
Cannot access intranet applications when connected to Full SSL VPN



Hi all,


I have configured a full SSL VPN with split tunnel on, and I have added intranet applications which are hostname-based and resolve to private IP addresses.

Once the connection is up, when accessing my intranet app using its URL, I can see traffic in the Tunneled Applications, and after a minute I get ERR_TIMED_OUT in the browser.

I took a capture on the ADC and I only see a TCP handshake between the SNIP and the host, nothing else. I cannot understand why there is no further traffic after the TCP handshake.

Kindly suggest what could cause such a behavior.


Below are the profile, policy and vServer bindings:

add vpn sessionAction ssl_vpn_profile -dnsVserverName CTX-DNS -splitDns BOTH -sessTimeout 600 -splitTunnel ON -transparentInterception ON -defaultAuthorizationAction ALLOW -clientIdleTimeout 600 -clientCleanupPrompt OFF -forceCleanup all -ssoCredential PRIMARY -useMIP NS -useIIP NOSPILLOVER -homePage "https://red.victory-arch.com/" -ClientChoices OFF -clientlessModeUrlEncoding OPAQUE -MacPluginUpgrade Never -LinuxPluginUpgrade Never -iconWithReceiver ON
add vpn sessionPolicy ss_vpn_policy TRUE ssl_vpn_profile
add vpn vserver ssl.victory-arch.com SSL 192.168.1.226 443 -authentication OFF -downStateFlush DISABLED -Listenpolicy NONE -devno 45645824
bind vpn vserver ssl.victory-arch.com -policy ss_vpn_policy -priority 100 -gotoPriorityExpression NEXT -type REQUEST -devno 587202560
bind vpn vserver ssl.victory-arch.com -intranetApplication blue.victory-arch.com -devno 654311424

add vpn url "Blue Site" "Blue Site" "https://blue.victory-arch.com/" -clientlessAccess ON

add vpn intranetApplication blue.victory-arch.com ANY blue.victory-arch.com -destPort 1-65535 -interception TRANSPARENT -devno 10903

add dns addRec blue.victory-arch.com 192.168.1.82 -TTL 600 -devno 11109

add ns ip 192.168.1.75 255.255.255.0 -vServer DISABLED


That's all I have in the captures.


Kindly suggest.

Thanks
Mohammed


It's a bit hard to say.

I see you've got default authorization set to ALLOW. That's not Citrix leading practice; you should set it to DENY and allow access using an authorization policy.

Some questions, to narrow down this issue:

  • Does it work with split tunnelling turned off? (VPN is working fine; it has to do with your intranet applications.)
  • Does it work with split tunnelling set to reverse? (Same as above?)
  • Does it work if you use the IP address instead of the hostname? (It's a problem with name resolution.)
  • What does client-side traffic look like? Do you see the SYN -> S/A -> ACK flow into the VPN? (Might be an authorization problem on the gateway side.)

Greetings from Austria

Johannes Norz

CTA, CCI, CCE-N

https://blog.norz.at

https://wonderkitchen.tech

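The config pasted in the first post is plain NetScaler CLI, so the two things Johannes asks about (the ALLOW default authorization and whether the bound intranet application actually resolves) can be checked mechanically. The script below is an added example, not code from the thread or from Citrix: it parses the `add`/`bind` lines from the first post (trimmed to the options the checks use, with `-devno` values dropped) and reports a finding for a session action with `-defaultAuthorizationAction ALLOW`, for a bound intranet application that is never defined, and for a hostname-based intranet application with no `dns addRec` in the same config.

```python
import ipaddress
import re
import shlex

# Constructed sample: the NetScaler config lines from the first post, trimmed
# to the options the checks below look at (-devno values are cosmetic).
SAMPLE_CONFIG = """
add vpn sessionAction ssl_vpn_profile -dnsVserverName CTX-DNS -splitDns BOTH -splitTunnel ON -transparentInterception ON -defaultAuthorizationAction ALLOW
add vpn sessionPolicy ss_vpn_policy TRUE ssl_vpn_profile
add vpn vserver ssl.victory-arch.com SSL 192.168.1.226 443 -authentication OFF
bind vpn vserver ssl.victory-arch.com -policy ss_vpn_policy -priority 100 -gotoPriorityExpression NEXT -type REQUEST
bind vpn vserver ssl.victory-arch.com -intranetApplication blue.victory-arch.com
add vpn intranetApplication blue.victory-arch.com ANY blue.victory-arch.com -destPort 1-65535 -interception TRANSPARENT
add dns addRec blue.victory-arch.com 192.168.1.82 -TTL 600
"""

OPT = re.compile(r"-[A-Za-z]\w*")  # "-splitTunnel", but not "1-65535"

def parse_line(line):
    """Split 'add|bind <module> <type> <positional...> -opt val ...' into parts."""
    tokens = shlex.split(line)  # shlex handles quoted values like "Blue Site"
    entry = {"verb": tokens[0], "obj": " ".join(tokens[1:3]), "args": [], "opts": {}}
    i = 3
    while i < len(tokens):
        tok = tokens[i]
        if OPT.fullmatch(tok):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            val = "" if OPT.fullmatch(nxt) else nxt
            entry["opts"][tok[1:]] = val
            i += 2 if val else 1
        else:
            entry["args"].append(tok)
            i += 1
    return entry

def parse_config(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def check_vpn_config(text):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    entries = parse_config(text)
    findings = []
    apps = {e["args"][0]: e for e in entries if e["obj"] == "vpn intranetApplication"}
    arecs = {e["args"][0] for e in entries if e["obj"] == "dns addRec"}
    for e in entries:
        if e["obj"] == "vpn sessionAction" and e["opts"].get("defaultAuthorizationAction", "").upper() == "ALLOW":
            findings.append(f"sessionAction {e['args'][0]}: defaultAuthorizationAction ALLOW; use DENY plus explicit authorization policies")
        if e["verb"] == "bind" and e["obj"] == "vpn vserver" and "intranetApplication" in e["opts"]:
            name = e["opts"]["intranetApplication"]
            if name not in apps:
                findings.append(f"vserver {e['args'][0]}: bound intranetApplication {name} is not defined")
                continue
            dest = apps[name]["args"][2]  # third positional is the destination host/IP
            if not is_ip(dest) and dest not in arecs:
                findings.append(f"intranetApplication {name}: hostname {dest} has no dns addRec in this config, so it must resolve via the DNS vServer")
    return findings
```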

Hi Johannes,


Thanks for the response.


This is a POC, hence I am keeping things as easy as I can, but thanks for the alert.

  • Does it work with split tunnelling turned off? (VPN is working fine; it has to do with your intranet applications.)

It's the same with -splitTunnel OFF.

  • Does it work with split tunnelling set to reverse? (Same as above?)

It's the same with -splitTunnel REVERSE.

  • Does it work if you use the IP address instead of the hostname? (It's a problem with name resolution.)

It doesn't work using the IP either.

  • What does client-side traffic look like? Do you see the SYN -> S/A -> ACK flow into the VPN? (Might be an authorization problem on the gateway side.)

On the Gateway Session Profile, Authorization is set to ALLOW.

Kindly suggest.


Thanks

Mohammed


Hello Johannes,


I was able to find the root cause of the issue. The problem is on the KEMP VLM, which is in place doing content switching since there is only a single public IP.

When I do the NAT directly to the Gateway vServer VIP, the traffic passes, but through the KEMP VLM it doesn't. I tried a few settings on the KEMP VLM, but that didn't help. So I am planning to eliminate the KEMP VLM and use an ADC CS vServer instead.


Thank you for your suggestions earlier.
