https://community.checkpoint.com/t5/Firewall-and-Security-Management/Radius-Authentication-failure/m-p/120547#M17107 <P>My guess is the length of the packet reported by the IP headers versus the actual length are...somehow different.<BR />Which suggests the packet is getting corrupted somehow in transit, or the Meraki is sending a corrupted packet.</P> Mon, 07 Jun 2021 22:20:56 GMT PhoneBoy 2021-06-07T22:20:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Radius-Authentication-failure/m-p/120416#M17071 <P>Hi All,</P><P>we have an issue on one of our DC gateways where 1812 traffic is being dropped with below error.</P><P><FONT color="#FF9900">;[cpu_7];[fw4_0];fw_log_drop_ex: Packet proto=17 172.20.96.205:48118 -&gt; 10.129.0.30:1812 dropped by asm_stateless_verifier Reason: UDP length error;</FONT></P><P>172.20.96.205 is behind another on site checkpoint gateway.&nbsp;</P><P>strangely even with the above drop on core gateway, the return traffic is being captured on the on site gateway as a reply from Radius. as per below tcpdump.</P><P><FONT color="#FF9900">NAS ID Attribute (32), length: 24, Value: [|radius] [|radius]</FONT><BR /><FONT color="#FF9900">15:33:39.394338 IP (tos 0x0, ttl 126, id 56172, offset 0, flags [none], proto: UDP (17), length: 1 18) 10.129.0.30.radius &gt; 172.20.96.205.53058: RADIUS, length: 90</FONT><BR /><FONT color="#FF9900">Access Challenge (11), id: 0x93, Authenticator: 7eda7b24c401acd95f9380277e0d94ae</FONT><BR /><FONT color="#FF9900">Session Timeout Attribute (27), length: 6, Value: 30 secs</FONT><BR /><FONT color="#FF9900">0x0000: 0000 001e</FONT><BR /><FONT color="#FF9900">EAP Message Attribute (79), length: 8, Value: ..</FONT><BR /><FONT color="#FF9900">0x0000: 011d 0006 0d20</FONT><BR /><FONT color="#FF9900">State Attribute (24), length: 38, Value: [|radius]</FONT><BR /><FONT color="#FF9900">0x0000: 61ba 086a 0000 0137 0001 1700 fe80 0000</FONT><BR /><FONT color="#FF9900">0x0010: 0000 [|radius]</FONT></P><P>Users cannot authenticate and the Meraki displays multiple reasons for authentication failure as a default, rather than giving a definitive reason.</P><P>If onsite users connect via LAN, then the authentication works fine. but its only via one corp SSID that it does not work.</P><P>Now i know its pointing to the Meraki settings, but we have other sites with exactly the same scenario and going through the same core gateway without any issues. MTU, Radius, etc all settings match on all sites.</P><P>any one seen this issue or the drop reason above from core gateway?</P><P>&nbsp;</P><P>Regards</P><P>Attiq</P> Sat, 05 Jun 2021 20:48:24 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Radius-Authentication-failure/m-p/120416#M17071 Attiq786 2021-06-05T20:48:24Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Radius-Authentication-failure/m-p/120547#M17107 <P>My guess is the length of the packet reported by the IP headers versus the actual length are...somehow different.<BR />Which suggests the packet is getting corrupted somehow in transit, or the Meraki is sending a corrupted packet.</P> Mon, 07 Jun 2021 22:20:56 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Radius-Authentication-failure/m-p/120547#M17107 PhoneBoy 2021-06-07T22:20:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Radius-Authentication-failure/m-p/120594#M17115 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;Thanks for the reply. I have been thinking the same about Meraki. I am capturing the packets when LAN clients authenticate and are successful then compare both captures. will share the output.</P> Tue, 08 Jun 2021 09:05:38 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Radius-Authentication-failure/m-p/120594#M17115 Attiq786 2021-06-08T09:05:38Z