
Prioritizing Citrix on ASA 5555-X

tahscolony
Level 1

A week or so ago we had a driver update take place on ALL machines at once, which flooded the router/firewall with 800 MB of traffic. When this happened, VoIP over Citrix started dropping packets, causing call issues for order takers. Citrix connections are via HTTPS, encapsulating the VoIP for the softphones on the Citrix desktops, so SIP priority did not work.

What I am looking at now is to prioritize any and all HTTPS going to the load balancer that head ends the Citrix Farm. I think I have the correct configuration, but would like some feedback before I apply it, to prevent causing an outage when applied, and since I would need to see traffic similar to what we saw to fully test it, which, at this time of year, is what we want to avoid.

access-list Citrix-Priority extended permit tcp any host 192.168.160.138 eq 443

class-map Citrix-Priority
match access-list Citrix-Priority

policy-map Citrix
class Citrix-Priority
priority

service-policy Citrix interface outside

service-policy Citrix interface idmz

 

From what I remember, granted, YEARS ago when I did this all the time, the inbound packets coming in from outside that match the ACL would hit the priority bucket and be processed ahead of everything else, which "should" put all the Citrix traffic through to the internal DMZ interface the LB resides at. Will the second service policy interface even be needed since it's the inside and outside that were getting slammed? It was the outside interface dropping random packets causing this.

Is there a better method to do this? I used to work for an ISP and worked firewalls all day, every day, but it has been 8 years since I had the need to do traffic work on an ASA, as I no longer work for an ISP.


Divya Jain
Cisco Employee

Hi,

Please refer to this discussion:
https://community.cisco.com/t5/network-security/qos-for-citrix-traffic-over-over-traffic-in-asa-5505/td-p/2751353

This is a guide: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82310-qos-voip-vpn.html#anc19
You can use ports relevant to Citrix.




Regards,
Divya Jain
