Meraki

Community

EAP-TLS over AutoVPN results in IP fragmentation issues

RaphaelL
Kind of a big deal
Kind of a big deal
‎Aug 10 2023 11:51 AM
‎Aug 10 2023 11:51 AM

EAP-TLS over AutoVPN results in IP fragmentation issues

Hi ,

 

We have some spokes with old adsl links with PPPoE so the WAN MTU is not 1500. 

Setup is fairly simple.  

2 MXs ( spoke and hub ) Cisco ISE is the AAA server behind the hub in DC.

We encountered some clients with issues with 802.1X auth as the packets were fragmented. I'm talking about IP fragmentation and not radius fragmentation.

 

Something like : 

RaphaelL_1-1691693155099.png

 

Hard capping the MX MTU to something lower ( eg : 1492 ) "fixes" this issue.

 

Could we have fixed this without clamping the MTU ? I hate doing that cause it affects all MX from the same AutoVPN domain ?

 

I have not directly worked on that issue , but I have a hard time understanding how/why is ISE not doing the IP reassembly. I mean,  IP frag is a nightmare , but shouldn't have been a problem here IF all packets were recevied ( I don't have that info right now )

 

@PhilipDAth Any insight ? 

 

Thanks , 

Labels:
0 Kudos
5 Replies 5
alemabrahao
Kind of a big deal
Kind of a big deal
‎Aug 10 2023 12:33 PM
‎Aug 10 2023 12:33 PM

What's your ISE version?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
RaphaelL
Kind of a big deal
Kind of a big deal
‎Aug 10 2023 12:40 PM
‎Aug 10 2023 12:40 PM

I don't manage the ISE server ( its another team ) but If my memory is right its either 3.1 or 3.2

0 Kudos
In response to alemabrahao
alemabrahao
Kind of a big deal
Kind of a big deal
‎Aug 10 2023 12:40 PM
‎Aug 10 2023 12:40 PM

One more question,
Are you balancing the links?

 

It is not uncommon to see RADIUS load balancing issues with EAP-TLS related to fragmentation. 

1) failure of load balancing to reassemble large RADIUS packets, for example, TLS with larger key sizes.

2) dropping of fragments by load balancer that are deemed too small.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
RaphaelL
Kind of a big deal
Kind of a big deal
‎Aug 10 2023 12:43 PM
‎Aug 10 2023 12:43 PM

That's one more thing to check when I get back from my vacation if LB ( F5 ) are dropping the fragmented packets. It is the only thing statefull in the path. No firewalls in that flow.

0 Kudos
ww
Kind of a big deal
Kind of a big deal
‎Aug 10 2023 1:49 PM
‎Aug 10 2023 1:49 PM

I also have seen issues on other type of servers and also azure doesnt like fragmented udp.

I would rather have a lower tunnel mtu then troubleshoot al the other issues you get from fragmenting vpn tunnels.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.