Jump to content
Welcome to our new Citrix community!

no traffic from machine tunnel with intranet IP

Recommended Posts


Customer configured alwayson vpn. When client laptop up, vpn connected in service mode and got intranetip but user can't log on to domain with error message domain is unreachable.

We did a packet trace on netscaler during client log on but never see any traffic from client ip,  i was expecting a dns traffic during log on but nothing from client ip. It looks like nothing is send to vpn gateway when client try to log. Split tunneling is OFF and i also set splitdns to REMOTE to ensure it will use gateway.

anyone ever experience the same? what could be an issue here?




Link to comment
Share on other sites

1) Is the intranet IP assigned a valid IP on the network the gateway backend connects to and otherwise routable?  And not in conflict with dns/dhcp.

Also, intranet ips only apply to vpn connection and not ica proxy or clientless.

I'm assuming regular vpn but the always on vpn service is a little different (if that is involved, additional considerations may apply).


2) On the gateway config, authorization rules still apply, you could be authenticated but denied authorization to destinations.

Does  a session policy or authorization policy apply to the user or vpn session and grant access to destination networks required during the vpn tunnel?

If split tunnel enabled, do you have proper networks to proxy to gateway defined (as intranet apps)


You can look for other gateway events and deny authorizations in syslog which may give you some details about what is going on:


cd /var/log

tail -f ns.log | grep -v CMD_EXECUTED


And you can troubleshoot authentication failures via:


cd /tmp

cat aaad.debug


If no authentication events observed, aaad.debug only captures external authentication attempts so you may not have authentication policies for ldap/radius bound and instead relying on local or some other issue.



Link to comment
Share on other sites

hi Rhonda,

Thanks for your reply,

We start with simple always on vpn configuration, basically simple authentication policy and default allow authorization.

it worked for few times properly, new domain user can log on, reset password, then we restart client machine.

machine tunnel worked -- after client start up it will connect in service mode and getting intranet ip but same issue hit again.

client connected in service mode but new domain user can't logon with domain is not reachable messages.
it looks like machine tunnel connected but blocked by something causing dns and AD inaccessible, we can't see any traffic from client ip when doing packet trace in gateway.

when client in service mode, we can ping clinet ip from gateway but client can't do anything: ping, dns lookup, etc --- something is blocking traffic from gateway plugin.

we can verify this from packet trace at gateway or vpn active session with only 1 session from client ip.


we log on using AD cached user (it took long time), once logon we start user tunnel and logout completely.

Only after successful user mode we can log in to domain using new user.


what cause gateway plugin can't forward any traffic to gateway? is it local in client or due to AD policy or gateway configuration?

any pointer is appreciated.




Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...