VPN Issues

Having issues with a site to site vpn tunnel. We added another remote site and the tunnel comes up with no issues, only thing is, only 1 user at a time at the remote site is able to access the web interface of the citrix server to access resources. I can't find anything in the acl's that would be causing an issue on our end, any 'general' areas to focus on? It's driving me crazy!!

Find more posts tagged with

Comments

Edificer

Did you check the ASDM syslog output for any clues? What kind of error do you get when the second user tries to login?

GreaterNinja

Maybe its the Citrix setup only allowing 1 connection from remote site X? Or maybe it is your ACLs.

brewoz40

Heres the config on our end for access for the remote site, the remote site is controlled by the other companies IT:

object-group network TEST_SOLUTIONS
network-object host 192.168.102.10
network-object host 192.168.102.14
network-object host 192.168.102.15
network-object host 192.168.102.19
network-object host 192.168.102.21
network-object host 192.168.102.22
network-object host 192.168.102.27
network-object host 192.168.102.51
network-object host 192.168.102.48
network-object host 192.168.102.87
network-object host 192.168.102.12
network-object host 192.168.102.71
network-object host 192.168.102.246
network-object host 192.168.102.129
network-object host 192.168.102.201
network-object host 192.168.102.53
network-object host 192.168.102.84
network-object host 192.168.102.120
network-object host 192.168.102.136
network-object host 192.168.102.132
network-object host 192.168.102.113
network-object host 192.168.102.200
network-object host 192.168.102.60
network-object host 192.168.102.137
network-object host 192.168.102.28
network-object host 192.168.102.106
network-object host 192.168.102.11
network-object host 192.168.102.165
network-object host 192.168.102.174
network-object host 192.168.102.179
network-object host 192.168.102.180
network-object host 192.168.102.252
network-object host 192.168.102.30
access-list outside_access_in extended permit tcp host 192.168.102.28 host x.x.x.x eq 1433
access-list outside_access_in extended permit tcp host 192.168.102.106 host x.x.x.x eq 1433
access-list outside_access_in extended permit ip object-group TEST_SOLUTIONS x.x.x.x 255.255.255.128
access-list outside_access_in extended permit tcp object-group TEST_SOLUTIONS x.x.x.x 255.255.255.128 eq citrix-ica
access-list outside_access_in extended permit tcp object-group TEST_SOLUTIONS x.x.x.x 255.255.255.128 eq 2598
access-list outside_access_in extended permit tcp object-group TEST_SOLUTIONS host x.x.x.x eq www
access-list outside_access_in extended permit tcp object-group TEST_SOLUTIONS host x.x.x.x eq https
access-list outside_access_in extended permit tcp object-group TEST_SOLUTIONS x.x.x.x 255.255.255.128 object-group CITRIX_PORTS
access-list nonatvpn extended deny ip 10.1.100.0 255.255.255.0 object-group TEST_SOLUTIONS
access-list TEST_SOLUTIONS_VPN extended permit ip x.x.x.x 255.255.255.128 object-group TEST_SOLUTIONS
access-list TEST-1-WAREHOUSE-1875024 extended permit ip x.x.x.x 255.255.255.128 192.168.105.0 255.255.255.0

crypto map outside_map 28 match address TEST_SOLUTIONS_VPN
crypto map outside_map 28 set peer x.x.x.x
crypto map outside_map 28 set transform-set ESP-3DES-SHA

crypto map outside_map 101 match address TEST-1-WAREHOUSE-1875024
crypto map outside_map 101 set peer x.x.x.x
crypto map outside_map 101 set transform-set ESP-3DES-SHA
crypto map outside_map 101 set security-association lifetime seconds 28800

brewoz40

Citrix access is fine, there's nothing that would prevent the remote site from having multiple users access it. I can't find anything on our end as far as errros to point me in a direction to what may be the problem.

Mow

Can multiple users ping the Citrix server? What is your NONAT ACL like?

ande0255

Is this an IOS device? When you do 'show ver' does the output indicate how many licenses / connections are available without special licensing?

brewoz40

Are you asking for the NONAT acl from the remote site?

Mow

Yes, if you can get it...

Also, your nonat here is a deny entry. I only use permits, never saw a deny before.

brewoz40

Not sure if I can get that as we don't manage that endpoint. More info I just got is that the user's rdp to a server, remote site, that they then use to access our citrix environment.

Mow

This may be the OS of the machine they connect to. I am not a systems guy, but some OSs will only allow one person at a time to log in. If someone else logs in, the first person gets bumped off.

GreaterNinja

brewoz40 wrote: »

Not sure if I can get that as we don't manage that endpoint. More info I just got is that the user's rdp to a server, remote site, that they then use to access our citrix environment.

So they eu's rdp to a terminal server or a regular server/workstation then access the citrix virtualization?
Sounds a little redundant to myself, but maybe I'm not understanding it.
I would have the eu's connect directly to the citrix instead of rdp. Especially if the remote site now has a permanent secure tunnel up.

Also we have had our managed service providers (AT&T) screw up some remote site mpls connections in the past. Another thing to troubleshoot would be to connect from your location to the rdp endpoint then try and access the citrix server / cluster/netscaler or whatever.

brewoz40

Yea I agree its a little redundant to rdp and then connect, but out of my control. Could it be because all the sessions are being initiated by a single IP that it's being blocked by the acl?

d4nz1g

ande0255 wrote: »

Is this an IOS device? When you do 'show ver' does the output indicate how many licenses / connections are available without special licensing?

Check this. I had similar issues using ASA 5505.

GreaterNinja

You could talk to or route a ticket to desktop / HD / operations team and ask them to install or check if the Citrix ICA client loads fine on the remote sites' systems. Running the client directly is one possible solution and its pretty easy. On the other hand i'd defer to our senior network gurus for a solution on their end too.