back caretBlog

Exposing Citrix Latency Caused by VPN Overload

How one ExtraHop customer used network visibility to ensure availability for remote workers

With COVID-19 forcing employees out of the office and into remote work, many IT and security teams are feeling the burden of the sudden shift. That was the case for one ExtraHop customer, who, with the increase in remote workers due to COVID-19, had to dramatically increase the number of people using their Citrix VPN.

Within hours on the first day of the COVID "stay at home" mandate in France, large numbers of remote employees reported being unable to start some Citrix applications via the VPN. Clearly the sudden increase in users was causing issues, but it was difficult to tell which assets were being affected or why.

Using ExtraHop Reveal(x), the customer was able to gain visibility into the Citrix storefront servers, XenApp servers, and NetScaler devices running in their AWS environment. ExtraHop's Citrix dashboards showed a significant increase (from a few milliseconds to several seconds) in network latency and aborts.

Citrix latency over time

Upon looking into the detailed metrics of the ICA protocol, the customer was quickly able to identify which Citrix applications were slowing down, the users affected, the client devices initiating the sessions, and the XenApp servers in question.

Citrix latency by program

From there, the customer clicked down to the device TCP level in order to easily identify that the NetScaler devices were being overloaded with connection requests, as indicated by a significant increase in TCP retransmissions and zero windows.

Zero windows in TCP

They also noticed a peak in aborted SSL connections between these Citrix components. Because Reveal(x) decrypts PFS-encrypted TLS traffic in real time, the customer was able to see into their HTTP transactions in order to monitor errors and address long processing times.

Reveal(x) provides the visibility you need to go from detection to answers in a matter of clicks. We invite you to watch this short threat scenario runthrough to see a guided investigation in Reveal(x) in real time:

 

You can explore the Reveal(x) workflow for yourself in the full product demo, available for free online. Start your demo now!

ExtraHop Reveal(x) Live Activity Map

Stop Breaches 87% Faster

Investigate a live attack in the full product demo of ExtraHop Reveal(x), network detection and response, to see how it accelerates workflows.

Start Demo

Sign Up to Stay Informed