Stalled connections/timeouts connecting to Citrix App Gateway when behind pfSens
-
Hey folks,
Not sure if firewall is right section for this but here goes:
I want to connect to a remote site (using a Citrix Access Gateway VPN) from my PC, on a LAN behind a pfSense firewall.
If I plug my PC directly into my broadband connection (bypassing pfsense, and everything on the LAN) then I can connect fine. Pretty much instant connections to the resources on the far end of the Citrix VPN, no issues.
If I put my PC back onto the LAN (plugged directly into the LAN port of the pfSense box (just to rule out faulty switches etc. on the LAN)) then I get strange behaviour:
I can open a connection using the Citrix Access Gateway software (i.e. the authentication etc. succeeds).
I can connect to ?some? remote resources fine (for example, use RDP to take control of a remote Srv2008 box).
BUT my connections to other remote resources either timeout or work once, then won't connect again (e.g. I can't RDP to a remote Srv2003 box, or SQL Server Management Studio Express won't connect to a remote SQL Server).This only happens when connected through the pfSense box so I'm pretty sure pfSense is the cause. My first though was that the firewall was catching something it shouldn't but:
port 443 is open (TCP from LAN -> anywhere)
… and the VPN is supposed to run over an SSL connection.I added a test rule allowing TCP/UDP from LAN to anywhere (in case some ports I wasn't aware of were in use)
... and it made no difference. Still dead in the water behind pfSense.I had a look at the firewall logs and can't see any thing being dropped (well, aside from broadcast netbios traffic udp 137/138).
My question is simply this... where to I look? If I could figure out why pfsense doesn't like the traffic from this application I'm sure there'd be a way around it. At a high level, I know what I'm doing but at a lower level I don't have the expertise.
Anyone have any pointers to help-me help-myself?! I'd like to learn a little so I can rationalise this kind of thing if it happens again! I can post any configuration that seems relevant.
Thanks!
-
Based on your description, my first step would be to check for any MTU issues.
-
I've hit MTU issues in the past (dialup users having trouble connection to a site I used to host) so each of the three interfaces on the pfsense box (WAN, LAN, DMZ) is set to an MTU of 1492.
I got the admin on the remote site to lower the MTU to 1492 on his Citrix server and it had no effect… the behaviour was still the same.
All my experience of MTU issues is contained in the two lines above! Is there something I'm missing?
-
OK - progress! Thanks for the extra push in the right direction! After my last reply I went off to learn more about MTU issues in general (it's years since I looked at the topic last time), to see what I'd forgotten/what had changed in the interim.
I remembered the problem with blocked ICMP messages resulting in silently discarded packets. That's likely on my LAN as pfsense drops all ICMP inbound on the WAN. But I did think lowering the MTU on the WAN interface should pretty much take care of that.
Then I read a little about MTU and MSS and decided to try an MSS of 1492 on the WAN interface - and lo' everything works. (Many, many thanks. I've been busting my head on that one for a couple of days, perhaps I need to go back to school!)
I'm not 100% clear on why the MSS setting made a difference? I would have thought that MSS + TCP headers = MTU.
So setting MTU on pfsense should tell pfSense "only ever send packets of 1492 bytes"
And setting the MSS should tell the remote host "only ever sent me packets of (1492 - TCPHeaders) bytes"If anyone would care to elaborate on the differences in the settings that would be great - I'm reading about it right now but just not 100% clear on the difference.