
Packet fragmentation RADIUS

Starfish
Level 1

Hello,

We are using Cisco ISE in our environment. Branch offices try to authenticate using RADIUS, and the packets are 1800 bytes large, which leads the router to fragment the packets. Since the fragmented UDP packets do not have a header, it disturbs the QoS policies and puts the fragmented packets into the wrong class-map.

Is there a way to change this on Cisco ISE to not send such big authentication packets? Or is there a way to add anything in the QoS policies to identify these fragmented UDP packets and put them in the same class-maps?

From the pcaps I found that inbound packet arrives with length 1514 and 562 both with DSCP value of CS0, but on the outbound interface towards the hub router, packet gets fragmented as:

Length 1410 (af11), 138 (af11) and 562 (af41).

We checked the QoS policies, but all these packets should be hitting our default class, which is af11, and the last packet (562) should not be converted to af41 at all.

I am posting this in the ISE forum to know if there is any way ISE could lessen the packet length?

UDP packets are without headers, so it's difficult for us to classify and mark these fragmented packets in our policy map.

Looking forward to the answers and suggestions.

 

Thanks!!!

 

1 Reply

hslai
Cisco Employee

CSCvf52213 is integrated in ISE 2.4 Patch 2. Thus, you may try that release and configure the MTU at the ISE admin CLI.
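An added worked example (not written by either poster and not Cisco code) that reproduces the outbound frame lengths quoted in the question, 1410, 138 and 562, by re-fragmenting the two inbound fragments, and shows that only the fragment at offset 0 carries the UDP ports a port-based class-map can match. It assumes a 14-byte Ethernet header, a 20-byte IPv4 header without options and an egress IP MTU of 1400 bytes; none of these values is stated in the thread.

```python
# Added illustration. Header sizes and the 1400-byte MTU are assumptions,
# not values taken from the thread.
ETH_HDR = 14   # Ethernet II header, no VLAN tag (assumed)
IP_HDR = 20    # IPv4 header without options (assumed)
UDP_HDR = 8    # UDP header, present only at the start of the datagram


def refragment(frag, mtu):
    """Split one IPv4 fragment (offset, payload_len, more_fragments) to fit mtu."""
    offset, length, mf = frag
    if IP_HDR + length <= mtu:
        return [frag]                      # fits, forwarded unchanged
    # Every fragment except the last must carry a multiple of 8 payload bytes.
    chunk = (mtu - IP_HDR) // 8 * 8
    out = []
    while length > chunk:
        out.append((offset, chunk, True))
        offset += chunk
        length -= chunk
    out.append((offset, length, mf))       # last piece inherits the original MF bit
    return out


def egress(fragments, mtu):
    """Apply refragment() to every fragment arriving at the router."""
    return [piece for frag in fragments for piece in refragment(frag, mtu)]


def frame_len(frag):
    """On-wire Ethernet frame length for a fragment."""
    return ETH_HDR + IP_HDR + frag[1]


def has_l4_header(frag):
    """Only the fragment at offset 0 contains the UDP header (the ports)."""
    return frag[0] == 0 and frag[1] >= UDP_HDR


# Constructed input matching the inbound capture in the question:
# frames of 1514 and 562 bytes, i.e. IP payloads of 1480 and 528 bytes.
INBOUND = [(0, 1480, True), (1480, 528, False)]

if __name__ == "__main__":
    for frag in egress(INBOUND, mtu=1400):
        print(f"frame={frame_len(frag):5d} offset={frag[0]:5d} "
              f"MF={int(frag[2])} udp_ports_visible={has_l4_header(frag)}")
```

Under these assumptions the 1410-byte frame is the only one in which a classifier can read the RADIUS UDP port; the 138-byte and 562-byte frames expose only IP-layer fields such as addresses, protocol number and DSCP.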
