Wireless access points MTU size

Don_Elledge
Here to help

We're experiencing an issue with UDP packets being dropped in our environment. Our RADIUS servers are hosted in Azure Government and are connected through a network segment that includes an IPsec tunnel. We suspect that the packet drops are due to fragmentation, likely caused by the size of the certificate chains. It appears Azure may be discarding these fragmented packets at the VPN gateway. Is there a backend method—outside of what's available in the Meraki dashboard—to set a global MTU on MR36 access points?

alemabrahao
Kind of a big deal

Meraki MR access points are 1500 bytes but you can't adjust them. I think you should consult Meraki support.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Mloraditch
Kind of a big deal

I highly suspect you may be suffering from this issue: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-tcpip-performance-tuning

"Azure, by default, drops fragmented packets that arrive at the VM out of order, meaning the packets don't match the transmission sequence from the source endpoint. This issue can occur when packets travel over the internet or other large WANs."

ISE has started documenting this officially as an issue. See slide 15 for a summary: https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2025/pdf/BRKSEC-2416.pdf

The workarounds in question are not usually easy to do unless you have a complete greenfield deployment.

Don_Elledge
Here to help

Agreed — that’s likely the root cause. That’s why I’m attempting to set the MTU at the access point level, so packets are generated smaller and arrive in proper sequence. However, when I try to apply the MTU using DHCP option 26, the Meraki core switch (which is acting as our DHCP server) appears to be malforming the option. See the image below for reference.

[Image: Screenshot 2025-06-26 093615.png]
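
DHCP option 26, which the post above refers to, is the Interface MTU option of RFC 2132: code 26, length 2, a 16-bit value of at least 68. The following is an added example (not part of any post in this thread, and not Meraki code) that checks the options field of a captured DHCP reply for a well-formed option 26; the function names and sample byte strings are constructed for illustration and do not reproduce the capture in the screenshot.

```python
import struct

MAGIC_COOKIE = bytes.fromhex("63825363")  # marks the start of the DHCP options field
OPT_PAD, OPT_END, OPT_INTERFACE_MTU = 0, 255, 26
MIN_MTU = 68  # RFC 2132 section 5.1: minimum legal value for option 26


def parse_options(field: bytes) -> dict:
    """Walk the code/length/value options that follow the magic cookie."""
    if field[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(field):
        code = field[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:  # Pad is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(field):
            raise ValueError(f"option {code}: truncated before length byte")
        length = field[i + 1]
        value = field[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: length {length} runs past end of field")
        opts[code] = value
        i += 2 + length
    raise ValueError("options field has no End (255) option")


def check_interface_mtu(field: bytes) -> tuple:
    """Return (ok, detail) for option 26 in a captured options field."""
    try:
        opts = parse_options(field)
    except ValueError as exc:
        return False, str(exc)
    raw = opts.get(OPT_INTERFACE_MTU)
    if raw is None:
        return False, "option 26 not present"
    if len(raw) != 2:
        return False, f"option 26 has length {len(raw)}, expected 2"
    (mtu,) = struct.unpack("!H", raw)
    if mtu < MIN_MTU:
        return False, f"option 26 value {mtu} is below the minimum of {MIN_MTU}"
    return True, f"interface MTU {mtu}"

# Constructed samples. GOOD: subnet mask (option 1), option 26 = 1300, End.
GOOD = MAGIC_COOKIE + bytes([1, 4, 255, 255, 255, 0, 26, 2]) + struct.pack("!H", 1300) + b"\xff"
# BAD_LEN: hypothetical malformation, MTU sent as ASCII text instead of 16 bits.
BAD_LEN = MAGIC_COOKIE + bytes([26, 4]) + b"1300" + b"\xff"
```

Feed it the bytes of the options field (starting at the magic cookie) exported from a packet capture of the DHCP offer or ACK.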

RaphaelL
Kind of a big deal

What MS version are you running?

Last time I tried (couple months ago) it was working fine.

[Image: RaphaelL_0-1750953091190.png]

cmr
Kind of a big deal

Hopefully it's not another CS/IOS DHCP bug...

MartinLL
Building a reputation

I ran into this issue for RADIUS in Azure as well. I was only able to apply mitigating configuration like making sure that ICMP is not blocked in the path and rely on PMTUD.

I also think Microsoft has solved the UDP fragmentation drop issue on newer hosting hardware. Maybe worth a support ticket.

MLL
Don_Elledge
Here to help

Thanks for the information. I’m going to open a support ticket with Microsoft as well. It’s frustrating that DHCP Option 26 isn’t working properly on Meraki — especially given how many limitations we’ve encountered with the FedRAMP Meraki cloud. We’ve also considered using RADSEC, but unfortunately, that hasn't worked reliably either. It’s been a bit of a headache.

PhilipDAth
Kind of a big deal

Is this for RADIUS authentication? If so ...

If you use Windows, I would try doing:

ping -f -l 1500 <ip in Azure>

Reduce the 1500 by 100 bytes at a time until it starts working. Now you know what size packets you can send.

Now subtract another 100 bytes (for good luck) and try setting the Framed-MTU attribute on your RADIUS server so the AP knows to fragment packets larger than this.

Failing that, try asking Meraki Support if they can configure the Framed-MTU attribute on the AP side. I don't know if they can, but it's worth a shot.

PhilipDAth
Kind of a big deal

Another option is that some IPSec gateways (on-premise) can forcibly fragment packets before encrypting them.  Does your IPSec gateway have any option like this?
