HTTPS traffic routed to another gateway statically does not connect but pings do

Adding a static route to a Zyxel USG 100 firewall that directs traffic bound for 172.18.0.0 via an internal gateway of 10.10.10.50 works perfectly if you run a ping or trace route.  When you try to connect with a Citrix Reciever however the server can not be found.  Adding a static route directly to the client pc and skipping the Zyxel fixes the issue but is a poor fix with lots of clients.

Setup
Zyxel USG 100 company internet firewall.
Internal IP 10.10.10.1

Cisco 1700 Series EMR Gateway
Internal IP 10.10.10.50

EMR final destination is 172.18.31.245

If I add a static route  to route 172.18.0.0 255.255.0.0 traffic to 10.10.10.50 to the Zyxel firewall it works testing with Pings and trace routes.  But when using the citrix reciever that uses Https as its protocol it never connects.  

I have looked and there is no firewall rules that should be interfering in the traffic flow.  I don't have access to the EMR network to do any testing but the only places that have this issue are those with Zyxel USG firewalls.
InvisibleTerrorAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dirk KotteSECommented:
i think there is a kind of proxy intercepting the traffic. Take a look to the proxy settings at the client.
Also transparent proxy is possible with the most firewalls.
try to connect with port 1494 to the citrix server ...
use "telnet yourserver.yourdomain 1494"
... you should see "ICAICA..." so the connection is possible and http(proxy) the problem.
0
Craig BeckCommented:
Are IP redirects enabled on the client and Zyxel box?
0
skullnobrainsCommented:
++ most likely a redirection occurs, which messes the https traffic

if the first connection fails and a subsequent connection works, this is the case

you can also check using "netstat -rn" or route

a tracert would be welcome as well
0
Simple Misconfiguration =Network Vulnerability

In this technical webinar, AlgoSec will present several examples of common misconfigurations; including a basic device change, business application connectivity changes, and data center migrations. Learn best practices to protect your business from attack.

InvisibleTerrorAuthor Commented:
I found the issue.  The zzxel was seeing the traffic come back with one hop less because the other gateway router was addressing it directly to the client computer and was dropping the packet.  Enabling allow asynchronous route in the firewall fixed the issue.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
skullnobrainsCommented:
it would probably be cleaner to prevent the zyxel from sending route redirections
0
InvisibleTerrorAuthor Commented:
Troubleshot and found the problem.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.