HTTPS traffic routed to another gateway statically does not connect but pings do

Posted on 2014-07-10
Medium Priority
Last Modified: 2014-07-17
Adding a static route to a Zyxel USG 100 firewall that directs traffic bound for via an internal gateway of works perfectly if you run a ping or trace route.  When you try to connect with a Citrix Reciever however the server can not be found.  Adding a static route directly to the client pc and skipping the Zyxel fixes the issue but is a poor fix with lots of clients.

Zyxel USG 100 company internet firewall.
Internal IP

Cisco 1700 Series EMR Gateway
Internal IP

EMR final destination is

If I add a static route  to route traffic to to the Zyxel firewall it works testing with Pings and trace routes.  But when using the citrix reciever that uses Https as its protocol it never connects.  

I have looked and there is no firewall rules that should be interfering in the traffic flow.  I don't have access to the EMR network to do any testing but the only places that have this issue are those with Zyxel USG firewalls.
Question by:InvisibleTerror
LVL 24

Expert Comment

by:Dirk Kotte
ID: 40191334
i think there is a kind of proxy intercepting the traffic. Take a look to the proxy settings at the client.
Also transparent proxy is possible with the most firewalls.
try to connect with port 1494 to the citrix server ...
use "telnet yourserver.yourdomain 1494"
... you should see "ICAICA..." so the connection is possible and http(proxy) the problem.
LVL 47

Expert Comment

by:Craig Beck
ID: 40192180
Are IP redirects enabled on the client and Zyxel box?
LVL 27

Expert Comment

ID: 40192516
++ most likely a redirection occurs, which messes the https traffic

if the first connection fails and a subsequent connection works, this is the case

you can also check using "netstat -rn" or route

a tracert would be welcome as well
Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!


Accepted Solution

InvisibleTerror earned 0 total points
ID: 40192651
I found the issue.  The zzxel was seeing the traffic come back with one hop less because the other gateway router was addressing it directly to the client computer and was dropping the packet.  Enabling allow asynchronous route in the firewall fixed the issue.
LVL 27

Expert Comment

ID: 40192958
it would probably be cleaner to prevent the zyxel from sending route redirections

Author Closing Comment

ID: 40201506
Troubleshot and found the problem.

Featured Post

Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After several days of searching and hunting for limited documentation, I wanted to share this guide to hopefully save someone the hassle of trying to figure this out on their own. I have tested this on Xendesktop 7.1 and PS 4.5 running simultaneous…
#Citrix #XenApp #Citrix Scout #Citrix Insight Services #Microsoft VMMAP #Microsoft ADEXPLORE #Microsoft RAMMAP #Microsoft TCPVIEW #Microsoft AUTORUNS #Microsoft PROCESS EXPLORER #Microsoft PROCESS MONITOR
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

579 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question