jfexchange
Citrix XP server cannot access internet
I have a Citrix XP SP4 running on a Windows 2000 SP4 server; I recently added a content filter device to the network sitting directly off the inside interface of a firewall. Now all devices on the network get out to the internet through the filter device except for the Citrix server. The firewall can ping the Citrix server but the Citrix server can't ping the firewall. Remote users can get to the Citrix server, but the Citrix server can't get on the Internet or ping external hosts. Are there any network settings from within Citrix that might need to be redirected for this type of topology change?
Is the Default Gateway correct?
ASKER
Yes. The inside interface of the firewall is 192.168.1.1. For all other machines this has remained the gateway. The content filter device that sits in front is 192.168.1.5. I tried making this the gateway for the Citrix server but it still will not access the internet.
From the Citrix server, do a tracert to an external web site and post the results.
ASKER
Z:\>tracert yahoo.com
Tracing route to yahoo.com [66.94.234.13]
over a maximum of 30 hops:
1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
From that I can tell the DNS Name Resolution is working but not much else is working. The first hop should be to the Default Gateway. Here is mine (my DG IP is the same as yours):
C:\Documents and Settings\cwebster>tracert yahoo.com
Tracing route to yahoo.com [66.94.234.13]
over a maximum of 30 hops:
1 1 ms <1 ms <1 ms 192.168.1.1
2 52 ms 52 ms 51 ms adsl-70-232-95-254.dsl.ltrkar.sbcglobal.net [70.232.95.254]
3 49 ms 49 ms 49 ms dist1-vlan50.ltrkar.sbcglobal.net [151.164.64.130]
4 50 ms 49 ms 51 ms bb1-g6-3-0.ltrkar.sbcglobal.net [151.164.64.246]
5 61 ms 61 ms 62 ms ex1-p2-0.eqdltx.sbcglobal.net [151.164.40.33]
6 63 ms 63 ms 61 ms asn10310-10-yahoo.eqdltx.sbcglobal.net [151.164.250.10]
7 111 ms 110 ms 110 ms so-1-0-0.pat2.pao.yahoo.com [216.115.101.134]
8 109 ms 110 ms 110 ms ge-3-0-0-p251.msr2.scd.yahoo.com [216.115.106.183]
9 192 ms 109 ms 111 ms ten-1-3-bas1.scd.yahoo.com [66.218.82.217]
10 111 ms 109 ms 110 ms w2.rc.vip.scd.yahoo.com [66.94.234.13]
Trace complete.
You have a problem even reaching your DG. Until you resolve that issue there isn't much else I can do for you. Do you have any FW software running on the Citrix server? Try disabling all FW software, if any, on the Citrix server and try again.
Which content filter are you using? Are you enforcing a proxy redirection in your internet explorer for your IE? From what I understand you cannot ping your gateway at .1 and you cannot ping your content filter at .5? Is this correct? Is the content filter working for your workstations? Are you sure you positioned the content filter properly?
What IP address is the Citrix server sitting at? Are they on a different subnet?
What is the IP address and subnet mask of the Citrix server?
What is the subnet mask of the filter?
What is the subnet mask of the FW?
ASKER
This is a SonicWall content filter that was added to the network; it seems to be working fine for all other network devices except for the Citrix server. The subnet mask for all devices is /24. The firewall is 192.168.1.1, content filter is .5, the Citrix server .15. All devices can ping the Citrix server, the Citrix server can ping the content filter but not the firewall. I actually set up a packet capture on the firewall and it looks like the ping requests are getting there, but from the Citrix server it says they time out, so the responses are not getting back. I am not that familiar with Citrix, but was hoping that maybe there was a network or gateway setting somewhere in the MetaFrame that I could reconfigure? Thanks,
It sounds like something got messed up in your firewall settings. Ping your firewall, then check the logs. What kind of firewall are you running? It seems like ICMP and some other services got blocked.
ASKER
It's a PIX firewall; there are no restrictions in the firewall for any of the traffic. I actually see the firewall respond with echo replies in the packet captures, but the Citrix server never gets them. I am thinking this is a problem with the SonicWall device then, since all traffic passes through it to get to the firewall.
Well first, it's important to note that this most probably is not a Citrix related issue at all. Just to clarify, you set the gateway of all your systems to .5 so all traffic traverses the SonicWall CF, is this correct? If you change the Citrix server's gateway back to .1 can you get out to the internet and ping the gateway? I'm really leaning toward something in the SonicWall not configured properly. It is not passing the echo back from the firewall to the Citrix server. Something is misconfigured on the SonicWall.
ASKER
It turns out the content filter does not support dual NIC cards, which the Citrix server is running. I disabled one and it started to work. Thanks,