Radius authentication issues on ION Devices

Created On 01/24/25 13:06 PM - Last Modified 12/17/25 23:41 PM


Symptom


  • RADIUS failures after a reboot, power outage or other network event.
    RADIUS runs over UDP. This could affect other UDP-based protocols.
  • A packet capture close to the source host reveals that the packet is either fragmented or too big, usually larger than the 1500-byte MTU
  • Packet capture at the farthest ION's LAN interface from the source host shows the ION is truncating the packet:
    15:27:12.618318 IP (tos 0x0, ttl 62, id 0, offset 0, flags [+], proto GRE (47), length 1500)
    10.0.37.1 > 10.0.37.10: GREv0, Flags [none], length 1480
    IP truncated-ip - 8 bytes missing! (tos 0x0, ttl 62, id 94, offset 0, flags [+], proto UDP (17), length 1484) <----
    10.28.0.10.2918 > 192.168.33.1.12345: UDP, bad length 1800 > 1456


Environment


  • Prisma SD-WAN
  • ION devices


Cause


The GRE tunnel interface MTU on the DC ION was configured incorrectly: it was set to a value >1472.

 



Resolution


  1. Reduce the GRE tunnel interface MTU at the DC ION to 1472, which aligns with the default setting and prevents packet truncation due to MTU mismatch. To change the MTU, select the ION device, click the interface tab, select the interface, and click Advanced Settings.
  2. Any GRE tunnel interface configured on an ION cannot have an MTU size >= 1472, as this would not leave enough space for tunnel headers.
  3. This also applies to IPsec interfaces, where the recommendation is to stick with the default values.
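
To check a capture for the symptom described above, the following Python script scans `tcpdump -v` text for truncated inner packets inside GRE frames and compares the inner length with the 1472-byte tunnel MTU from the Resolution. It is an added example, not part of the original article or any Palo Alto Networks tooling; the function and field names are hypothetical, and it assumes the 4-byte base GRE header that `Flags [none]` indicates.

```python
import re

# tcpdump -v lines quoted in the Symptom section of this article.
SAMPLE = """\
15:27:12.618318 IP (tos 0x0, ttl 62, id 0, offset 0, flags [+], proto GRE (47), length 1500)
10.0.37.1 > 10.0.37.10: GREv0, Flags [none], length 1480
IP truncated-ip - 8 bytes missing! (tos 0x0, ttl 62, id 94, offset 0, flags [+], proto UDP (17), length 1484) <----
10.28.0.10.2918 > 192.168.33.1.12345: UDP, bad length 1800 > 1456
"""

RECOMMENDED_GRE_MTU = 1472  # value given in the Resolution section
GRE_BASE_HEADER = 4         # assumption: GRE header without optional fields

GRE_RE = re.compile(r"GREv0, Flags \[(?P<flags>[^\]]*)\], length (?P<len>\d+)")
TRUNC_RE = re.compile(
    r"truncated-ip - (?P<missing>\d+) bytes missing!.*?"
    r"flags \[(?P<flags>[^\]]*)\], proto (?P<proto>\w+) \(\d+\), length (?P<len>\d+)"
)


def find_truncated_inner(text, tunnel_mtu=RECOMMENDED_GRE_MTU):
    """Return one finding per truncated inner packet decoded inside a GRE frame."""
    findings, gre = [], None
    for line in text.splitlines():
        m = GRE_RE.search(line)
        if m:
            gre = m  # remember the enclosing GRE header
        t = TRUNC_RE.search(line)
        if not (t and gre):
            continue
        inner_len = int(t["len"])
        # Bytes left for the inner packet; only known when no GRE options are set.
        room = int(gre["len"]) - GRE_BASE_HEADER if gre["flags"] == "none" else None
        findings.append({
            "proto": t["proto"],
            "inner_len": inner_len,
            "missing": int(t["missing"]),
            "room": room,
            "inner_is_fragment": "+" in t["flags"],
            "over_mtu": max(0, inner_len - tunnel_mtu),
        })
        gre = None
    return findings


if __name__ == "__main__":
    for f in find_truncated_inner(SAMPLE):
        print(f)
```

On the capture above it reports an inner UDP packet of 1484 bytes with room for 1476 and 8 bytes missing, which is 12 bytes over the 1472 MTU.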

