Hi All,
we have an issue on one of our DC gateways where 1812 traffic is being dropped with below error.
;[cpu_7];[fw4_0];fw_log_drop_ex: Packet proto=17 172.20.96.205:48118 -> 10.129.0.30:1812 dropped by asm_stateless_verifier Reason: UDP length error;
172.20.96.205 is behind another on site checkpoint gateway.
strangely even with the above drop on core gateway, the return traffic is being captured on the on site gateway as a reply from Radius. as per below tcpdump.
NAS ID Attribute (32), length: 24, Value: [|radius] [|radius]
15:33:39.394338 IP (tos 0x0, ttl 126, id 56172, offset 0, flags [none], proto: UDP (17), length: 1 18) 10.129.0.30.radius > 172.20.96.205.53058: RADIUS, length: 90
Access Challenge (11), id: 0x93, Authenticator: 7eda7b24c401acd95f9380277e0d94ae
Session Timeout Attribute (27), length: 6, Value: 30 secs
0x0000: 0000 001e
EAP Message Attribute (79), length: 8, Value: ..
0x0000: 011d 0006 0d20
State Attribute (24), length: 38, Value: [|radius]
0x0000: 61ba 086a 0000 0137 0001 1700 fe80 0000
0x0010: 0000 [|radius]
Users cannot authenticate and the Meraki displays multiple reasons for authentication failure as a default, rather than giving a definitive reason.
If onsite users connect via LAN, then the authentication works fine. but its only via one corp SSID that it does not work.
Now i know its pointing to the Meraki settings, but we have other sites with exactly the same scenario and going through the same core gateway without any issues. MTU, Radius, etc all settings match on all sites.
any one seen this issue or the drop reason above from core gateway?
Regards
Attiq