HTTPS traffic routed to another gateway statically does not connect but pings do

Posted on 2014-07-10
Last Modified: 2014-07-17
Adding a static route to a Zyxel USG 100 firewall that directs traffic bound for via an internal gateway of works perfectly if you run a ping or trace route.  When you try to connect with a Citrix Receiver, however, the server cannot be found.  Adding a static route directly to the client PC and skipping the Zyxel fixes the issue but is a poor fix with lots of clients.

Zyxel USG 100 company internet firewall.
Internal IP

Cisco 1700 Series EMR Gateway
Internal IP

EMR final destination is

If I add a static route to route traffic to to the Zyxel firewall it works testing with pings and trace routes.  But when using the Citrix Receiver that uses HTTPS as its protocol it never connects.

I have looked and there are no firewall rules that should be interfering with the traffic flow.  I don't have access to the EMR network to do any testing but the only places that have this issue are those with Zyxel USG firewalls.
Question by:InvisibleTerror

    Expert Comment

    by:Dirk Kotte
    I think there is a kind of proxy intercepting the traffic. Take a look at the proxy settings on the client.
    Also, a transparent proxy is possible with most firewalls.
    Try to connect on port 1494 to the Citrix server ...
    use "telnet yourserver.yourdomain 1494"
    ... you should see "ICAICA..." so the connection is possible and http(proxy) is the problem.

    Expert Comment

    by:Craig Beck
    Are IP redirects enabled on the client and Zyxel box?

    Expert Comment

    ++ most likely a redirection occurs, which messes the https traffic

    if the first connection fails and a subsequent connection works, this is the case

    you can also check using "netstat -rn" or route

    a tracert would be welcome as well

    Accepted Solution

    I found the issue.  The Zyxel was seeing the traffic come back with one hop less because the other gateway router was addressing it directly to the client computer and was dropping the packet.  Enabling allow asynchronous route in the firewall fixed the issue.

    Expert Comment

    it would probably be cleaner to prevent the zyxel from sending route redirections

    Author Closing Comment

    Troubleshot and found the problem.
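
An added example, not part of the thread and not ZyXEL's code: a simplified model of a strict stateful firewall, assuming it only sees client-to-server packets because the internal gateway answers the client directly. It shows how that path can pass pings while a TCP/HTTPS session stalls; the addresses, class name and `allow_asymmetric` flag are constructed for illustration.

```python
CLIENT, EMR = "192.0.2.10", "198.51.100.20"   # constructed documentation addresses

class StatefulFirewall:
    def __init__(self, allow_asymmetric=False):
        self.allow_asymmetric = allow_asymmetric  # hypothetical stand-in for the firewall option
        self.flows = {}                           # (client, server, server_port) -> TCP state

    def forward(self, proto, src, dst, sport=0, dport=0, flags=""):
        """Return True if the packet is forwarded, False if it is dropped."""
        if proto == "icmp":
            return True                       # an echo request needs no prior state
        out_key, back_key = (src, dst, dport), (dst, src, sport)
        if flags == "S":                      # client opens the flow
            self.flows[out_key] = "SYN_SENT"
            return True
        if flags == "SA" and self.flows.get(back_key) == "SYN_SENT":
            self.flows[back_key] = "ESTABLISHED"
            return True
        if "ESTABLISHED" in (self.flows.get(out_key), self.flows.get(back_key)):
            return True
        return self.allow_asymmetric          # out-of-state segment: strict mode drops it

def simulate(fw, replies_via_firewall):
    """Client -> firewall -> gateway -> EMR; replies may bypass the firewall."""
    ping_ok = fw.forward("icmp", CLIENT, EMR)  # echo reply returns directly either way
    steps = [fw.forward("tcp", CLIENT, EMR, 50000, 443, "S")]
    if replies_via_firewall:                   # symmetric path: firewall sees the SYN-ACK
        steps.append(fw.forward("tcp", EMR, CLIENT, 443, 50000, "SA"))
    steps.append(fw.forward("tcp", CLIENT, EMR, 50000, 443, "A"))   # handshake ACK
    steps.append(fw.forward("tcp", CLIENT, EMR, 50000, 443, "PA"))  # TLS ClientHello
    return {"ping": ping_ok, "https": all(steps)}

if __name__ == "__main__":
    for label, fw, via in [
        ("asymmetric path, strict", StatefulFirewall(), False),
        ("asymmetric path, allowed", StatefulFirewall(allow_asymmetric=True), False),
        ("symmetric path, strict", StatefulFirewall(), True),
    ]:
        print(label, simulate(fw, via))
```

In the strict asymmetric case the SYN is forwarded, but the client's handshake ACK arrives for a flow the firewall never saw answered, so it is dropped while ping still succeeds.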
