rgmckenz asked:
Site-to-Site SonicWALL VPN with SSO won't allow traffic from Citrix servers to nodes on remote LANs, but others can ping same nodes

OK, I'm stumped on this one.  I've got a SonicWALL NSA2400 acting as a hub for two remote offices over a Site to Site VPN.  The VPN is configured correctly and nodes on both sides can ping or access nodes at all other sites.  It has been up and running in this configuration for a long time now with no apparent problems.  I should note that SSO is activated and communicating with an Active Directory connector on one of the security servers, plus SSO also communicates with two Citrix servers through Terminal Server agents.

So in the past two months, I've had some issues printing to network printers on the other side of the VPN from printers defined on the Citrix servers.  Further investigation found that I could not ping from either Citrix server to any nodes across the WAN through the VPN.  All other workstations and servers can ping those remote nodes and printers with no problem whatsoever.  It's just these two Citrix/terminal servers.

The only thing I could come up with is that the SSO terminal server agents on the Citrix servers are somehow blocking that traffic and preventing users from accessing resources at the remote sites.  I removed the agent on one of the servers and rebooted it, but still have the same issue.  I disabled SSO completely, but still had the same problem.  I've tried to capture traffic in the Packet Monitor and watch the log for dropped traffic, but I can't find anything definitively wrong.

Has anyone ever seen this type of behavior before?  I would understand it if all nodes on the host LAN could not pass traffic to nodes on the other side of the VPN tunnel.  However, it is just these two servers on the same subnet.  Any help anyone could give me as to how to solve this problem would be greatly appreciated!
Carl Dula:

Can you post a network diagram?
Any NAT rules for the Citrix servers? Are they available over the Internet?
rgmckenz (asker):
Carlmd - I'll be back with a network diagram as soon as possible.  I am now mired in a couple of emergencies that I must take care of ASAP, but I'll post it as soon as I have it.

Aaron - No specific NAT rules for the Citrix servers.  They are only available over our site-to-site VPN and SSL-VPN tunnels.  I'll double-check that to be sure, but the NAT policies haven't changed on the central router in many months.

I'll gather some more info for everyone and will post here as soon as I can.
I should also mention that all computers on the same host subnet (ex: 10.1.150.0/24) - the ones that can communicate with remote nodes and the ones that can't - all have exactly the same routing table, same general IP settings for default gateway, DNS, etc. and all reside on the same physical network (including servers on the same network switch).  The only thing that I can see different is the SonicWALL SSO terminal server agents running on the two Citrix servers.  Very frustrating.
OK, a quick update.  I may be onto something here.  Last night, I removed the SSO terminal server agent from the lesser of the two Citrix servers (uninstall), then disabled the configuration for that server on the SonicWALL NSA2400 in the User section.  After testing it for an hour, I was still having the problem on that server.

However, this morning when I test it, I can once again ping from that Citrix server to resources on remote LANs across the VPN tunnels.  I can ping everything, even the printing resources that I couldn't see before.  I'm going to remove the SSO terminal server agent from the primary Citrix server tonight and then disable it on the SonicWALL firewall.  I'll wait until late Saturday and see if it is now routing traffic properly again.  I'll post when I have the results.
Is your firmware version current? I've seen problems with SonicWALL eating RADIUS auth packets in older versions; maybe a similar issue with the SSO agents.
Actually, this is a 9.x early release (something I don't usually like to do, but we needed it for PCI compliance, among other things).  Heh, maybe the new release of the firmware is my issue, although I've had it around for several months.  That doesn't mean that I just wasn't aware of the routing issue.  Thanks for the advice!
ASKER CERTIFIED SOLUTION
Aaron Tomosky
Aaron,

Thanks for your assistance.  I did upgrade to an NSA2600 to replace the aging NSA2400.  I configured the new box and put it into production, but I have not yet reactivated SSO and specific user tracking.  However, the communications issues have ceased to exist.  I can once again ping units on the remote subnets from our Citrix servers.  I did completely remove the SonicWALL TS clients from those servers and rebooted them again, so I'm not 100% sure if the new SonicWALL and firmware or the removal of the TS client resolved the problem, but I'm happy it's gone.  Thanks again!
Problem resolved for now.  Thanks for your assistance and patience!