Any Citrix gurus here?

Burble · 06-10-2010, 09:23

In December 2009 my company was acquired and on Monday this week we went live on the ERP from the new parent company. They're using JDEdwards Enterprise One running on a Citrix farm.

At the moment we're running 2 separate WAN's. Theirs is MPLS, ours is IPSec VPN (with EIGRP, GRE and so on). I setup an interconnect through their office in Eindhoven back in January so we have full routing from all of their sites to all of ours.

The interconnect itself is just an extension of my IPSec VPN that distributes routes to their network back to us over EIGRP and advertises itself as a valid route to our networks over BGP to their WAN.

Now the problem. We're seeing frequent disconnections to the Citrix farm from the IPSec WAN clients. The Citrix farm is on an MPLS node. Latency, jitter, throughput and so on look fine to me so I'm looking to Citrix.

Does anyone know what sort of size packets Citrix chucks out? Because of the overhead of IPSec we're running a 1400 byte MTU over the IPSec WAN so I'm wondering if the disconnections and freezing are down to packet fragmentation?

There's nobody in the other company that even knows what MTU stands for and they're refusing to accept that their Citrix farm is anything less than 100% perfect so I'm having to fault find this pretty much blind.

Other traffic over the interconnect isn't having a problem, we've got a pretty much continual flow of SMTP and print jobs.

I should say that we're part way through getting a new MPLS WAN installed but until that is done we're kinda stuck with this and the 2 offices that are suffering most are having delays on the new tails because Deutche Telekom seem to have nobody available for 6 weeks to pull some fibre in. I expect we're stuck with this situation for another 2 months or so, so I'm keen to find a way around it.

Ideas are appreciated!

Mark · 06-10-2010, 21:34

No help at all but that sounds just like our network - MPLS, IPSec, Citrix, and all. We've also had problems across our MPLS to IPSec interconnect (I've encountered latency and sporadic VPN disconnects), but I don't use the Citrix farm so don't know if they've been trouble (and they're on the IPSec side in our case).

The sooner we get an MPLS WAN across all our sites, the better. Spookily, similar timescale to yours for that, too.

Burble · 06-10-2010, 21:51

I found this link which seems to describe the problem quite well.

I'm going to roll out some router config changes tonight that'll force the DF bit in the IP header so that should help.

The MPLS rollout is going good so far bar the inevitable delays on tails and so on. Friday last week I setup the interconnect between the current MPLS network, current IPSec network and the new MPLS network and bar a small access list mistake (32 bit subnet mask rather than 24 bit subnet mask) it went well and we've got full routing over all 3 networks

06-10-2010, 09:23	#1
Burble Rocket Fuel Join Date: Jul 2006 Posts: 7,826	Any Citrix gurus here? In December 2009 my company was acquired and on Monday this week we went live on the ERP from the new parent company. They're using JDEdwards Enterprise One running on a Citrix farm. At the moment we're running 2 separate WAN's. Theirs is MPLS, ours is IPSec VPN (with EIGRP, GRE and so on). I setup an interconnect through their office in Eindhoven back in January so we have full routing from all of their sites to all of ours. The interconnect itself is just an extension of my IPSec VPN that distributes routes to their network back to us over EIGRP and advertises itself as a valid route to our networks over BGP to their WAN. Now the problem. We're seeing frequent disconnections to the Citrix farm from the IPSec WAN clients. The Citrix farm is on an MPLS node. Latency, jitter, throughput and so on look fine to me so I'm looking to Citrix. Does anyone know what sort of size packets Citrix chucks out? Because of the overhead of IPSec we're running a 1400 byte MTU over the IPSec WAN so I'm wondering if the disconnections and freezing are down to packet fragmentation? There's nobody in the other company that even knows what MTU stands for and they're refusing to accept that their Citrix farm is anything less than 100% perfect so I'm having to fault find this pretty much blind. Other traffic over the interconnect isn't having a problem, we've got a pretty much continual flow of SMTP and print jobs. I should say that we're part way through getting a new MPLS WAN installed but until that is done we're kinda stuck with this and the 2 offices that are suffering most are having delays on the new tails because Deutche Telekom seem to have nobody available for 6 weeks to pull some fibre in. I expect we're stuck with this situation for another 2 months or so, so I'm keen to find a way around it. Ideas are appreciated!

06-10-2010, 21:34	#2
Mark Screaming Orgasm Join Date: Jul 2006 Location: Newbury Posts: 15,194	No help at all but that sounds just like our network - MPLS, IPSec, Citrix, and all. We've also had problems across our MPLS to IPSec interconnect (I've encountered latency and sporadic VPN disconnects), but I don't use the Citrix farm so don't know if they've been trouble (and they're on the IPSec side in our case). The sooner we get an MPLS WAN across all our sites, the better. Spookily, similar timescale to yours for that, too.

06-10-2010, 21:51	#3
Burble Rocket Fuel Join Date: Jul 2006 Posts: 7,826	I found this link which seems to describe the problem quite well. I'm going to roll out some router config changes tonight that'll force the DF bit in the IP header so that should help. The MPLS rollout is going good so far bar the inevitable delays on tails and so on. Friday last week I setup the interconnect between the current MPLS network, current IPSec network and the new MPLS network and bar a small access list mistake (32 bit subnet mask rather than 24 bit subnet mask) it went well and we've got full routing over all 3 networks