Citrix traffic is dropped by IPS with log 'Citrix Enforcement Violation' when Security Gateway is running Gaia OS with 64-bit kernel
Symptoms
  • Citrix traffic is dropped by IPS with the following log in SmartView Tracker:

    Attack Name: Citrix Enforcement Violation
    Attack Information: Citrix parsing failed - this may be because the internal parsing buffer exceeded beyond internal limits
    Protection Name: Citrix ICA Protocol Enforcement


  • The issue occurs only on a Security Gateway on Gaia OS running with a 64-bit kernel (with a 32-bit kernel, the Citrix traffic passes).

  • If IPS protection 'Citrix ICA Protocol Enforcement' is set to 'Inactive' mode, then the Citrix traffic is still dropped, but there is no log in SmartView Tracker.

  • Kernel debug (fw ctl debug -m fw + citrix spii tcpstr) shows:

    ;spii_str_process_data_ex: is called with buffer size = 8, streaming type = 6, cdir = c2s;
    ;spii_str_process_data_ex: Connection: <Source_IP,Source_Port,Dest_IP,Dest_Port,6> ;
    ;spii_str_realloc_buffer: called with size 16392;
    ;spii_str_realloc_buffer: New buffer is too large 16392!;
    ;spii_str_read_data: Failed to realloc buffer, returning;
    ;spii_str_process_data_ex: Message is too big for buffer;
    ;ica_generate_log: Called;
    ;citrix_error_handler: Message exceeded allowed buffer size. size Size;
    ;citrix_error_handler: Error during citrix handlers, connection will be dropped;
    ;spii_str_psl_mt_process_data: Received SPII_STAT_STOP_AND_REJECT, returning PSL_STAT_STOP_AND_REJECT;
    ;psl_process_data: processing function for app 7[INSPECT_STREAMING_MT_0] returned STOP_AND_REJECT;
    ;psl_handle_status_and_action: stat=4;
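
To confirm that a saved kernel debug file shows this exact failure rather than some other Citrix drop, the following added example (not Check Point code) scans the output for the sequence above: buffer realloc refused, Citrix error handler, STOP_AND_REJECT. The function name, the sample IP addresses and ports, and the assumption that one connection's debug lines are contiguous are all introduced here for illustration.

```python
import re

# Patterns copied from the debug excerpt above; search() tolerates any line prefix.
CONN = re.compile(r"spii_str_process_data_ex: Connection: <([^>]+)>")
TOO_LARGE = re.compile(r"spii_str_realloc_buffer: New buffer is too large (\d+)!")
CITRIX_ERR = re.compile(r"citrix_error_handler: Error during citrix handlers")
REJECT = re.compile(r"returned STOP_AND_REJECT")

def find_citrix_buffer_drops(lines):
    """Return connections whose trace shows realloc refused, then the Citrix
    error handler, then STOP_AND_REJECT (hypothetical helper).
    Assumption: lines belonging to one connection are not interleaved."""
    findings, cur = [], None
    for line in lines:
        m = CONN.search(line)
        if m:  # a new connection block starts: reset the per-connection state
            cur = {"connection": m.group(1), "requested_size": None, "citrix_error": False}
        elif cur is None:
            continue
        elif (m := TOO_LARGE.search(line)):
            cur["requested_size"] = int(m.group(1))
        elif CITRIX_ERR.search(line):
            cur["citrix_error"] = True
        elif REJECT.search(line):
            if cur["requested_size"] is not None and cur["citrix_error"]:
                findings.append({"connection": cur["connection"],
                                 "requested_size": cur["requested_size"]})
            cur = None
    return findings

# Constructed sample: line formats from the excerpt above, addresses made up.
SAMPLE = """\
;spii_str_process_data_ex: is called with buffer size = 8, streaming type = 6, cdir = c2s;
;spii_str_process_data_ex: Connection: <192.0.2.11,50001,198.51.100.20,1494,6> ;
;spii_str_process_data_ex: is called with buffer size = 8, streaming type = 6, cdir = c2s;
;spii_str_process_data_ex: Connection: <192.0.2.10,51515,198.51.100.20,1494,6> ;
;spii_str_realloc_buffer: called with size 16392;
;spii_str_realloc_buffer: New buffer is too large 16392!;
;spii_str_read_data: Failed to realloc buffer, returning;
;citrix_error_handler: Error during citrix handlers, connection will be dropped;
;psl_process_data: processing function for app 7[INSPECT_STREAMING_MT_0] returned STOP_AND_REJECT;
""".splitlines()

if __name__ == "__main__":
    for f in find_citrix_buffer_drops(SAMPLE):
        print(f"{f['connection']}: realloc of {f['requested_size']} bytes refused")
```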
Solution