Citrix workspace failing when going through ZTNA segment application

Article ID: 381504

Updated On:

Products

Symantec ZTNA

Issue/Introduction

Cloud SWG is integrated with ZTNA so that managed devices running WSS Agent can access internal applications.

A ZTNA segment application is set up to handle all ports on a Citrix backend environment, because Citrix traffic uses multiple TCP ports on this host.

Citrix Workspace clients are unable to connect through ZTNA and receive application 'connectivity errors'.

The flow is as follows:

  • The user accesses Citrix StoreFront and successfully logs in
  • The user gets a page with all the resources they can use; after a resource is selected, Citrix creates an ICA file and downloads it to the client computer
  • The ICA file is executed and a session should be created between the Workspace client and the back end servers
  • The user never connects and eventually gets a connectivity error

Environment

Cloud SWG.

ZTNA.

Citrix Workspace.

Cause

TCP traffic is dropped on the client before being sent into the Cloud SWG tunnel.

Resolution

Reduce the MTU size on the back end Citrix servers using the 'net interface' command. This lowers the TCP MSS option advertised to the client, and the reduced payload into Citrix avoids any potential drops on the way.

Additional Information

PCAPs from a working versus a non-working trace show that the working trace sends a lot of larger TCP segments, which the non-working trace does not show.

Speculating that the MTU may be related to this, an attempt to lower the MTU on the Citrix client side failed.

Making the MTU change on the server side addressed the issue.
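
To check the effect of the server-side change in a capture, this added example (not part of the original article) reads the MSS option from each side's SYN and the largest TCP payload in a trace, so a trace taken before the MTU change can be compared with one taken after. The packets, addresses, ports and the 1300-byte MTU are constructed sample values; the functions expect raw IPv4 packets with the link-layer header already removed.

```python
import struct

def tcp_info(pkt):
    """Parse one raw IPv4 packet -> (is_syn, mss or None, payload_len), or None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None                                  # not IPv4 carrying TCP
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total_len]
    if len(tcp) < 20:
        return None                                  # truncated TCP header
    data_off = (tcp[12] >> 4) * 4
    opts, mss, i = tcp[20:data_off], None, 0
    while i < len(opts) and opts[i] != 0:            # kind 0 = end of options
        if opts[i] == 1:                             # kind 1 = NOP, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                                    # malformed option, stop
        if opts[i] == 2 and opts[i + 1] == 4 and i + 4 <= len(opts):
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]   # kind 2 = MSS
        i += opts[i + 1]
    return bool(tcp[13] & 0x02), mss, total_len - ihl - data_off

def summarize(packets):
    """MSS advertised in each sender's SYN, and the largest TCP payload seen."""
    mss_by_src, max_payload = {}, 0
    for pkt in packets:
        info = tcp_info(pkt)
        if info is None:
            continue
        is_syn, mss, plen = info
        if is_syn and mss is not None:
            mss_by_src[".".join(map(str, pkt[12:16]))] = mss
        max_payload = max(max_payload, plen)
    return {"mss": mss_by_src, "max_payload": max_payload}

def build(src, dst, flags, mss=None, payload_len=0):
    """Construct a sample IPv4/TCP packet (ports arbitrary, checksums zero)."""
    opts = struct.pack("!BBH", 2, 4, mss) if mss else b""
    tcp = struct.pack("!HHIIBBHHH", 50000, 443, 0, 0,
                      (5 + len(opts) // 4) << 4, flags, 65535, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + payload_len,
                     0, 0, 64, 6, 0, bytes(src), bytes(dst))
    return ip + tcp + bytes(payload_len)

# Constructed traces: addresses and the 1300-byte MTU are illustrative values.
CLIENT, SERVER = (192, 0, 2, 10), (198, 51, 100, 20)
def trace(server_mss):
    return [build(CLIENT, SERVER, 0x02, mss=1460),               # SYN
            build(SERVER, CLIENT, 0x12, mss=server_mss),         # SYN-ACK
            build(CLIENT, SERVER, 0x18, payload_len=min(1460, server_mss))]

BEFORE = summarize(trace(1460))   # server MTU 1500 -> MSS 1460
AFTER = summarize(trace(1260))    # server MTU 1300 -> MSS 1260
```

After the change, the server's SYN-ACK should carry the lower MSS and the client's largest segment toward the server should not exceed it.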