Attiq786
Participant

Radius Authentication failure

Hi All,

We have an issue on one of our DC gateways where 1812 traffic is being dropped with the below error.

;[cpu_7];[fw4_0];fw_log_drop_ex: Packet proto=17 172.20.96.205:48118 -> 10.129.0.30:1812 dropped by asm_stateless_verifier Reason: UDP length error;

172.20.96.205 is behind another on-site Check Point gateway.

Strangely, even with the above drop on the core gateway, the return traffic is being captured on the on-site gateway as a reply from RADIUS, as per the below tcpdump.

NAS ID Attribute (32), length: 24, Value: [|radius] [|radius]
15:33:39.394338 IP (tos 0x0, ttl 126, id 56172, offset 0, flags [none], proto: UDP (17), length: 118) 10.129.0.30.radius > 172.20.96.205.53058: RADIUS, length: 90
Access Challenge (11), id: 0x93, Authenticator: 7eda7b24c401acd95f9380277e0d94ae
Session Timeout Attribute (27), length: 6, Value: 30 secs
0x0000: 0000 001e
EAP Message Attribute (79), length: 8, Value: ..
0x0000: 011d 0006 0d20
State Attribute (24), length: 38, Value: [|radius]
0x0000: 61ba 086a 0000 0137 0001 1700 fe80 0000
0x0010: 0000 [|radius]

Users cannot authenticate and the Meraki displays multiple reasons for authentication failure as a default, rather than giving a definitive reason.

If on-site users connect via LAN, then the authentication works fine, but it's only via one corp SSID that it does not work.

Now I know it's pointing to the Meraki settings, but we have other sites with exactly the same scenario going through the same core gateway without any issues. MTU, RADIUS, etc.: all settings match on all sites.

Has anyone seen this issue or the drop reason above from the core gateway?


Regards

Attiq

PhoneBoy
Admin

My guess is the length of the packet reported by the IP headers versus the actual length are...somehow different.
Which suggests the packet is getting corrupted somehow in transit, or the Meraki is sending a corrupted packet.

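As an added illustration of the kind of header-consistency check behind a "UDP length error" drop (example code written for this thread, not Check Point's implementation; the real verifier's logic is not documented here), the following builds IPv4/UDP datagrams and flags the case PhoneBoy describes, where the IP total length and the UDP header's own length field disagree. Addresses, TTL, IP id and the 90-byte RADIUS size are taken from the tcpdump above; the payload bytes are constructed.

```python
import struct

def build_ipv4_udp(src, dst, sport, dport, payload,
                   udp_len_override=None, ip_total_override=None):
    """Build a minimal IPv4+UDP datagram (checksums left zero; they are not
    part of the length check). The overrides let us forge inconsistent headers."""
    udp_len = udp_len_override if udp_len_override is not None else 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    total = ip_total_override if ip_total_override is not None else 20 + len(udp)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total, 56172, 0, 126, 17, 0,   # ver/ihl, tos, len, id, frag, ttl, proto=UDP, csum
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return ip + udp

def stateless_udp_check(packet):
    """Return None if the UDP length fields are consistent, else a drop reason.
    Assumed rule (illustrative): IP total length must fit in the frame, and the
    UDP length field must be >= 8 and equal the IP payload length (total - IHL)."""
    if len(packet) < 20:
        return "truncated IP header"
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 17:                       # not UDP, nothing to verify here
        return None
    if total_len > len(packet) or ihl + 8 > total_len:
        return "UDP length error"             # IP claims more bytes than exist, or no room for a UDP header
    udp_len = struct.unpack("!H", packet[ihl + 4:ihl + 6])[0]
    if udp_len < 8 or udp_len != total_len - ihl:
        return "UDP length error"             # UDP header disagrees with the IP header
    return None

# Constructed RADIUS Access-Challenge-sized reply: 90 bytes of UDP payload
# -> UDP length 98, IP total length 118, matching the tcpdump line above.
RADIUS_REPLY = b"\x0b\x93" + bytes(88)
SRC, DST = "10.129.0.30", "172.20.96.205"

def good_packet():
    return build_ipv4_udp(SRC, DST, 1812, 53058, RADIUS_REPLY)

def bad_udp_field():
    # UDP header still says 98 bytes, but only 60 bytes of payload survived transit.
    return build_ipv4_udp(SRC, DST, 1812, 53058, bytes(60), udp_len_override=98)

def bad_ip_total():
    # IP header says 118 bytes, but the frame carries only 88.
    return build_ipv4_udp(SRC, DST, 1812, 53058, bytes(60), ip_total_override=118)
```

Running `stateless_udp_check` over a capture of the failing SSID's traffic next to the working LAN capture would show which header field is the one that no longer agrees.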
Attiq786
Participant

@PhoneBoy Thanks for the reply. I have been thinking the same about Meraki. I am capturing the packets when LAN clients authenticate and are successful, then comparing both captures. Will share the output.
