Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology

Seamless failover for Citrix ICA tunnel

We have a Citrix XenApp environment behind APM (11.6) deployed using Citrix iAPP template. APM acts as ICA proxy and we also employ WEB UI servers on the Citrix side of things. It looks like Citrix Receiver disconnects in the middle of the session in the event of Big-IP failing over from active to stand by. In terms of VS configuration we offloading SSL so we are unable to mirror the connections due to V11 limitations. We are also using "cookie" persistence profile with source IP as fallback. I am trying to understand what can be done to avoid Citrix Receiver dropping the connection in case of HA pair failing over. Has anyone been successful trying to achieve seamless fail over for Citrix ICA tunnel?

Rate this Question
Comments on this Question
Comment made 13-Jul-2016 by Arnaud Lemaire

Hello Alex, will try to find info but session reliability is something we support if we reverse proxy the web interface (no webtop).

Comment made 14-Jul-2016 by alex100 317

Hi. Any idea where such documentation can be found?

Comment made 24-Aug-2016 by alex100 317


Any update on the session reliability for ICA tunnel? I am under impression that in my case, in order to have a seamless failover, it is necessary to mirror the connection table. I understand that since we are offloading SSL on Big-IP we have to be able to mirror SSL connections which is only supported in version 12.X? Would your be able to confirm my theory?


Answers to this Question


Yes, SSL mirroring is supported in v12.* only. See: https://support.f5.com/kb/en-us/solutions/public/17000/300/sol17391.html .

If you can't/don't want to upgrade to v12.*, you can use connection mirroring instead, and the client normally should be able to re-negotiate an SSL connection of itself - unless you configure your service not to allow it, of course.

Comments on this Answer
Comment made 26-Aug-2016 by alex100 317

Unfortunately there seems to be a problem when you offload ssl on Big-IP. If you try to enable connection mirroring on VS that uses Server Sll Profile you will get a following message: 0107167f:6: Error configuring Virtual (/"partition"/"virtual_server_name"). Connection mirroring is not supported in combination with a Client SSL or Server SSL profile