCP packet which never reaches the FortiGate 60B, and here it is:

File Version : 10.200.2650.0
File Description : Citrix ICA Client Engine (Win32) (wfica32.exe)
File Path : C:\Program Files\Citrix\ICA Client\wfica32.exe
Process ID : 0xF34 (Heximal) 3892 (Decimal)
Connection origin : local initiated
Protocol : TCP
Local Address : 192.168.31.13
Local Port : 2946
Remote Name : cs04.craigmostyn.com.au
Remote Address : 192.168.30.18
Remote Port : 2598 (CITRIXIMACLIENT - Citrix MA Client)

Ethernet packet details:
Ethernet II (Packet Length: 76)
  Destination: 08-00-20-00-09-00
  Source: 00-00-08-00-00-00
  Type: IP (0x0800)
Internet Protocol
  Version: 4
  Header Length: 20 bytes
  Flags:
    .1.. = Don't fragment: Set
    ..0. = More fragments: Not set
  Fragment offset: 0
  Time to live: 128
  Protocol: 0x6 (TCP - Transmission Control Protocol)
  Header checksum: 0xba7c (Correct)
  Source: 192.168.31.13
  Destination: 192.168.30.18
Transmission Control Protocol (TCP)
  Source port: 2946
  Destination port: 2598
  Sequence number: 618048899
  Acknowledgment number: 0
  Header length: 28
  Flags:
    0... .... = Congestion Window Reduce (CWR): Not set
    .0.. .... = ECN-Echo: Not set
    ..0. .... = Urgent: Not set
    ...0 .... = Acknowledgment: Not set
    .... 0... = Push: Not set
    .... .0.. = Reset: Not set
    .... ..1. = Syn: Set
    .... ...0 = Fin: Not set
  Checksum: 0x619d (Correct)
  Data (0 Bytes)
Binary dump of the packet:
0000: 08 00 20 00 09 00 00 00 : 08 00 00 00 08 00 45 00 | .. ...........E.
0010: 00 30 BF 9D 40 00 80 06 : 7C BA C0 A8 1F 0D C0 A8 | .0..@...|.......
0020: 1E 12 0B 82 0A 26 24 D6 : AD 83 00 00 00 00 70 02 | .....&$.......p.
0030: 40 00 9D 61 00 00 02 04 : 05 00 01 01 04 02 0D BF | @..a............
0040: 54 48 9E 7D 61 F8 44 78 : 92 C1 A2 0A             | TH.}a.Dx....
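As an added example, not from the thread or from the capture tool, the following Python decodes that binary dump into its Ethernet, IPv4 and TCP fields and recomputes both checksums from the bytes, which is the quickest way to confirm a pasted capture is intact before reasoning about it. Everything it needs is in the dump above; both checksums verify against the bytes (7C BA and 9D 61, which the tool's summary prints byte-swapped as 0xba7c and 0x619d).

```python
import ipaddress
import struct

# Constructed: the binary dump from the post above with the offsets and the
# ASCII gutter stripped (76 bytes, matching the stated packet length).
FRAME = bytes.fromhex(
    "08 00 20 00 09 00 00 00 08 00 00 00 08 00 45 00 "
    "00 30 BF 9D 40 00 80 06 7C BA C0 A8 1F 0D C0 A8 "
    "1E 12 0B 82 0A 26 24 D6 AD 83 00 00 00 00 70 02 "
    "40 00 9D 61 00 00 02 04 05 00 01 01 04 02 0D BF "
    "54 48 9E 7D 61 F8 44 78 92 C1 A2 0A"
)

TCP_SYN = 0x02


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 sum of 16-bit big-endian words with end-around carry.
    A header whose checksum field is intact sums to 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def parse_tcp_options(raw: bytes) -> dict:
    """Kind 0 ends the list, kind 1 is a one-byte NOP, everything else is TLV."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        length = raw[i + 1]
        value = raw[i + 2:i + length]
        if kind == 2:
            opts["mss"] = struct.unpack("!H", value)[0]
        elif kind == 4:
            opts["sack_permitted"] = True
        else:
            opts[f"kind{kind}"] = value.hex()
        i += length
    return opts


def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet II / IPv4 / TCP and verify both header checksums."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    (vihl, _tos, total_len, _ident, frag, ttl, proto,
     ip_cksum, sip, dip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4
    if proto != 6:
        raise ValueError(f"not TCP: protocol {proto}")
    segment = ip[ihl:total_len]            # bytes past total_len are a trailer, not data
    (sport, dport, seq, _ack, off_flags, window,
     tcp_cksum, _urg) = struct.unpack("!HHIIHHHH", segment[:20])
    data_off = (off_flags >> 12) * 4
    # The TCP checksum covers a pseudo-header (addresses, protocol, TCP length) plus the segment.
    pseudo = struct.pack("!4s4sBBH", sip, dip, 0, proto, len(segment))
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": str(ipaddress.IPv4Address(sip)), "dst_ip": str(ipaddress.IPv4Address(dip)),
        "ttl": ttl, "dont_fragment": bool(frag & 0x4000),
        "ip_checksum": ip_cksum, "ip_checksum_ok": ones_complement_sum(ip[:ihl]) == 0xFFFF,
        "src_port": sport, "dst_port": dport, "seq": seq,
        "flags": off_flags & 0x01FF, "window": window,
        "tcp_checksum": tcp_cksum, "tcp_checksum_ok": ones_complement_sum(pseudo + segment) == 0xFFFF,
        "options": parse_tcp_options(segment[20:data_off]),
        "payload_len": len(segment) - data_off,
        "trailer_len": len(ip) - total_len,
    }


if __name__ == "__main__":
    p = decode_frame(FRAME)
    for k, v in p.items():
        print(f"{k:16} {v:#06x}" if k.endswith("checksum") else f"{k:16} {v}")
    print("plain SYN:", p["flags"] == TCP_SYN)
```

The decode gives a bare SYN from 192.168.31.13:2946 to 192.168.30.18:2598 with DF set, MSS 1280, SACK permitted and no payload, followed by 14 bytes beyond the IP total length that are a trailer rather than data. The DF bit and the MSS are the two fields to look at whenever path MTU or fragmentation is suspected. A capture taken at the ICA client process shows what the application handed to the stack, not what left the physical NIC.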
UkWizard
New Contributor

I cannot see any reason this wouldn't work, except if the VPN client isn't encapsulating the traffic properly (the NAT traversal option). Sorry, it's a mystery. My last resort would be to check MTU settings, as perhaps fragmentation caused in the path to the remote end is splitting the frames and the remote VPN doesn't like it. On that packet trace, how do you know that it never reaches the Fortinet? Remember that it will be encapsulated, and thus you will only see traffic from that client IP to the remote firewall (VPN termination point). Cannot remember if it's mentioned previously, but try a dedicated outbound rule for this client IP address and put it at the top of the rulebase, like:
Source: Client IP
Service: Any
Dest: All
NAT: Enabled
Protection Profile: None
and see if it works then.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
rwpatterson
Valued Contributor III

What service are you using? Built-in or custom? If custom, make sure the source port range is 1-65535, not 2598-2598!

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
