
Can't connect to Citrix Server on different subnet through VPN

Status
Not open for further replies.

talenx

Programmer
Aug 7, 2001
US
OK, I have been beating my head on this for too long now; I'm really hoping somebody might shed some light on this issue. I have an existing Citrix farm set up with published applications and web access. Until recently users were able to VPN into our network and access the Citrix resources with no issues, then I implemented a new VLAN because we were running out of IP addresses. Users on the same subnet as the Citrix farm can access the Citrix resources, as can non-VPN users that access the Citrix farm via SSL web. Now that the new VLAN has been implemented and the VPN gives out 10.1.1.x IP addresses, users are unable to access Citrix resources via web or MetaFrame client.
Originally I thought it may have been a routing issue (which it still could be, but I don't see it) because once a user connects via VPN they receive a 10.1.1.x IP address and have access to all resources on the 131.107.2.x network, even via Terminal Services. Which leads me to believe it may be something else.
Here is a really odd thing: while connected to the network via VPN and having an IP on the 10.1.1.x network, if I create a local Citrix connection through the MetaFrame client I can see the published apps and servers, but if I attempt to connect using the web it returns an error stating that the MetaFrame server doesn't exist at the specified address. (Remember, I CAN connect via web if I am not connected to the network via VPN.) But I do have to change the connection protocol to TCP/IP instead of HTTP + TCP/IP for that to work.

Current network layout:
Citrix farm:
CitrixWeb_server1 131.107.2.11
Citrix _server1 = 131.107.2.13
Citrix _server2 = 131.107.2.14
---
VPN switch 10.1.1.4
VPN user 10.1.1.x
I read somewhere that the client will automatically perform a broadcast for a master browser, so I have set up one of our domain controllers as a multi-homed server
DC1_server 131.107.2.12 and 10.1.1.12
I have created a static WINS and DNS entry for ICA pointing back to the first Citrix server (Citrix _server1 = 131.107.2.13) and added a new access-list to the default gateway router to permit ALL UDP traffic.

Wow, sorry for the long post, but I hope I'm just missing something simple.
Thanks
TalenX
 
Does anybody have any thoughts on this? Is it a router issue or Citrix? At least just point me in the right direction.
Thank you
TalenX
 
Let's see if we can elicit some other interest here.

All UDP, why, firstly? You would need to allow 1494 too.

What port is your XML service running on?

Can you create a custom ICA connection straight to the server, not a published app?

Arguably the best cat skinner around!

Cheers
Scott
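
The check suggested above can be run from a VPN client to tell "ping works but the ICA port is dropped by an ACL" apart from "the port is open and really speaks ICA". This is an added example, not part of the original thread; the function names, the result labels and the `\x7f\x7fICA\x00` greeting it matches are assumptions of the example, and the listener it starts is a constructed local stand-in for a Citrix server.

```python
import socket
import threading

# Assumption: an ICA listener greets a new TCP connection with this banner.
ICA_BANNER = b"\x7f\x7fICA\x00"

def probe_ica(host, port=1494, timeout=3.0):
    """Classify a TCP port: 'ica', 'open-not-ica', 'refused', 'filtered', 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            try:
                data = conn.recv(64)
            except OSError:
                data = b""        # connected, but the peer sent nothing usable
    except ConnectionRefusedError:
        return "refused"          # host answered, nothing is listening on the port
    except socket.timeout:
        return "filtered"         # no answer at all: routing problem or ACL drop
    except OSError:
        return "unreachable"      # e.g. no route to host
    return "ica" if data.startswith(ICA_BANNER) else "open-not-ica"

def start_fake_listener(payload):
    """Constructed stand-in server: accept one connection, send payload, close."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if payload:
                conn.sendall(payload)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    port = start_fake_listener(ICA_BANNER)
    print("constructed ICA listener:", probe_ica("127.0.0.1", port))
    # On the network in this thread, run from a 10.1.1.x VPN client:
    #   probe_ica("131.107.2.13"); probe_ica("131.107.2.14")
```

A "filtered" result from the VPN subnet combined with "ica" from the 131.107.2.x subnet points at the path between the subnets (routes or access-lists) rather than at the Citrix servers.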
 
Ascotta,
Thanks for the quick reply. The only reason I had permitted ALL UDP traffic was I had read somewhere that it might have something to do with the ICA traffic not being passed across the subnet. And I do currently have port 1494 open (the last UDP access-list was mainly for testing really).
As for the custom ICA connections, I don't see the need to recreate some logic that is already working fine on one subnet; it's just getting the data to pass across two subnets.
Thanks Talenx
 
Only UDP 1604 then would be required.

Yes but the logic ain't working on the other subnet. Just lining things up to knock them down.

Arguably the best cat skinner around!

Cheers
Scott
 
Still having the problem? Just to clarify, when connected through the VPN, can you ping the citrix servers?

What type of VPN? Our Cisco 3005 Concentrator was fussy with routes when I hooked ours up. I had to make static entries in it for things to work right.

J

*J*
 
Sorry for the delay,
Ascotta,
To retort to your statement, the logic IS working on the 131.107.2.x network; users on the SAME network or coming in from the internet work just fine. It seems that issues arise when the ICA traffic is coming from the 10.1.1.x network.
The reason I didn't create custom ICA connections is because I was told by Citrix support not to, and to use the CMC application publisher to publish any apps that were needed.

byteya,
Thank you for your post; yes, I am still having the issue.
Currently we have a Nortel Networks VPN switch with a Cisco 3200 PIX and two 2600 Cisco routers.


Cisco 2600 1 is the default gateway
Cisco 2600 2 is the Internet Router
Cisco 3200 1 is the PIX
Nortel Networks VPN Switch is the VPN source, which gives out the DHCP IP address

The odd thing is when I am on the VPN 10.1.1.x network I can do anything across the network: browse, ping, etc. But the ICA connections will not establish unless I specify the server that I want to connect to (as well as change the connection type to TCP/IP only).

Thanks
TalenX


 
Any new thoughts on this... I have ripped the VPN and VLAN apart and put it back together 3 times already to no avail.

Thanks
TalenX
 