Citrix Workspace Dropping Connection
Hi,
I recently got a Gold SE and am facing connectivity issues with the Citrix Workspace client. For context, here's my brief setup info.
ISP/WAN -> Gold SE (Router mode) -> Deco Mesh (Access Point mode) -> Laptops/Other devices
When connecting to VDI through Citrix client, the connection gets dropped randomly every few minutes.
Troubleshooting done so far:
1. Tried the Citrix client from different laptops and saw the same issue on all of them. I have monitoring enabled for all the laptops and don't see anything blocked in flows.
2. Emergency access for laptops to prevent any rules or blocking doesn't yield any results. Problem persists.
3. Directly connected ISP/WAN to laptop and it works. Citrix connectivity doesn't get dropped at all.
4. Connected ISP/WAN to TP-Link Deco (bypassing Firewalla), changed Deco from Access Point to Router and Citrix works just fine when it's connected to Deco.
At this time, I firmly believe that something in Firewalla is causing this but I don't know what the root cause could be.
-
There are a few things you could try if Emergency Access didn't work:
- Are you using any VPN or Routes? If so, try pausing them on the devices you're having trouble with.
- Check your DNS Server settings and try using a public one temporarily (like 1.1.1.1).
- If you're using IPv6, try disabling it.
This doc goes into more details about what to do when you can't access certain websites: https://help.firewalla.com/hc/en-us/articles/360050255274-What-to-do-when-you-can-t-access-certain-websites
Let me know if this helps.
-
Last week, I disabled Firewalla and reverted my home network to the original TP-Link Deco mesh setup. The Citrix ICA client ran smoothly without any interruptions.
This morning, I reconfigured the network—Firewalla was set as the router, and TP-Link was switched to access point mode. Shortly after, the Citrix connection began dropping every few minutes.
I’ve now returned to the previous configuration with Firewalla turned off, and everything is functioning normally again.
I’m currently at a loss for how to further troubleshoot or isolate the root cause. For context, before reverting to the old setup, I enabled Firewalla’s emergency access for the laptop running the Citrix client, but that didn’t resolve the issue.
Here's what I did over the weekend.
1. Added rules to allow outbound traffic to *.citrix.com and *.cloud.com and other domains used by the Citrix ICA client.
2. Turned off DNS over HTTPS.
Any pointers into this issue are highly appreciated.
-
Are there any significant differences between your Firewalla's network configuration (LAN/WAN) vs. your old router's configuration? (meaning, do both have IPv6 off? Are both using the same DNS servers?) Do you have any extra configurations in Firewalla, such as QoS? Parental Control turned on? Do you have any routes set up?
Also, check your Citrix application and see if it needs extra configuration such as port forwarding, or things like IPSEC passthrough. To be secure, Firewalla doesn't turn on NAT Passthrough features like SIP/IPSEC by default.
-
There are no differences between the old and new setups—both use 1.1.1.3 as DNS servers, and IPv6 is disabled.
Initially, I added ports 1494 and 2598 to the firewall rules for this laptop, but after monitoring traffic, there were no hits on those ports. It appears the Citrix ICA client is using port 443 for its communication, so I’ve now added UDP 443 to the rules as well.
Firewalla Settings:
• QoS/Queues are not enabled.
• Family Protect mode is active, but this laptop is listed as an excluded device.
• No custom routes have been configured.
• SIP/IPSec passthroughs are not required, since I’m not hosting the Citrix client—just connecting to a remote VDI.
-
Final update: The issue has been resolved. Here are the steps undertaken to finally isolate and fix the issue, in case anyone faces this in future.
The Citrix Workspace client requirements:
1. The CW client needed to query OpenDNS; it didn't work with 1.1.1.1 or other external DNS systems. I had to open port 53 on Firewalla for the laptop running the CW client.
2. TCP/UDP 443 outbound had to be opened for this client.
3. All domains, including citrix.com and others as outlined, have to be added to the exclusion list for this client via rules in Firewalla.
Performing all the steps above still had CW client disconnecting intermittently but the uptime between disconnects increased significantly.
Next, taking a stab at the TP-Link Deco mesh system (in access point mode) we have at home.
1. Previous scenario was that the second Deco node would connect to main Deco node via ethernet backhaul. Ethernet cable from Deco 2 would connect to Deco 1 directly on second port of Deco 1. Upon checking logs on Deco units, I could see frequent client disassociations and some errors native to Deco that I still can't understand.
Tested the following:
1. Connected Deco 2 to Firewalla directly, just like Deco 1. Since Deco supports this config, they worked in AP mode without any issues.
2. Assigned static IPs (reservations) for all Deco units in Firewalla.
Finally, CW client doesn't disconnect any more. Not even once. All is good now.
My key learnings from troubleshooting and fixing this issue. You may consider them as best practices.
1. Connect all Access Points directly to the Firewalla device, if possible at all. Use a switch if you have to, but avoid daisy chaining them. They may still work, but you may experience slowness or micro connection drops lasting a second or two, which is especially noticeable if you run multiplayer games or sensitive clients like CW. Another positive outcome of this is that now I receive ~600Mbps up/down when doing a wifi test on my phone, compared to 340Mbps up/down previously, without changing the location of the Deco/AP units.
2. All APs should be assigned static IPs. You just don't want the APs to receive/renew IP addresses dynamically. At least, in my case, most of the errors in Deco logs are now gone.
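The final update boils down to checking whether the ports the Citrix Workspace client needs (DNS on 53, TCP and UDP 443, and the legacy ICA/CGP ports 1494 and 2598) show allowed hits, blocked hits, or no hits at all in the firewall's flow monitoring. The script below is an added example, not something from the thread or from Firewalla; it audits a constructed CSV export of flow records (the column layout is an assumption, since the thread does not show Firewalla's real format) and classifies each required port the way the poster did by hand, separating "blocked" from "never observed" so that unused legacy ports are not mistaken for a blocking problem.

```python
"""Audit flow records for the ports a Citrix Workspace client is expected to use.

Added example, not part of the thread. The CSV layout (ts,proto,src,dst,dport,action)
and the sample rows are constructed for this example; Firewalla's real flow export
format is not described in the thread. Addresses use documentation ranges.
"""
import csv
from collections import defaultdict
from io import StringIO

# Ports named in the thread: DNS, HTTPS/ICA over 443, and the legacy ICA/CGP ports.
REQUIRED_FLOWS = {
    ("udp", 53): "DNS lookups",
    ("tcp", 443): "HTTPS / ICA session traffic",
    ("udp", 443): "ICA over UDP",
    ("tcp", 1494): "legacy ICA",
    ("tcp", 2598): "legacy session reliability (CGP)",
}

# Constructed sample flow export for one client laptop (192.168.1.50).
SAMPLE_FLOWS = """\
ts,proto,src,dst,dport,action
2024-05-01T09:00:00,udp,192.168.1.50,203.0.113.53,53,allow
2024-05-01T09:00:01,tcp,192.168.1.50,203.0.113.10,443,allow
2024-05-01T09:00:01,tcp,192.168.1.50,203.0.113.10,443,allow
2024-05-01T09:00:02,udp,192.168.1.50,203.0.113.10,443,block
2024-05-01T09:00:03,tcp,192.168.1.50,203.0.113.11,1494,allow
2024-05-01T09:00:04,tcp,192.168.1.50,198.51.100.7,80,allow
"""


def summarize_flows(csv_text, client_ip=None):
    """Count allowed and blocked flows per (proto, dport), optionally for one source IP.

    Returns {(proto, dport): {"allow": n, "block": m}}; rows whose action is
    anything other than allow/block are ignored.
    """
    counts = defaultdict(lambda: {"allow": 0, "block": 0})
    for row in csv.DictReader(StringIO(csv_text)):
        if client_ip and row["src"] != client_ip:
            continue
        key = (row["proto"].lower(), int(row["dport"]))
        action = row["action"].lower()
        if action in counts[key]:
            counts[key][action] += 1
    return dict(counts)


def audit_requirements(summary, required=REQUIRED_FLOWS):
    """Classify each required (proto, port) as "ok", "blocked" or "no_hits".

    A single blocked flow outranks any number of allowed ones, because an
    intermittently blocked port is exactly the symptom to chase. A port with
    no traffic at all is reported separately: the client may simply not use it.
    """
    verdicts = {}
    for key in required:
        hits = summary.get(key, {"allow": 0, "block": 0})
        if hits["block"]:
            verdicts[key] = "blocked"
        elif hits["allow"] == 0:
            verdicts[key] = "no_hits"
        else:
            verdicts[key] = "ok"
    return verdicts


def report(csv_text, client_ip):
    """Human-readable one-line-per-port report for the given client."""
    verdicts = audit_requirements(summarize_flows(csv_text, client_ip))
    lines = []
    for (proto, port), verdict in sorted(verdicts.items()):
        lines.append(f"{proto}/{port:<5} {verdict:8} {REQUIRED_FLOWS[(proto, port)]}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_FLOWS, "192.168.1.50")))
```

Run against the constructed sample, the report marks UDP 443 as blocked (the one flow a rule would need to fix), TCP 2598 as having no hits (consistent with the poster seeing no traffic on the legacy ports), and the rest as ok. Point `summarize_flows` at a real export after adjusting the column names, and filter by the client's IP so other devices' flows do not mask the result.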
-
No, I didn't create rules to block DNS traffic. All I have is Family Protect enabled for all devices except this laptop with the CW client on it. I created a rule for this laptop to open port 53 and UDP 443 (outbound only) as part of satisfying all requirements of running the CW client on the laptop when there's a firewall in the network. I am certain that I don't need 53 and 443 to be opened via a rule, but I am just going to leave it open since the issue has been fixed.