VPN Issues

brewoz40 Posts: 57 Member
Having issues with a site-to-site VPN tunnel. We added another remote site and the tunnel comes up with no issues, only thing is, only 1 user at a time at the remote site is able to access the web interface of the Citrix server to access resources. I can't find anything in the ACLs that would be causing an issue on our end, any 'general' areas to focus on? It's driving me crazy!!

Comments

  • Edificer Posts: 185 Member
    Did you check the ASDM syslog output for any clues? What kind of error do you get when the second user tries to login?
    “Our greatest glory is not in never falling, but in rising every time we fall.” ― Confucius
  • GreaterNinja Posts: 271 Member
    Maybe it's the Citrix setup only allowing 1 connection from remote site X? Or maybe it is your ACLs.
  • brewoz40 Posts: 57 Member
    Here's the config on our end for access for the remote site; the remote site is controlled by the other company's IT:

    object-group network TEST_SOLUTIONS
    network-object host 192.168.102.10
    network-object host 192.168.102.14
    network-object host 192.168.102.15
    network-object host 192.168.102.19
    network-object host 192.168.102.21
    network-object host 192.168.102.22
    network-object host 192.168.102.27
    network-object host 192.168.102.51
    network-object host 192.168.102.48
    network-object host 192.168.102.87
    network-object host 192.168.102.12
    network-object host 192.168.102.71
    network-object host 192.168.102.246
    network-object host 192.168.102.129
    network-object host 192.168.102.201
    network-object host 192.168.102.53
    network-object host 192.168.102.84
    network-object host 192.168.102.120
    network-object host 192.168.102.136
    network-object host 192.168.102.132
    network-object host 192.168.102.113
    network-object host 192.168.102.200
    network-object host 192.168.102.60
    network-object host 192.168.102.137
    network-object host 192.168.102.28
    network-object host 192.168.102.106
    network-object host 192.168.102.11
    network-object host 192.168.102.165
    network-object host 192.168.102.174
    network-object host 192.168.102.179
    network-object host 192.168.102.180
    network-object host 192.168.102.252
    network-object host 192.168.102.30
    access-list outside_access_in extended permit tcp host 192.168.102.28 host x.x.x.x eq 1433
    access-list outside_access_in extended permit tcp host 192.168.102.106 host x.x.x.x eq 1433
    access-list outside_access_in extended permit ip object-group TEST_SOLUTIONS x.x.x.x 255.255.255.128
    access-list outside_access_in extended permit tcp object-group TEST_SOLUTIONS x.x.x.x 255.255.255.128 eq citrix-ica
    access-list outside_access_in extended permit tcp object-group TEST_SOLUTIONS x.x.x.x 255.255.255.128 eq 2598
    access-list outside_access_in extended permit tcp object-group TEST_SOLUTIONS host x.x.x.x eq www
    access-list outside_access_in extended permit tcp object-group TEST_SOLUTIONS host x.x.x.x eq https
    access-list outside_access_in extended permit tcp object-group TEST_SOLUTIONS x.x.x.x 255.255.255.128 object-group CITRIX_PORTS
    access-list nonatvpn extended deny ip 10.1.100.0 255.255.255.0 object-group TEST_SOLUTIONS
    access-list TEST_SOLUTIONS_VPN extended permit ip x.x.x.x 255.255.255.128 object-group TEST_SOLUTIONS
    access-list TEST-1-WAREHOUSE-1875024 extended permit ip x.x.x.x 255.255.255.128 192.168.105.0 255.255.255.0

    crypto map outside_map 28 match address TEST_SOLUTIONS_VPN
    crypto map outside_map 28 set peer x.x.x.x
    crypto map outside_map 28 set transform-set ESP-3DES-SHA

    crypto map outside_map 101 match address TEST-1-WAREHOUSE-1875024
    crypto map outside_map 101 set peer x.x.x.x
    crypto map outside_map 101 set transform-set ESP-3DES-SHA
    crypto map outside_map 101 set security-association lifetime seconds 28800
  • brewoz40 Posts: 57 Member
    Citrix access is fine, there's nothing that would prevent the remote site from having multiple users access it. I can't find anything on our end as far as errors to point me in a direction to what may be the problem.
  • Mow Posts: 445 Member
    Can multiple users ping the Citrix server? What is your NONAT ACL like?
  • ande0255 Posts: 1,178 Banned
    Is this an IOS device? When you do 'show ver' does the output indicate how many licenses / connections are available without special licensing?
    Back in my day we used to route packets on 56k lines, through the snow, uphill both ways.

    https://loopedback.com
  • brewoz40 Posts: 57 Member
    Are you asking for the NONAT ACL from the remote site?
  • Mow Posts: 445 Member
    Yes, if you can get it...

    Also, your nonat here is a deny entry. I only use permits, never saw a deny before.
  • brewoz40 Posts: 57 Member
    Not sure if I can get that as we don't manage that endpoint. More info I just got is that the users RDP to a server at the remote site, which they then use to access our Citrix environment.
  • Mow Posts: 445 Member
    This may be the OS of the machine they connect to. I am not a systems guy, but some OSs will only allow one person at a time to log in. If someone else logs in, the first person gets bumped off.
  • GreaterNinja Posts: 271 Member
    brewoz40 wrote: »
    Not sure if I can get that as we don't manage that endpoint. More info I just got is that the users RDP to a server at the remote site, which they then use to access our Citrix environment.

    So the EUs RDP to a terminal server or a regular server/workstation and then access the Citrix virtualization?
    Sounds a little redundant to me, but maybe I'm not understanding it.
    I would have the EUs connect directly to the Citrix instead of RDP. Especially if the remote site now has a permanent secure tunnel up.

    Also, we have had our managed service providers (AT&T) screw up some remote site MPLS connections in the past. Another thing to troubleshoot would be to connect from your location to the RDP endpoint and then try to access the Citrix server / cluster / NetScaler or whatever.
  • brewoz40 Posts: 57 Member
    Yeah, I agree it's a little redundant to RDP and then connect, but out of my control. Could it be because all the sessions are being initiated by a single IP that it's being blocked by the ACL?
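The question above (whether many sessions from one source IP get blocked by the ACL) comes down to what an extended ACE actually inspects. The evaluator below is an added example, not the poster's config or Cisco code: it parses the small subset of ASA syntax used in the thread (object-group network, host / netmask / object-group addresses, permit/deny, tcp/ip, eq port) and matches flows against it the way a first-match ACL does. The Citrix-side addresses were masked as x.x.x.x in the post, so the sample below stands in the documentation range 203.0.113.0/25, and the object group is trimmed to three hosts; both are constructed values. The point it shows: an ACE is matched per flow on addresses, protocol and destination port only, so 25 concurrent sessions from the same RDP host get 25 identical verdicts. Whatever caps the session count has to live somewhere stateful (connection limits, licensing as ande0255 asked about, the Citrix or RDP side), not in these entries.

```python
"""Added example: minimal evaluator for ASA-style 'access-list ... extended' entries.
Models only the syntax subset seen in this thread; not Cisco's implementation."""
import ipaddress
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample. 203.0.113.0/25 stands in for the masked x.x.x.x addresses in the post.
SAMPLE_CONFIG = """
object-group network TEST_SOLUTIONS
 network-object host 192.168.102.28
 network-object host 192.168.102.106
 network-object host 192.168.102.252
access-list outside_access_in extended permit tcp host 192.168.102.28 host 203.0.113.20 eq 1433
access-list outside_access_in extended permit ip object-group TEST_SOLUTIONS 203.0.113.0 255.255.255.128
access-list outside_access_in extended permit tcp object-group TEST_SOLUTIONS host 203.0.113.10 eq https
"""

# Named ports used in the posted ACL, resolved to numbers.
PORT_NAMES = {"www": 80, "https": 443, "citrix-ica": 1494}

Networks = List[ipaddress.IPv4Network]


def _parse_addr(tok: List[str], groups: Dict[str, Networks]) -> Tuple[Networks, int]:
    """Consume one address spec (host X / object-group G / any / ADDR MASK).
    Returns the networks it denotes and how many tokens were consumed."""
    if tok[0] == "host":
        return [ipaddress.ip_network(tok[1] + "/32")], 2
    if tok[0] == "object-group":
        return list(groups[tok[1]]), 2
    if tok[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], 1
    # "ADDR MASK" form; ipaddress accepts a dotted netmask after the slash.
    return [ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False)], 2


def parse_config(text: str) -> Tuple[Dict[str, Networks], Dict[str, List[dict]]]:
    """Build object groups and per-ACL ordered ACE lists from config text."""
    groups: Dict[str, Networks] = {}
    acls: Dict[str, List[dict]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["object-group", "network"]:
            current = tok[2]
            groups[current] = []
        elif tok[0] == "network-object" and current is not None:
            groups[current].extend(_parse_addr(tok[1:], groups)[0])
        elif tok[0] == "access-list" and tok[2] == "extended":
            name, action, proto = tok[1], tok[3], tok[4]
            src, used = _parse_addr(tok[5:], groups)
            i = 5 + used
            dst, used = _parse_addr(tok[i:], groups)
            i += used
            port: Optional[int] = None
            if i < len(tok) and tok[i] == "eq":
                port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
            acls.setdefault(name, []).append(
                {"action": action, "proto": proto, "src": src, "dst": dst,
                 "port": port, "text": raw.strip()})
    return groups, acls


def evaluate(acls: Dict[str, List[dict]], name: str, src_ip: str, dst_ip: str,
             proto: str, dport: int) -> Tuple[str, str]:
    """First-match evaluation of one flow. Only addresses, protocol and destination
    port are consulted; nothing here knows how many flows the source already has."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acls.get(name, []):
        if ace["proto"] not in ("ip", proto):
            continue
        if not any(s in n for n in ace["src"]) or not any(d in n for n in ace["dst"]):
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"], ace["text"]
    return "deny", "implicit deny at end of ACL"


def concurrent_sessions(acls: Dict[str, List[dict]], name: str, src_ip: str, dst_ip: str,
                        proto: str, dport: int, count: int) -> Dict[str, int]:
    """Evaluate `count` flows that differ only in source port. The ACE never looks at
    the source port or at flow state, so the verdict distribution is uniform."""
    verdicts = Counter()
    for _sport in range(49152, 49152 + count):  # ephemeral ports, unused by the ACE
        verdicts[evaluate(acls, name, src_ip, dst_ip, proto, dport)[0]] += 1
    return dict(verdicts)


if __name__ == "__main__":
    _, acls = parse_config(SAMPLE_CONFIG)
    print(evaluate(acls, "outside_access_in", "192.168.102.106", "203.0.113.10", "tcp", 443))
    print(concurrent_sessions(acls, "outside_access_in", "192.168.102.106", "203.0.113.10", "tcp", 443, 25))
```

Run it against a longer config by pasting more object-group and access-list lines into SAMPLE_CONFIG; service object groups such as the posted CITRIX_PORTS are outside the modelled subset and would need a port-group parser added.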
  • d4nz1g Posts: 464 Member
    ande0255 wrote: »
    Is this an IOS device? When you do 'show ver' does the output indicate how many licenses / connections are available without special licensing?

    Check this. I had similar issues using ASA 5505.
  • GreaterNinja Posts: 271 Member
    You could talk to or route a ticket to the desktop / HD / operations team and ask them to install or check whether the Citrix ICA client loads fine on the remote site's systems. Running the client directly is one possible solution and it's pretty easy. On the other hand, I'd defer to our senior network gurus for a solution on their end too.