We're using Citrix 4.5 on an MPLS network with 170 branch offices for one big centralized business application. We're already using QoS to differentiate Citrix packet traffic (ICA and CGP). We're facing some problems when keyboard/screen refresh packets are competing with Citrix printer mapping packets or drive mapping packets.
We're now rolling out a network with a new provider and CISCO routers. We would like to use NBAR (latest version) technology to differentiate Citrix packets based on ICA / CGA priority tags and allocate them to different Class of Services. This would help to increase user experience.
We've made some tests but only (around) half of the packets are recognized and classified in the right class. The remaining 50% of packets are classified as Citrix packets by Cisco NBAR. Neither Citrix nor Cisco experts can give me a clear explanation of what is going wrong... Is Cisco NBAR technology not working as designed or is there something to do with Citrix parameters?
I would be grateful if someone could tell me if this technology has been used successfully by customers in such a configuration or if you have any idea what is happening.
Re: CISCO NBAR with Citrix priority tag (ICA or CGP)
I use NBAR for Citrix packet type classification (to also distinguish between screen packet and printing or disk copying packets). I have not, though, confirmed that all packets are properly being matched. I've only noticed that NBAR "sees" some different Citrix packets.
I believe I recall, though, that the Citrix subtype was a later addition to their protocol, so if there were any earlier Citrix protocol packets, NBAR would then be unable to distinguish the kind of Citrix traffic. (I'm not current on Citrix platforms, would assume "Citrix 4.5" would use the later Citrix protocol.)
I also recall(?), Citrix NBAR subtype matching is only present in later NBAR variants. If correct, you might want to confirm what NBAR Citrix version is being used. (NB: also recall, there were NBAR PDLMs for earlier IOSs, but shouldn't be necessary in later IOSs.)
So to summarize the last two points, confirm all your Citrix packets do contain the subtype marking and that you're using the latest Citrix NBAR protocol matching version.
If you resolve or discover the cause of this issue, please post a follow-up.