Cisco VPN client -- best practices..

[blakey2]

Hi,

We have a citrix server which runs the cisco vpn client.

Multiple applications access the cisco client.

Sometimes initiating a connection will cause cpu usage to jump to 100% (Through the roof) and stop responding, disconnecting users and requiring a reboot.

Are there any documents listing best practices for installing this cisco client in a TS/Citrix environment??

Any help/suggestions appreciated!!

Thanks!

 

[Dublin73]

Hi,

just to confirm.. you have a Citrix server which your clients log into as Citrix clients.. and on this Citrix server, you have the Cisco VPN client software installed?

I don't think it's possible for that to work.

This is an overview of what happens when the Cisco VPN client is launched (the short version)..

The client connects by going out over the internet to the public ip address of the Cisco PIX (or router etc.). Once the relevant handshaking goes on etc. the PIX distributes (through its own little DHCP pool), an ip address to the VPN client. Now, the PC which has the VPN client software on it gets a "virtual" network card, with an ip address and subnet mask etc. that was received from the PIX firewall

I'm pretty sure at this stage, that the original NIC settings on the client are now inaccessible (or temporarily disabled), because the client (in this case your Citrix server) is now on a different secure network.

This would explain why your users immediately get disconnected... they're trying to connect to a Citrix server who's ip address has just been changed

 

[blakey2]

Hi Dublin73,

 just to confirm..  you have a Citrix server which your clients log into as Citrix clients..  and on this Citrix server, you have the Cisco VPN client software installed?

Yes this is how it is setup.

Apparently Cisco won't support the VPN client install on a W2k3 box...

------------------------------------------------------------
VPN Client Is Not Supported on Windows NT Servers
The VPN Client is not supported on any Windows NT server version (including Windows 2000 and Windows XP/.NET/2003 servers). Only Windows 2000 Workstation is a supported platform.

http://www.cisco.com/en/US/docs/sec...ient/vpn_client48/release/notes/48client.html

------------------------------------------------------------

The behaviour you have described is not how it works (in my experience). The software works fine 80% of the time, different people can connect (not simultaneously), however sometimes it makes CPU usage skyrocket and the server stop responding.. nothing actually crashes per se..

Nothing in the server logs, vpn client logs etc..

Any thoughts..?

Cheers.

 

[Dublin73]

I'm not a Cisco PIX expert, but have configured PIX to PIX and PIX to VPN client connections in the past. For the PIX to VPN Client configuration, at the PIX you have to configure a local DHCP pool for distributing addresses to incoming clients.

what you're trying to do isn't really considered good practice (but that's just my opinion!). What you could do as an alternative is...

1. Install the VPN client on an XP PC
2. Enable IP forwarding on this PC
3. Create static routes on the Citrix server, ie... to get to the network that the remote applications reside on, use the XP PC IP address as route to get there
4. Launch VPN client
5. Connect to apps from Citrix server

 

[blakey2]

Hi Dublin73,

I can't see that the above solution would work for the VPN client.

It turns out that there is a newer cisco vpn client version 5.0.034 (or something like that) which says it supports Server 200 and Server 2003.

Will install tonight/tomorrow and see how we go.

Worst case we can troubleshoot direct with cisco since it is now officially supported!

Cheers - Chris.