Summary
This article describes an issue in which Cisco's NBAR (Network-Based Application Recognition) feature does not work and causes Citrix ICA connections to disconnect when a Citrix CloudBridge appliance is enabled for traffic acceleration.
Background
A customer reported in a case that ICA connections were intermittently disconnected when the Citrix CloudBridge appliance was enabled for traffic acceleration. After troubleshooting the issue, a Citrix engineer found that the customer used the following Cisco IOS command to classify and prioritize ICA traffic in their network:
class-map match-all CM-4-ICA
match protocol citrix
Compatibility between Cisco NBAR and Citrix CloudBridge Advanced ICA Acceleration
The preceding Cisco IOS command uses the Network-Based Application Recognition (NBAR) feature to match specific application traffic, such as Citrix ICA traffic, in the Cisco router QoS process. NBAR requires packet payload inspection, that is, inspection of data beyond the TCP header, to find the application-specific information used to match packets into the class map.
NBAR does not work when the Citrix CloudBridge appliance is enabled because the CloudBridge ICA acceleration process compresses the data beyond the TCP header. Because NBAR depends on that data, Citrix does not recommend using the NBAR feature of Cisco routers with Citrix CloudBridge Advanced ICA acceleration.
Cisco NBAR and Citrix CloudBridge version 4.x (formerly known as WANScaler)
Citrix CloudBridge version 4.x does not run Advanced ICA acceleration, and enabling compression in the ICA service class is not required. There is no obvious impact on Cisco's NBAR process if ICA is enabled for flow-control acceleration.
Cisco NBAR and Citrix CloudBridge version 5.x (formerly known as Repeater)
Citrix CloudBridge version 5.x runs Advanced ICA acceleration, which requires enabling compression in the ICA service class. Citrix recommends using a Cisco router access-list to work with Advanced ICA acceleration. Citrix XenApp / XenDesktop traffic is transported over either the ICA protocol at TCP port 1494 or CGP at TCP port 2598. You can configure a Cisco router access-list to match XenApp / XenDesktop traffic on those TCP ports. Following is a sample configuration:
class-map match-all CM-4-ICA
Cisco NBAR and Citrix CloudBridge version 6.x and 7.x
Citrix CloudBridge has included a new traffic-shaping feature since version 6.0. This feature enables you to set different values in the DSCP (Differentiated Services Code Point) field of the packet's IP header for XenApp / XenDesktop traffic. Citrix recommends using the CloudBridge traffic-shaping feature to classify XenApp / XenDesktop traffic, without relying on the Cisco router's NBAR or access-list to classify ICA traffic. For example, you can configure Citrix CloudBridge to set DSCP af41 for Single-Stream ICA traffic, and configure the router to assign QoS bandwidth for af41 traffic.
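The two router-side alternatives described above (port-based access-list matching for version 5.x, DSCP matching for versions 6.x and 7.x) can be sketched as follows. This is an added example, not configuration from the Citrix article; the ACL, class-map, policy-map and interface names and the bandwidth percentages are assumptions.

```cisco
! Added example, not from the Citrix article. All names, the interface and
! the bandwidth percentages below are assumptions chosen for illustration.
!
! Option A (CloudBridge 5.x): classify on TCP ports 1494 (ICA) and
! 2598 (CGP), which are read from the TCP header rather than the
! compressed payload that NBAR would need to inspect.
ip access-list extended ACL-ICA
 permit tcp any any eq 1494
 permit tcp any eq 1494 any
 permit tcp any any eq 2598
 permit tcp any eq 2598 any
!
class-map match-all CM-ICA-PORTS
 match access-group name ACL-ICA
!
policy-map PM-WAN-PORTS
 class CM-ICA-PORTS
  bandwidth percent 30
 class class-default
  fair-queue
!
! Option B (CloudBridge 6.x and 7.x): classify on the DSCP value that the
! CloudBridge traffic-shaping policy writes into the IP header.
class-map match-all CM-ICA-DSCP
 match dscp af41
!
policy-map PM-WAN-DSCP
 class CM-ICA-DSCP
  bandwidth percent 30
 class class-default
  fair-queue
!
! Attach exactly one of the two policies to the WAN-facing interface.
interface GigabitEthernet0/1
 service-policy output PM-WAN-DSCP
```

After applying a policy, the per-class packet counters in the output of show policy-map interface GigabitEthernet0/1 confirm whether ICA sessions are landing in the intended class instead of class-default.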

Cisco NBAR and Citrix CloudBridge Multistream ICA acceleration
CloudBridge appliances support the new Multistream ICA protocol feature in XenApp and XenDesktop. Instead of multiplexing all priorities over the same connection, up to four connections are used for the different ICA priorities between server and clients. You can configure Citrix CloudBridge to set a different DSCP value for each of those multi-stream ICA connections, and configure the router to assign different QoS bandwidth to traffic with those DSCP values, for example, 50% bandwidth for high priority traffic and 20% for low priority traffic.
class-map match-any CM-Multimedia
More information
CTX131001 - XenApp 6.5 - Implementing ICA MultiStream or MultiPort - Virtual Channel Groups and Priorities
CTX137167 - FAQ - Accelerating Multi-Stream ICA with Branch Repeater Appliance