RADIUS authentication issues on ION Devices
Created On 01/24/25 13:06 PM - Last Modified 10/17/25 04:24 AM
Symptom
- RADIUS failures after reboot, power outages or other network events.
  RADIUS over UDP. This could affect other UDP-based protocols.
- A packet capture close to the source host reveals the packet is either fragmented or too big, usually >1500 bytes MTU.
- A packet capture on the LAN interface of the ION farthest from the source host shows the ION is truncating the packet:
  15:27:12.618318 IP (tos 0x0, ttl 62, id 0, offset 0, flags [+], proto GRE (47), length 1500)
      10.0.37.1 > 10.0.37.10: GREv0, Flags [none], length 1480
      IP truncated-ip - 8 bytes missing! (tos 0x0, ttl 62, id 94, offset 0, flags [+], proto UDP (17), length 1484) <----
      10.28.0.10.2918 > 192.168.33.1.12345: UDP, bad length 1800 > 1456
Environment
- Prisma SD-WAN
- ION devices
- Topology: Branch - DC, with additional tunneling like GRE.
Cause
The GRE tunnel interface MTU on the DC ION was configured incorrectly: it was set >1472.
Resolution
- Reduce the GRE tunnel interface MTU on the DC ION to 1472, which aligns with the default setting and prevents packet truncation due to MTU mismatch.
- Any GRE tunnel interface configured on an ION cannot have an MTU size >= 1472, as this would not leave enough space for tunnel headers.
- This applies to IPsec interfaces, where the recommendation is to stick with the default values.
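The truncation shown in the Symptom capture can be confirmed from the lengths tcpdump prints. The following is an added example, not Palo Alto Networks code: it compares the inner IP length with the room left inside the GRE payload. It assumes each `tcpdump -v` record has been joined onto one line and that a GRE header with `Flags [none]` is 4 bytes; the function names are hypothetical.

```python
import re

GRE_BASE_HEADER = 4  # bytes; assumed GRE header size when tcpdump shows "Flags [none]"

# Record copied from the capture on this page (the "<----" annotation removed).
PAGE_RECORD = (
    "15:27:12.618318 IP (tos 0x0, ttl 62, id 0, offset 0, flags [+], proto GRE (47), "
    "length 1500) 10.0.37.1 > 10.0.37.10: GREv0, Flags [none], length 1480 "
    "IP truncated-ip - 8 bytes missing! (tos 0x0, ttl 62, id 94, offset 0, flags [+], "
    "proto UDP (17), length 1484) 10.28.0.10.2918 > 192.168.33.1.12345: UDP, "
    "bad length 1800 > 1456"
)
# Constructed record: an inner packet that fits inside the GRE payload.
CONSTRUCTED_OK = (
    "15:27:13.000001 IP (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto GRE (47), "
    "length 1496) 10.0.37.1 > 10.0.37.10: GREv0, Flags [none], length 1476 "
    "IP (tos 0x0, ttl 62, id 95, offset 0, flags [DF], proto UDP (17), length 1472) "
    "10.28.0.10.2918 > 192.168.33.1.12345: UDP, length 1444"
)

# Captures: outer IP length, GRE flags, GRE length (header + payload), inner IP length.
RECORD = re.compile(
    r"proto GRE \(47\), length (?P<outer>\d+)\)"
    r".*?GREv0, Flags \[(?P<flags>[^\]]*)\], length (?P<gre>\d+)"
    r".*?proto \w+ \(\d+\), length (?P<inner>\d+)\)",
    re.S,
)

def check_gre_record(record):
    """Return the sizes for one GRE record, or None if it cannot be assessed."""
    m = RECORD.search(record)
    if m is None or m["flags"] != "none":
        return None  # not GRE, or optional GRE fields change the header size
    inner_len = int(m["inner"])
    room = int(m["gre"]) - GRE_BASE_HEADER  # space left for the inner IP packet
    return {
        "outer_len": int(m["outer"]),
        "inner_len": inner_len,
        "inner_room": room,
        "missing": max(0, inner_len - room),  # matches tcpdump's "N bytes missing"
    }

def truncated_records(records):
    """Return the size details of every record whose inner packet does not fit."""
    checked = (check_gre_record(r) for r in records)
    return [info for info in checked if info and info["missing"]]

if __name__ == "__main__":
    for info in truncated_records([PAGE_RECORD, CONSTRUCTED_OK]):
        print(info)
```

For the page's record, the inner IP packet claims 1484 bytes while only 1476 fit after the outer IP and GRE headers, which is the 8 bytes tcpdump reports as missing.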