ISE silently dropping packet

Madura Malwatte
Level 4

ISE 2.3 patch 5
I'm hitting this weird issue with ISE trying to get EAP-TLS with machine authentication working. 
During the initial EAP-TLS flow, ISE receives the client hello access-request packet from the NAD, then responds with the access-challenge that contains the server hello/certificate/server key exchange/etc. This is over 5 EAP-TLS fragments (5 IP packets). The NAD acknowledges these with access-requests without issue. Next the NAD sends an access-request with its certificate/client key exchange/change cipher spec/etc. At a RADIUS level the access-request looks to be fragmented over multiple packets, but the first fragment is fragmented at IP level as well, with 1518 bytes on the wire and another 419 bytes on the wire; together these make up the first access-request. Packet capture on the upstream device from ISE shows it forwarding both of these packets; however, packet capture on the ISE shows only the first "Fragmented IP protocol" packet. The remaining 419-byte packet needed to reassemble the access-request is not seen in the capture. Looks like the ISE is silently dropping this? Hence EAP-TLS times out and fails.
The first fragment of the access-request is more than 1500 bytes; is this the issue? It's funny that the larger fragmented packet is received but the following 419-byte one is not.
The data portion (RADIUS stuff) of the first fragment is 1480 bytes. Once you add the IP and Ethernet headers it will be at least 1514 bytes. Not sure why the NAD would send it this big when the MTU on the interface and globally is set to 1500 bytes.

6 Replies

paul
Level 10

Are the PSNs behind an F5 load balancer? If so, this is a known issue with the F5s. The F5s will drop packet fragments if they are too small.

No, they are not. I took a capture right in front of the PSNs on the ACI EPG where the PSN VMs reside. That capture shows both fragmented packets being forwarded, but the PSN never gets the 2nd fragment.

Adding to what Damien Miller and paul said,

I believe ISE will drop the 2nd packet if the DF bit is set.

Damien Miller
VIP Alumni

Your packet capture appears standard: you have a 1500-byte packet encapsulated with 14 bytes of header and a 4-byte CRC. The 1518 (or 1514 without the CRC captured) bytes is the frame you expect to see in a capture if you are adhering to traditional Ethernet and not adding VLAN, TrustSec, or MACsec information. This is not an issue.

I have not run 2.3 myself, but I know that with 2.1, 2.2 and 2.4 we received EAP-TLS fragments, and I do not recall having the issue you are facing. Relevant reading material for fragmented EAP with packet capture examples; give it a read and see if anything helps:
https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/118634-technote-eap-00.html

Usually I see fragmentation when EAP-TLS packets are traversing DMVPN/GRE encapsulated links.
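As an added illustration of the check this thread's symptom calls for (not code from the thread, from Cisco, or from ISE), the Python below parses the IPv4 fragmentation fields of raw packets and reports, per datagram ID, whether every fragment was seen, where the holes are, and whether the DF bit was set. The two constructed fragments approximate the thread's 1480-byte first fragment and 419-byte second frame (14 Ethernet + 20 IP + 385 payload bytes; sizes and addresses are assumed).

```python
import struct
from collections import defaultdict

IPV4_HDR = "!BBHHHBBH4s4s"  # minimal 20-byte IPv4 header

def parse_ipv4(packet: bytes) -> dict:
    """Extract the fields needed to track IP fragmentation."""
    ver_ihl, _, total_len, ident, flags_off, _, proto, _, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ident, "proto": proto, "src": src, "dst": dst,
            "df": bool(flags_off & 0x4000),          # Don't Fragment
            "mf": bool(flags_off & 0x2000),          # More Fragments
            "offset": (flags_off & 0x1FFF) * 8,      # fragment offset in bytes
            "payload_len": total_len - ihl}

def reassembly_report(packets) -> dict:
    """Group fragments by (src, dst, id, proto); report holes and a missing last fragment."""
    groups = defaultdict(list)
    for h in map(parse_ipv4, packets):
        if h["mf"] or h["offset"]:                   # unfragmented datagrams are ignored
            groups[(h["src"], h["dst"], h["id"], h["proto"])].append(h)
    report = {}
    for (_, _, ident, _), frags in groups.items():
        frags.sort(key=lambda h: h["offset"])
        expected, missing, has_last = 0, [], False
        for h in frags:
            if h["offset"] > expected:               # hole before this fragment
                missing.append((expected, h["offset"]))
            expected = max(expected, h["offset"] + h["payload_len"])
            has_last = has_last or not h["mf"]       # the last fragment has MF clear
        report[ident] = {"complete": has_last and not missing, "has_last": has_last,
                         "missing_ranges": missing, "bytes_seen": expected,
                         "df_set": any(h["df"] for h in frags)}
    return report

def make_fragment(ident: int, offset: int, payload: bytes, more: bool, df: bool = False) -> bytes:
    """Build a constructed IPv4/UDP fragment for the demo (checksum left zero)."""
    flags_off = (0x4000 if df else 0) | (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, flags_off, 64, 17, 0,
                      b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")   # constructed NAD -> PSN
    return hdr + payload

# Constructed Access-Request split as in the thread: 1480 payload bytes, then the
# 419-byte frame = 14 Ethernet + 20 IP + 385 payload bytes (sizes assumed).
FIRST = make_fragment(0x1234, 0, b"\x00" * 1480, more=True)
SECOND = make_fragment(0x1234, 1480, b"\x00" * 385, more=False)

def upstream_capture() -> dict:   # both fragments forwarded toward the PSN
    return reassembly_report([FIRST, SECOND])

def ise_capture() -> dict:        # only the first fragment seen on the PSN
    return reassembly_report([FIRST])
```

Running it over the IP layer of packets from both captures shows which hop loses the fragment: the upstream set reassembles completely, while the PSN-side set has no last fragment for that ID.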


mile.ljepojevic
Level 1

Hi, and sorry for asking this, but did you configure "IP MTU" on the SVI that is used as source-interface for RADIUS?
I had the same issue and this was fixed in 5 minutes with this command.