07-16-2015 07:54 AM - edited 03-11-2019 11:16 PM
Hi All, I am hoping someone can help me with this issue.
I have a Citrix NetScaler server on my network that I am trying to access via a public address on the outside of my Cisco ASA5505.
The ASA has two Public Addresses, the first is used for a couple VPN tunnels, which work fine. The second is going to be dedicated to the Netscaler.
ASA5505 - IOS version 9.0 (1)
Public address: Y.Y.Y.142
NetScaler Server: X.X.X.6
This is what I have programmed in the ASA:
object service https
service tcp source eq https destination eq https
object network NetScaler_External
host Y.Y.Y.142
description Netscaler External IP
object network NetScaler_Internal
host X.X.X.6
description Netscaler Inside Address
access-list outside_access_in remark Netscaler
access-list outside_access_in extended permit object https any object NetScaler_Internal
object network obj_any
nat (inside,outside) dynamic interface
object network NetScaler_Internal
nat (inside,outside) static NetScaler_External service tcp https https
access-group outside_access_in in interface outside
I am not sure what I am missing, but when I try to connect to the NetScaler from the outside, the log shows the connection attempt, then gives me a 30 sec. disconnect because of missing SYN.
Any help would greatly be appreciated. I am stuck!
07-21-2015 08:40 AM
Sorry but I'm a bit out of my depth when we get into the Secure Gateway flavor of the Netscaler.
The ASA appears fine for https but there may be some fine point about what the Netscaler Secure Gateway requires that I'm not aware of. Can you confirm there's no proxy server setup in your environment that might be blocking or interfering with the https communications?
You might try the community over at Citrix. I've had good results with them in the past.
http://discussions.citrix.com/forum/5-secure-gateway/
07-16-2015 08:01 AM
Make sure the Netscaler NAT entry is above the general purpose entry. First match "wins" and if the general rule is being hit, you will not get the desired results.
You can move the rules up or down in ASDM or, if you are using the cli, specify their order to make them be examined in the right sequence.
07-16-2015 08:16 AM
07-16-2015 08:19 AM
Hmm, ok that looks good.
Can you try packet-tracer from the cli:
packet-tracer input outside tcp 8.8.8.8 1025 <netscaler External IP> 443
07-16-2015 08:24 AM
Here is the result:
NOBLE-5505# packet-tracer input outside tcp 8.8.8.8 1025 207.78.1.142 443
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network NetScaler_Internal
nat (inside,outside) static NetScaler_External service tcp https https
Additional Information:
NAT divert to egress interface inside
Untranslate Y.Y.Y.142/443 to X.X.X.6/443
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
I am not sure what configuration rule it is talking about.
07-16-2015 08:36 AM
I didn't read your access-list closely enough. You have:
access-list outside_access_in extended permit object https any object NetScaler_Internal
Try instead:
access-list outside_access_in extended permit tcp any4 object NetScaler_Internal eq https
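To make the difference between the two access-list entries concrete, here is an added example (not code from the thread) that models how the ASA evaluates them against an inbound TCP SYN. It covers only the two ACE shapes that appear above: `permit object <service-object> <src> <dst>`, where the service object from the original post fixes both the source and the destination port, and `permit tcp <src> <dst> eq <port>`. The object names and the X.X.X.6 / Y.Y.Y.142 placeholders are the thread's; the SYN's source port 1025 and source 8.8.8.8 are the arguments of the packet-tracer command above, and since ASA 8.3 the ACL sees the real (post-UN-NAT) destination, so the packet is addressed to X.X.X.6.

```python
"""Model of ASA ACE evaluation for the two entries discussed in the thread.
Added example; it parses only the ACE forms that appear on the page."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

NAMED_PORTS = {"https": 443, "www": 80, "ssh": 22}

# 'object service https' / 'service tcp source eq https destination eq https'
# from the original post: name -> (protocol, source port, destination port)
SERVICE_OBJECTS = {"https": ("tcp", 443, 443)}
NETWORK_OBJECTS = {"NetScaler_Internal": "X.X.X.6", "NetScaler_External": "Y.Y.Y.142"}

ORIGINAL_ACL = ["access-list outside_access_in extended permit object https any object NetScaler_Internal"]
FIXED_ACL = ["access-list outside_access_in extended permit tcp any4 object NetScaler_Internal eq https"]


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src_ip: Optional[str]      # None means "any"
    src_port: Optional[int]    # None means any source port
    dst_ip: Optional[str]
    dst_port: Optional[int]


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else NAMED_PORTS[tok]


def _addr(t: List[str], i: int) -> Tuple[Optional[str], int]:
    """Parse an address term: any/any4, host A.B.C.D, or object NAME."""
    if t[i] in ("any", "any4"):
        return None, i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    if t[i] == "object":
        return NETWORK_OBJECTS[t[i + 1]], i + 2
    raise ValueError(f"unsupported address term: {t[i]}")


def _port_op(t: List[str], i: int, current: Optional[int]) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq <port>' that follows an address term."""
    if i < len(t) and t[i] == "eq":
        return _port(t[i + 1]), i + 2
    return current, i


def parse_ace(line: str) -> Ace:
    t = line.split()
    if t[:1] != ["access-list"] or t[2] != "extended":
        raise ValueError("expected 'access-list <name> extended ...'")
    action, i = t[3], 4
    src_port = dst_port = None
    if t[i] == "object":
        # A service object supplies the protocol AND both port constraints,
        # so 'source eq https' limits matching to packets sourced from port 443.
        proto, src_port, dst_port = SERVICE_OBJECTS[t[i + 1]]
        i += 2
    else:
        proto, i = t[i], i + 1
    src_ip, i = _addr(t, i)
    src_port, i = _port_op(t, i, src_port)
    dst_ip, i = _addr(t, i)
    dst_port, i = _port_op(t, i, dst_port)
    return Ace(action, proto, src_ip, src_port, dst_ip, dst_port)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (
        ace.proto in (pkt.proto, "ip")
        and ace.src_ip in (None, pkt.src_ip)
        and ace.src_port in (None, pkt.src_port)
        and ace.dst_ip in (None, pkt.dst_ip)
        and ace.dst_port in (None, pkt.dst_port)
    )


def evaluate(acl: List[str], pkt: Packet) -> str:
    """First matching ACE wins; no match falls through to the implicit deny
    that packet-tracer reports as 'Implicit Rule' / acl-drop."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace.action
    return "deny (implicit rule)"


# Constructed inbound SYN, mirroring the packet-tracer arguments in the thread.
INBOUND_SYN = Packet("tcp", "8.8.8.8", 1025, "X.X.X.6", 443)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(f"{name:8s}: {evaluate(acl, INBOUND_SYN)}")
```

Running it shows the original entry only matches when the client's source port is also 443, which a real browser never uses, so every real SYN falls through to the implicit deny; the corrected entry constrains only the destination port.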
07-16-2015 08:48 AM
Marvin, that change definitely got the packet tracer to complete with Allows all the way down.
But when I try to connect through the public IP, I am still getting the 0 SYN Timeout.
07-16-2015 08:52 AM
OK, can you verify the Netscaler is receiving the 3-way handshake (i.e. the initial SYN packet)?
You can use the nstrace utility (filtering on the originator from which the communications is failing to narrow things down) to perform a packet capture on the Netscaler.
Also check the Netscaler default route points to your ASA inside interface so that when it does receive the SYN, it knows where to send the SYN ACK.
07-16-2015 01:21 PM
Marvin, first let me thank you for your help so far.
OK, so I tried to run the nstrace on the command line, and it is saying "command not found".
Do I have to run it from a specific folder?
Forgive me, I am not very good with Linux OS.
I did verify the Routes are correct, and I can ping the firewall's inside address.
I am very familiar with Wireshark, but never used nstrace.
07-16-2015 07:32 PM
Nick,
nstrace on a Netscaler needs to be run from the FreeBSD OS shell, not the Netscaler command prompt. Type "shell" from the latter and see the syntax details here.
It's also available from the GUI. Instructions.
It will result in a capture file that you can open in Wireshark.
07-17-2015 06:17 AM
Hi Marvin, sorry, I am new to NetScaler, I actually had a consultant install it, and I am just starting to learn it.
So I ran a trace, and what I am seeing in Wireshark is the SYN coming from outside to the Netscaler, then a SYN/ACK going to outside, then a RST/ACK coming from outside.
When comparing to a good connection from my workstation inside the network to the Netscaler, the three-way handshake completes on the inside, with the final ACK.
I compared the data between the good handshake and the failed one, and I cannot see why the ASA is resetting the connection. And the odd part is that the ASA log is saying it is not receiving back the SYN from the Netscaler, when Wireshark is showing that the Netscaler sent it.
I am attaching the Wireshark segment.
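The check Marvin asks for (does the Netscaler see the full three-way handshake?) and the two captures Nick describes can be reduced to a small per-flow state machine. The following is an added example, not code from the thread or from Citrix, that classifies constructed packet records the way one would read an nstrace capture opened in Wireshark: it tracks SYN, SYN/ACK, ACK and RST per flow and reports which side sent a reset and in what state. The frames are constructed to mirror the thread's description; 172.16.3.6 and 74.92.61.169 are the addresses from the thread, while the inside workstation 172.16.3.50 and the ephemeral ports are invented.

```python
"""Classify TCP handshakes from packet records (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FlowKey = Tuple[str, int, str, int]   # (client ip, client port, server ip, server port)


@dataclass(frozen=True)
class Frame:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # TCP flag letters as Wireshark shows them: S, A, R, F, P


@dataclass
class FlowState:
    state: str = "SYN_SENT"
    notes: List[str] = field(default_factory=list)


# Constructed frames modelled on the two handshakes described in the thread.
# Flow 1: client on the public Internet, as seen on the Netscaler (SYN, SYN/ACK, RST/ACK).
# Flow 2: inside workstation (constructed address) completing the handshake normally.
CAPTURE = [
    Frame(0.000, "74.92.61.169", 60535, "172.16.3.6", 443, "S"),
    Frame(0.001, "172.16.3.6", 443, "74.92.61.169", 60535, "SA"),
    Frame(0.030, "74.92.61.169", 60535, "172.16.3.6", 443, "RA"),
    Frame(1.000, "172.16.3.50", 51000, "172.16.3.6", 443, "S"),
    Frame(1.001, "172.16.3.6", 443, "172.16.3.50", 51000, "SA"),
    Frame(1.002, "172.16.3.50", 51000, "172.16.3.6", 443, "A"),
]


def classify_flows(frames: List[Frame]) -> Dict[FlowKey, FlowState]:
    """Run a handshake state machine over frames sorted by timestamp."""
    flows: Dict[FlowKey, FlowState] = {}
    for f in sorted(frames, key=lambda x: x.ts):
        fwd: FlowKey = (f.src, f.sport, f.dst, f.dport)
        rev: FlowKey = (f.dst, f.dport, f.src, f.sport)
        if "S" in f.flags and "A" not in f.flags:
            flows[fwd] = FlowState()              # pure SYN opens a new flow
            continue
        if fwd in flows:
            key, from_client = fwd, True
        elif rev in flows:
            key, from_client = rev, False
        else:
            continue                               # mid-stream frame; SYN not captured
        st = flows[key]
        if "R" in f.flags:
            st.notes.append(f"RST from {f.src} while {st.state}")
            st.state = "RESET"
        elif "S" in f.flags and "A" in f.flags and not from_client and st.state == "SYN_SENT":
            st.state = "SYN_RECEIVED"               # server answered with SYN/ACK
        elif "A" in f.flags and from_client and st.state == "SYN_RECEIVED":
            st.state = "ESTABLISHED"                # client's final ACK completed the handshake
    return flows


def summarize(frames: List[Frame]) -> Dict[str, str]:
    """Human-readable verdict per flow, keyed as 'client:port -> server:port'."""
    out = {}
    for (c, cp, s, sp), st in classify_flows(frames).items():
        detail = f"{st.state}" + (f" ({'; '.join(st.notes)})" if st.notes else "")
        out[f"{c}:{cp} -> {s}:{sp}"] = detail
    return out


if __name__ == "__main__":
    for flow, verdict in summarize(CAPTURE).items():
        print(f"{flow}: {verdict}")
```

Reading the output side by side is the comparison Nick made by hand: the inside flow reaches ESTABLISHED, while the outside flow reaches SYN_RECEIVED (so the Netscaler did send its SYN/ACK) and is then reset by a frame arriving from the outside address, which is the fact to reconcile with the ASA's own "missing SYN" log message.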
07-17-2015 03:50 PM
That's odd, maybe I don't see the big picture completely enough.
Is the https address you are trying to access the Netscaler itself (i.e an NSIP or Netscaler IP) or a loadbalance VIP for a server farm?
Is the source IP in the failed handshake that you posted the jpeg of (74.92.61.169) your PC testing from a public IP?
Can you try packet-tracer on the ASA from the inside out using that address pair and post the results? i.e.:
packet-tracer input inside tcp 172.16.3.6 443 74.92.61.169 60535 detail
07-21-2015 05:42 AM
Hi Marvin, the IP is the Netscaler itself, and I can access it from the inside network.
The 74 address is the public address my PC is using, I have also tried it from two different locations.
Here is the output of Packet Tracer:
NOBLE-5505# packet-tracer input inside tcp 172.16.3.6 443 74.92.61.169 60535 d$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
object network NetScaler_Internal
nat (inside,outside) static NetScaler_External service tcp https https
Additional Information:
Static translate 172.16.3.6/443 to 207.78.1.142/443
Forward Flow based lookup yields rule:
in id=0xc88cb928, priority=6, domain=nat, deny=false
hits=3, user_data=0xcca22340, cs_id=0x0, flags=0x0, protocol=6
src ip/id=172.16.3.6, mask=255.255.255.255, port=443, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc8668990, priority=1, domain=nat-per-session, deny=true
hits=3334378, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc12d630, priority=0, domain=inspect-ip-options, deny=true
hits=3147035, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xc8668990, priority=1, domain=nat-per-session, deny=true
hits=3334380, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=any
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xcc0d8320, priority=0, domain=inspect-ip-options, deny=true
hits=3170385, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3380626, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
07-21-2015 05:59 AM
Everything looks good from the perspective of the ASA.
What exactly are you trying to access on the Netscaler? I haven't checked on the latest versions, but the version 10 boxes I've worked with most required not only tcp/443 for administrative access but also tcp/3008 and/or tcp/3010 for the Java bits of the GUI (encrypted and non-encrypted). You also could add tcp/22 and see if that works for ssh access. Reference.
07-21-2015 07:40 AM
Primarily I am trying to access the gateway (Citrix Receiver) so I can get to my published applications and desktops.
On my old Citrix platform they referred to it as "Secure Gateway".
As I said, NetScaler is new to me, but the login looks similar.
The consultant that installed it called the virtual server: Netscaler-VPX if that helps.