In investigating issues with users on GlobalProtect VPN not being able to connect to Citrix VDA servers, I bumped into this forum post. In investigating, I first disabled the Packet Based Attack Protection > IP Drop > Fragmented traffic option at Network > Network Profiles > Zone Protection > Profiles for GlobalProtect and the zone hosting the Citrix application.
While this didn’t solve the issue, performing a packet capture of the client attempting to connect to the host did now populate the ‘drop’ capture with Fragmented IP protocol traffic, as shown in the screenshot below.
This confirmed that the issue was MTU related and backed up the mention in the forum post about changing the MTU size in the ICA file that is pushed to the client.
Following the article “How to configure MSS when using EDT on networks with non-standard MTU”, with the MTU set to 1384, allowed the connection to go through as expected. The IP Drop for Fragmented traffic was then re-enabled and the client continued to be able to connect as expected.
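To check a capture for the same symptom, the sketch below decodes the IPv4 fragmentation fields and counts how many packets a UDP datagram becomes at the 1384-byte MTU used above. It is an added example, not part of the original post or of any vendor tooling; the header bytes are constructed, a 20-byte IPv4 header without options is assumed, and the sizes are plain IP/UDP arithmetic, not the value to put in the ICA file.

```python
import struct

def ipv4_frag_info(header: bytes) -> dict:
    """Decode the fragmentation fields of a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    total_len, ident, flags_off = struct.unpack("!HHH", header[2:8])
    mf = bool(flags_off & 0x2000)          # More Fragments flag
    offset = (flags_off & 0x1FFF) * 8      # offset is stored in 8-byte units
    return {"id": ident, "total_len": total_len, "proto": header[9],
            "df": bool(flags_off & 0x4000), "mf": mf, "offset": offset,
            "is_fragment": mf or offset > 0}

def fragments_needed(udp_payload: int, mtu: int, ip_hdr: int = 20) -> int:
    """IPv4 packets needed to carry one UDP datagram at this MTU."""
    datagram = udp_payload + 8             # add the UDP header
    last_max = mtu - ip_hdr                # the final fragment may be any size
    per_frag = last_max // 8 * 8           # earlier ones carry multiples of 8
    if datagram <= last_max:
        return 1
    return 1 + -(-(datagram - last_max) // per_frag)

def sample_header(total_len: int, ident: int, flags_off: int) -> bytes:
    """Constructed 20-byte IPv4/UDP header (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_off,
                       64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

# Constructed samples: a 1480-byte UDP datagram split at MTU 1384, followed
# by an unfragmented packet with Don't Fragment set.
SAMPLES = [
    sample_header(1380, 0x1234, 0x2000),   # first fragment, MF set
    sample_header(140, 0x1234, 170),       # last fragment, offset 170 * 8
    sample_header(1384, 0x1235, 0x4000),   # whole packet, DF set
]

if __name__ == "__main__":
    for hdr in SAMPLES:
        print(ipv4_frag_info(hdr))
    for size in (1356, 1357, 1472):
        print(size, "bytes of UDP payload ->", fragments_needed(size, 1384))
```

Packets reported with `is_fragment` true are the ones the zone protection IP Drop setting discards.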