
Starfish
Beginner

Packet fragmentation RADIUS

Hello,

We are using Cisco ISE in our environment. Branch offices try to authenticate using RADIUS, and the packets are 1800 bytes large, which leads the router to fragment the packets. Since the fragmented UDP packets do not have a header, this disturbs the QoS policies and puts the fragmented packets into the wrong class-map.

Is there a way to change this on Cisco ISE so that it does not send such big authentication packets? Or is there a way to add anything to the QoS policies to identify these fragmented UDP packets and put them in the same class-maps?

From the pcaps I found that the inbound packets arrive with lengths 1514 and 562, both with a DSCP value of CS0, but on the outbound interface towards the hub router, the packet gets fragmented as:

Length 1410 (af11), 138 (af11) and 562 (af41).

We checked the QoS policies, but all these packets should be hitting our default class, which is af11, and the last packet, 562, should not be converted to af41 at all.

I am posting this in the ISE forum to find out if there is any way ISE could lessen the packet length.

UDP packets are without headers, so it's difficult for us to classify and mark these fragmented packets in our policy map.

Looking forward to the answers and suggestions.

 

Thanks!!!
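The effect described in the question, where only the first IP fragment carries the UDP header, shown as an added example that is not part of the original post: a port-based classifier misses the trailing fragment, while one that remembers the first fragment's IP ID does not. Class names, addresses, and the 1400-byte MTU are constructed for illustration; 1812 is the standard RADIUS authentication port and is not stated in the thread.

```python
import struct

RADIUS_AUTH_PORT = 1812  # standard RADIUS auth port (assumption, not from the thread)

def build_ipv4(payload, ident, offset, more_frags):
    """Minimal 20-byte IPv4 header (DSCP CS0, checksum 0) + payload; constructed data."""
    flags_frag = (0x2000 if more_frags else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                       64, 17, 0, b"\x0a\x01\x01\x0a", b"\x0a\x02\x02\x14") + payload

def fragment(udp_datagram, ident, mtu):
    """Split a UDP datagram (header + data) into IPv4 fragments that fit the MTU."""
    step = (mtu - 20) // 8 * 8  # fragment payloads are multiples of 8 bytes
    return [build_ipv4(udp_datagram[o:o + step], ident, o, o + step < len(udp_datagram))
            for o in range(0, len(udp_datagram), step)]

def parse(pkt):
    """Fields a classifier can see; dport is None when no UDP header is present."""
    ihl = (pkt[0] & 0x0F) * 4
    ident, flags_frag = struct.unpack("!HH", pkt[4:8])
    offset = (flags_frag & 0x1FFF) * 8
    dport = None
    if pkt[9] == 17 and offset == 0:  # UDP header exists only at fragment offset 0
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return {"key": (pkt[12:16], pkt[16:20], pkt[9], ident),
            "offset": offset, "mf": bool(flags_frag & 0x2000), "dport": dport}

def classify_by_port(pkt):
    """Stateless port match: non-initial fragments fall through to 'default'."""
    return "RADIUS" if parse(pkt)["dport"] == RADIUS_AUTH_PORT else "default"

def classify_fragment_aware(pkts):
    """Remember the class of a first fragment by (src, dst, proto, IP ID); no expiry here."""
    seen, out = {}, []
    for pkt in pkts:
        f = parse(pkt)
        if f["dport"] is not None:
            cls = "RADIUS" if f["dport"] == RADIUS_AUTH_PORT else "default"
            if f["mf"]:
                seen[f["key"]] = cls
        else:  # a fragment arriving before its first fragment still gets 'default'
            cls = seen.get(f["key"], "default")
        out.append(cls)
    return out

def sample_fragments():
    """Constructed 1800-byte UDP datagram to port 1812, fragmented at a 1400-byte MTU."""
    udp = struct.pack("!HHHH", 50000, RADIUS_AUTH_PORT, 1800, 0) + b"\x00" * 1792
    return fragment(udp, ident=0x1234, mtu=1400)
```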

 

1 REPLY
hslai
Cisco Employee

CSCvf52213 integrated in ISE 2.4 Patch 2. Thus, you may try that release and configure MTU at ISE admin CLI.
