[Citrix Gateway VPN] Cannot access intranet applications in VPN over Proxy environment


Article ID: CTX465119


Description

When you connect to Citrix Gateway VPN, you may observe that the VPN is established successfully but internal applications/networks cannot be accessed. This happens when both of the following conditions are met: 

  • The client has a proxy configured and the VPN connection goes through the proxy. 
  • The client PC has an interface IP in the 169.254.0.0/16 subnet (usually seen when it cannot obtain an IP from the DHCP server).

Resolution

The basevip (169.254.8.8) cannot be changed in a proxy environment. 169.254.0.0 is an undefined IP subnet and shouldn't be used. Citrix suggests that you fix the DHCP server. 

As a workaround, you can remove the incorrect route and create the correct one: 
> route delete 169.254.8.8
> route add 169.254.8.8 mask 255.255.255.255 <Gateway_IP>
You can also create a BAT script to do the job automatically by configuring "Logon Script" in VPN session profile. 
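
The workaround above, made conditional so it can run as a logon script (an added example written in PowerShell rather than BAT, not a Citrix-supplied script): it touches the route table only when the host route to the basevip 169.254.8.8 is on-link on a 169.254.x.y interface. Taking `<Gateway_IP>` to be the next hop of the lowest-metric IPv4 default route, the `-Apply` switch and the variable names are assumptions of this example.

```powershell
# Added example, not Citrix code. Run elevated, after VPN logon.
# Assumption: <Gateway_IP> is the next hop of the best IPv4 default route.
param([switch]$Apply)      # without -Apply the script only reports

$BaseVip = '169.254.8.8'   # dummy basevip reported in the plugin log

# Interfaces that hold an address in 169.254.0.0/16
$apipaIf = @(Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Where-Object { $_.IPAddress -like '169.254.*' } |
    Select-Object -ExpandProperty InterfaceIndex)

# A next hop of 0.0.0.0 is what "route print" displays as On-link
$onLink = @(Get-NetRoute -AddressFamily IPv4 -DestinationPrefix "$BaseVip/32" `
        -ErrorAction SilentlyContinue |
    Where-Object { $_.NextHop -eq '0.0.0.0' -and $_.InterfaceIndex -in $apipaIf })

if ($onLink.Count -eq 0) {
    Write-Output "No on-link route to $BaseVip on a 169.254.x.y interface; nothing to do."
    return
}
$onLink | ForEach-Object {
    Write-Output "On-link route to $BaseVip found on ifIndex $($_.InterfaceIndex)"
}

# Pick the gateway from a default route that is not on a 169.254.x.y interface
$default = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' `
        -ErrorAction SilentlyContinue |
    Where-Object { $_.NextHop -ne '0.0.0.0' -and $_.InterfaceIndex -notin $apipaIf } |
    Sort-Object { $_.RouteMetric + $_.InterfaceMetric } |
    Select-Object -First 1

if (-not $default) {
    Write-Warning 'No IPv4 default gateway found; leaving the route table unchanged.'
    return
}
$gw = $default.NextHop

if ($Apply) {
    # Same two commands as the manual workaround
    route.exe delete $BaseVip
    route.exe add $BaseVip mask 255.255.255.255 $gw
} else {
    Write-Output "Would run: route delete $BaseVip"
    Write-Output "Would run: route add $BaseVip mask 255.255.255.255 $gw"
}
```

Run it once without `-Apply` on an affected client to confirm the detected gateway matches the expected `<Gateway_IP>` before using it as a logon script.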
 

Problem Cause

Citrix VPN Plugin creates routes to VIP automatically after logon. If Proxy is enabled, VPN plugin will use 169.254.8.8 as a dummy VPN basevip:

04:22:21.754 | VERBOSE | PROXY_SERVER=a.b.c.d:8080
...
04:22:21.754 | VERBOSE | Using 169.254.8.8 as basevip


If an interface also has an IP in the 169.254.0.0/16 network, the OS adds an unexpected on-link route for the basevip on that interface. This route forwards the subsequent VPN tunnel traffic to the wrong interface. 

169.254.8.8 255.255.255.255 On-link 169.254.x.y 15   //169.254.x.y is the IP address of local interface


Correct route should be: 

169.254.8.8 255.255.255.255 <Local_IP_has_gateway> <Gateway_IP> 15

Issue/Introduction

This article describes an issue where users can log on to the VPN but cannot access applications through it.