Pre-existing client connections handling with Full VPN


Article ID: CTX234401


Description

When a user establishes a VPN connection, pre-existing TCP connections continue working.

Example scenario: Per company policy, a client may connect only to private IP addresses when connected via VPN.
Split tunnel was set to OFF and the private IP only option was selected to enforce this requirement.

Observed behavior:
1. The client is connected to an online service using a client application.
2. The client establishes a VPN connection.
3. The client application connected to the online service continues to work unless it is closed and started again, in which case it won't work.

Requirement / Expectation:
When the client connects to the VPN, all applications connected to internet services should be terminated.

 

Resolution

To terminate existing connections, use the "Kill connections" option in the session profile. This forcefully terminates all pre-existing client connections when the VPN session is established.

Reference:
https://docs.citrix.com/ja-jp/netscaler/11/reference/netscaler-command-reference/vpn/vpn-sessionaction.html

<Snippet>

killConnections

Specify whether the NetScaler Gateway Plug-in should disconnect all preexisting connections, such as the connections existing before the user logged on to NetScaler Gateway, and prevent new incoming connections on the NetScaler Gateway Plug-in for Windows and MAC when the user is connected to NetScaler Gateway and split tunneling is disabled.

Possible values: ON, OFF

</Snippet>
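One way to audit a saved configuration for the gap described here, as an added example that is not part of the original article or Citrix tooling: it scans ns.conf-style text for session profiles that explicitly set `-splitTunnel OFF` without `-killConnections ON`. The profile names and sample configuration are constructed, and settings inherited from global VPN parameters are not resolved.

```python
import shlex

# Constructed sample in ns.conf syntax; profile names are hypothetical.
SAMPLE_NS_CONF = """\
add vpn sessionAction prof_fulltunnel -splitTunnel OFF -defaultAuthorizationAction ALLOW
add vpn sessionAction "prof hardened" -splitTunnel OFF -killConnections ON
add vpn sessionAction prof_split -splitTunnel ON
add vpn sessionAction prof_late_fix -splitTunnel OFF
set vpn sessionAction prof_late_fix -killConnections ON
"""


def parse_session_actions(conf_text):
    """Merge 'add'/'set vpn sessionAction' lines into {profile: {param: value}}."""
    profiles = {}
    for line in conf_text.splitlines():
        try:
            tokens = shlex.split(line)  # handles quoted profile names
        except ValueError:
            continue  # unbalanced quotes: not a line this audit can read
        if len(tokens) < 4 or tokens[0] not in ("add", "set"):
            continue
        if [t.lower() for t in tokens[1:3]] != ["vpn", "sessionaction"]:
            continue
        params = profiles.setdefault(tokens[3], {})
        args = tokens[4:]
        # Each "-param" is followed by its value; later lines override earlier ones.
        for i in range(len(args) - 1):
            if args[i].startswith("-"):
                params[args[i][1:].lower()] = args[i + 1].upper()
    return profiles


def missing_kill_connections(conf_text):
    """Profiles that set -splitTunnel OFF but not -killConnections ON."""
    return sorted(
        name
        for name, p in parse_session_actions(conf_text).items()
        if p.get("splittunnel") == "OFF" and p.get("killconnections") != "ON"
    )


if __name__ == "__main__":
    for name in missing_kill_connections(SAMPLE_NS_CONF):
        print(f"{name}: full tunnel, but pre-existing connections survive VPN login")
```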

 


Problem Cause

The VPN does not terminate existing connections by default. In other words, if an application maintains a persistent TCP connection, connecting to the VPN will not terminate that connection. However, if you close and relaunch the application, it won't work, because public IPs are not allowed over the VPN per the configured policy. This is the default behavior.