Citrix sessions through a Secure Gateway server are dropped after a couple of minutes. Users are working up until the connection drops.
This may only affect users at specific remote sites, and other sites or LAN users may be unaffected.
The following event appears in the event log:
Source: CtxSecGwy
Event ID: 3202
Description: CSG3202 Client IP [x.x.x.x:xxxxx] connection dropped, connection timed out
Set TCP Keepalives on the Secure Gateway Server to 15 seconds:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"KeepAliveTime"=dword:00003a98
The following setting may also assist:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"TcpMaxDataRetransmissions"=dword:00000010
As reducing the MTU may also assist:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interfaceGUID>
"MTU"=dword:
To determine the MTU run the following command from the remote site reducing the 1500 until the message "Packet needs to be fragmented but DF set." stops appearing.
ping <Secure Gateway IP> -f -l 1500
Add 28 to the final number (20 bytes for the IP header and 8 bytes for the ICMP echo request header), as the -l parameter is only the size of the embedded ICMP request (courtesy James Fields).
Also setting ICA KeepAlives on the Citrix Servers may assist:
HKLM\SYSTEM\CurrentControlSet\Control\Citrix
"ICAEnableKeepAlive"=dword:00000001
"ICAKeepAliveInterval"=dword:0000003c
KeepAliveTime
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime
Data type: REG_DWORD
Range: 0x1β0xFFFFFFFF (milliseconds)
Default value: 0x6DDD00 (7,200,000 milliseconds = 2 hours)
Description: Specifies how often TCP sends keep-alive transmissions. TCP sends keep-alive transmissions to verify that an idle connection is still active. This entry is used when the remote system is responding to TCP. Otherwise, the interval between transmissions is determined by the value of the KeepAliveInterval entry. By default, keep-alive transmissions are not sent. The TCP keep-alive feature must be enabled by a program (such as Telnet), or by an Internet browser (such as Internet Explorer).
KeepAliveInterval
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveInterval
Data type: REG_DWORD
Range: 0x1β0xFFFFFFFF (milliseconds)
Default value: 0x3E8 (1,000 milliseconds = 1 second)
Description: Specifies how often TCP repeats keep-alive transmissions when no response is received. TCP sends keep-alive transmissions to verify that idle connections are still active. This prevents TCP from inadvertently disconnecting active lines.
TcpMaxDataRetransmissions
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions
Data type: REG_DWORD
Range: 0x0β0xFFFFFFFF (retransmission attempts)
Default value: 0x5
Description: Specifies how many times TCP retransmits an unacknowledged data segment on an existing connection. TCP retransmits data segments until they are acknowledged or until this value expires. TCP/IP adjusts the frequency of retransmissions over time. TCP establishes an initial retransmission interval by measuring the round trip time on the connection. The interval doubles with each successive retransmission on a connection, and it is reset to the initial value when responses resume. This entry is also used in the Windows algorithm for defining non-operational (dead) gateways. A given connection defines a gateway as dead (and switches to the next gateway in the list in stored in the value of the DefaultGateway or DhcpDefaultGateway entries) when a packet sent to the gateway must be retransmitted more than half of the number of times specified in the value of this entry. The system defines a gateway as dead when more than 25 percent of its connections have switched to the next default gateway in the list.
MTU
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interfaceGUID>\MTU
Data type: REG_DWORD
Valid Range: 88βthe MTU of the underlying network
Default: 0xFFFFFFFF
Description: This parameter overrides the default Maximum Transmission Unit (MTU) for a network interface. The MTU is the maximum IP packet size, in bytes, that can be transmitted over the underlying network. For values larger than the default for the underlying network, the network default MTU is used. For values smaller than 88, the MTU of 88 is used.
Note: Windows Server 2003 TCP/IP uses PMTU detection by default and queries the network interface card driver to find out what local MTU is supported. Altering the MTU parameter is generally not necessary and may result in reduced performance.
Troubleshooting Disconnected Sessions in Secure Gateway
http://support.citrix.com/article/CTX435418