ISE - EAP-TLS - MTU Fragmentation

TimJenkins, Level 1

Hi, I am having a major problem trying to get 802.1X / EAP-TLS working over one of our new remote links. I'm thinking it's related to the MTU size and packet fragmentation. Wireshark shows "Fragmented IP protocol" during the EAP challenge, and ISE reports "Supplicant stopped responding to ISE during EAP-TLS certificate exchange (Step latency=120000 ms)".

I've tried lowering the MTU on the Meraki AP management SVI, I've lowered the Framed-MTU attribute (12) down to 1002 on ISE, and I've tried setting a low MTU via DHCP Option 26 for the Access Points. Nothing seems to help with the fragmentation.

This works for remote users across all our other MPLS links, but this new site is served by a LAN extension and our WAN provider has stated it supports a maximum MTU of 1536.

Any other clues as to what I could try?

4 Replies

Tomorrow I will send you some points to check.

@TimJenkins

Faced a similar issue in the past. ISE, F5 load balancer, Check Point firewall, SD-WAN router, link, site.

We changed MTU everywhere and no luck.

The problem was in the IPS we had in the data center.

Greg Gibbs, Cisco Employee

For more information about RADIUS fragmentation see the following doc:

https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/220576-eap-fragmentation-implementations-and-be.html

With Windows, it is impossible to avoid IP fragmentation with EAP-TLS due to the large payload size and the fact that the Windows supplicant uses a hard-coded EAP message size of 1470 bytes. Due to the size of the UDP fragments, it is common for them to arrive out of sequence, so anything in the path that drops or has issues with out-of-sequence UDP fragments will prevent the full handshake from completing.

You will likely need to look at everything in the path between the network device and the ISE PSNs and do packet captures wherever possible to compare and confirm where the fragments are getting dropped.
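To make the "capture at each hop and compare" step concrete, here is an added example (not from this thread or from Cisco): a small pure-Python audit that groups IPv4 fragments by (src, dst, ID, protocol) and reports datagrams that can never be reassembled, i.e. the ones a hop in the path dropped. The packets, the addresses 10.0.0.5 (ISE) and 10.20.30.40 (AP), and the 1600-byte RADIUS payload are all constructed inline; in practice you would feed it the raw IPv4 packets from a capture taken at each point between the NAD and the PSN.

```python
import struct
from ipaddress import ip_address

IPV4_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options

def build_ipv4_fragment(src, dst, ident, offset_bytes, more_fragments, payload, proto=17):
    """Build one IPv4 fragment (header checksum left at 0: these are only parsed, never sent)."""
    assert offset_bytes % 8 == 0, "fragment offsets are in 8-byte units"
    flags_frag = ((1 if more_fragments else 0) << 13) | (offset_bytes // 8)
    header = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0,
                         ip_address(src).packed, ip_address(dst).packed)
    return header + payload

def parse_ipv4(pkt):
    """Extract the fields needed for fragment tracking from a raw IPv4 packet."""
    ver_ihl, _, total_len, ident, flags_frag, _, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"key": (str(ip_address(src)), str(ip_address(dst)), ident, proto),
            "offset": (flags_frag & 0x1FFF) * 8, "more": bool(flags_frag & 0x2000),
            "len": total_len - ihl}

def find_incomplete_datagrams(packets):
    """Report fragmented datagrams that cannot be reassembled from this capture.
    A datagram is complete only when the final fragment (MF=0) was seen and the fragments'
    byte ranges cover 0..end without a gap; arrival order does not matter."""
    groups = {}
    for pkt in packets:
        f = parse_ipv4(pkt)
        if f["offset"] == 0 and not f["more"]:
            continue  # unfragmented packet, nothing to track
        g = groups.setdefault(f["key"], {"ranges": [], "end": None})
        g["ranges"].append((f["offset"], f["offset"] + f["len"]))
        if not f["more"]:
            g["end"] = f["offset"] + f["len"]
    incomplete = {}
    for key, g in groups.items():
        covered = 0
        for start, stop in sorted(g["ranges"]):
            if start > covered:
                break  # hole: a middle fragment is missing
            covered = max(covered, stop)
        if g["end"] is None or covered < g["end"]:
            incomplete[key] = {"got_bytes": covered, "expected": g["end"]}
    return incomplete

ISE, AP = "10.0.0.5", "10.20.30.40"  # constructed addresses
# Constructed stand-in for a RADIUS Access-Challenge carrying EAP-TLS certificate data:
# a 1600-byte UDP payload, which a 1500-byte MTU splits into 1480 + 120 byte fragments.
radius_udp = b"\x0b" + b"\x00" * 1599  # RADIUS code 11 = Access-Challenge, rest is filler

def frags(ident):
    return [build_ipv4_fragment(ISE, AP, ident, 0, True, radius_udp[:1480]),
            build_ipv4_fragment(ISE, AP, ident, 1480, False, radius_udp[1480:])]

# 0x1001 complete, 0x1002 lost its tail fragment, 0x1003 complete but arrived out of order.
CAPTURE = frags(0x1001) + frags(0x1002)[:1] + frags(0x1003)[::-1]

if __name__ == "__main__":
    for key, info in find_incomplete_datagrams(CAPTURE).items():
        print(f"{key[0]} -> {key[1]} id=0x{key[2]:04x}: got {info['got_bytes']} bytes, expected {info['expected']}")
```

Running it at two capture points and diffing the reported IDs shows which hop is losing fragments; a datagram listed on the ISE side but complete on the NAD side points at the devices in between.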

TimJenkins, Level 1

We've had a TAC case raised, and the Wireshark traces indicate that MTU / fragmentation doesn't appear to be the problem. Cisco TAC reckon the client isn't sending its certificate, which is really odd as when the same PC goes to another site it works fine.

No Firewalls / IPS / inspection devices between the AP and ISE.  Upgraded IOS on switches, still no luck.