Solved

Problems Connecting to Citrix Access Gateway from Internal VLAN

Posted on 2014-04-29
8
585 Views
Last Modified: 2014-07-10
We have a Citrix Access Gateway that can be reached from all the VLANs within our internal network except for one. The VLAN in question can ping any other host in the CAG's VLAN, however it can't ping the CAG itself.

We have a core switch, which is an HP 5412, that handles all of our VLANs and as far as I can tell from the config there shouldn't be anything preventing the traffic from getting through. I suspect that the issue may be caused by a setting on the CAG itself, however I'm not familiar enough with the appliance to know where to look. The CAG software version is 5.0.4.

Any ideas or suggestions would be greatly appreciated!
0
Comment
Question by:Scott Fowler
8 Comments
 
LVL 21

Expert Comment

by:robocat
ID: 40031707
Is the device connected to the network by more than one network port (e.g. one port for the internal LAN and one for the DMZ)?
0
 

Author Comment

by:Scott Fowler
ID: 40032281
Yes, that's correct. One NIC is connected to the internal network on our Default VLAN and the other NIC is connected to the DMZ.
0
 
LVL 21

Expert Comment

by:robocat
ID: 40032618
The problem is likely to be routing related. You need to add the IP subnet (from the VLAN) to the routing table and make sure it's routed through the internal NIC.

Look for the network -> routing settings in the management interface, you'll probably see how it's done for your other subnets. Add an entry for the subnet with gateway to the internal net.
0

 

Author Comment

by:Scott Fowler
ID: 40033070
Thanks for the help robocat...

I was able to find the routing section on the CAG that you referred to. Contained therein are static routes to all of our internal VLANs, including the VLAN that can't connect to the CAG. Just in case it was entered incorrectly, I went ahead and deleted and re-added it. Unfortunately, still no joy.

In doing some further testing I found another VLAN that won't talk to the CAG. This particular VLAN we use exclusively for printers and copiers, so there would never be a need for a device on this network to connect to the Citrix Gateway. Still, it's also in the static routes section on the CAG, so it seems like it should be able to connect as well.
0
 
LVL 21

Expert Comment

by:robocat
ID: 40035508
Try using traceroute to see how far you get from the source device to the CAG. It might give you a clue where the problem is situated in your network. Compare that to a traceroute from a working subnet.
0
 

Author Comment

by:Scott Fowler
ID: 40035805
There's only one hop between the problem VLAN and the CAG VLAN. So a tracert hits the default gateway and gets a response, but then gets a request timed out when trying to talk to the CAG.

By digging some more into the static routes I think I may have found the problem...

Even though we've added static routes for all our VLANs to the Web GUI of the CAG, if you console into the CLI, there are two routes that don't show. The two routes that don't show are the two VLANs we can't access the CAG from. Unfortunately, as far as I can tell, there's no way to add static routes through the CLI. Looks like this problem may be a bug in this particular version of the software.
0
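The mismatch described above (routes present in the Web GUI but absent from the CLI routing table) is exactly the kind of thing worth checking mechanically on any dual-homed appliance. The script below is an added example, not code from the thread or from Citrix: it reconciles the list of static routes an administrator entered against a route dump taken from the appliance CLI, reports which expected subnets have no active route, and shows which interface a reply to a given host would actually leave on. The route-dump format and all addresses are constructed for the example (a generic "destination via gateway dev iface" layout); CAG 5.0.4 prints its table differently, so parse_cli_routes() would need to be adapted to the real output.

```python
"""Reconcile GUI-configured static routes with the routes a dual-homed
appliance actually has active on its CLI.

Added example for the thread above; not Citrix code. Every address and the
route-dump text are CONSTRUCTED for illustration.
"""
import ipaddress
import re

# Constructed: static routes as entered in the management GUI (subnet -> gateway).
GUI_STATIC_ROUTES = {
    "10.10.20.0/24": "10.10.1.1",
    "10.10.30.0/24": "10.10.1.1",
    "10.10.40.0/24": "10.10.1.1",   # stands in for the VLAN that cannot reach the appliance
    "10.10.50.0/24": "10.10.1.1",   # stands in for the printer/copier VLAN
}

# Constructed: a route dump from the appliance CLI in a generic Linux-like layout.
# eth0 = internal NIC, eth1 = DMZ NIC. Two of the GUI routes never made it here.
CLI_ROUTE_DUMP = """\
10.10.1.0/24 dev eth0 scope link
10.10.20.0/24 via 10.10.1.1 dev eth0
10.10.30.0/24 via 10.10.1.1 dev eth0
192.168.100.0/24 dev eth1 scope link
default via 192.168.100.1 dev eth1
"""

# Matches "<dst> [via <gw>] dev <iface>"; assumed layout, not a vendor format.
ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?:\s+via\s+(?P<gw>\S+))?\s+dev\s+(?P<dev>\S+)")


def parse_cli_routes(text):
    """Return a list of (network, gateway_or_None, interface) from a route dump."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not routes
        dst = m.group("dst")
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        routes.append((net, m.group("gw"), m.group("dev")))
    return routes


def missing_routes(gui_routes, cli_routes):
    """Subnets configured in the GUI that have no active route on the CLI (sorted strings)."""
    active = {net for net, _, _ in cli_routes}
    expected = (ipaddress.ip_network(s) for s in gui_routes)
    return [str(net) for net in sorted(net for net in expected if net not in active)]


def route_for(host, cli_routes):
    """Longest-prefix match: the (network, gateway, interface) a reply to host would use."""
    addr = ipaddress.ip_address(host)
    best = None
    for net, gw, dev in cli_routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return best


if __name__ == "__main__":
    cli = parse_cli_routes(CLI_ROUTE_DUMP)
    for subnet in missing_routes(GUI_STATIC_ROUTES, cli):
        print(f"configured in GUI but not active on CLI: {subnet}")
    for host in ("10.10.20.7", "10.10.40.25"):
        net, gw, dev = route_for(host, cli)
        print(f"reply to {host} leaves via {dev} (route {net}, gateway {gw})")
```

Run against the constructed dump, the report flags 10.10.40.0/24 and 10.10.50.0/24 as configured but inactive, and shows that a reply to a host in 10.10.40.0/24 would fall through to the default route on the DMZ interface rather than the internal NIC. That asymmetry (request arrives on one NIC, reply leaves on the other) is what makes the ping look like a silent timeout from the affected VLAN, while VLANs with an active route reply correctly through eth0. Against a real appliance, replace CLI_ROUTE_DUMP with the actual route listing and adjust the regex; the two-sided comparison is the part worth keeping.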
 
LVL 21

Accepted Solution

by:
robocat earned 500 total points
ID: 40036572
Perhaps a reboot could cause the device to re-read the entire routing table?

Something you could also try: delete and add the route again. Immediately after, check the CAG log files for any errors.
0
 

Author Closing Comment

by:Scott Fowler
ID: 40188283
It turns out that it was an issue with the device itself. We've since replaced the CAG with a Netscaler VM and everything is working as expected. Thanks for the help robocat!
0
