TMG NLB breacks Radius auth (drops UDP fragments?) RRS feed

  • Question

  • Hi,

    I have a TMG cluster wit 3 legs - External, Internal1, Internal2

    On Internal1 I have all clients and servers

    On Internal2 I put my Fortigate 80C used for the wireless network. I use Radius for auth. Radius server is on a Windows server in Internal1 network.

    Everything works fine but as soon as I start NLB for the 2nd TMG cluster the RADIUS auth fails. Everything else works. If you are already auth for wireless internet and everything works for you.

    For internal1 I have to use Unicast, For External I use Multicast NLB and it works great. For Internal2 I tried unicast/multicast no difference. I even configured the multicast MAC and IP on the cisco switch between TMG and Fortigate.

    What I find strange is that everything works with 1 TMG node (one or the other) but as soon as I start NLB service on the second one Radius auth will timeout.

    Looking at the network packets it seems that TMG drops the UDP fragments for RADIUS.

    I have the Block IP fragments disabled.

    Any idea?

    Does TMG NLB has trouble with NLB and UDP traffic?

    Thanks a lot!

    Wednesday, July 16, 2014 10:28 AM


  • Microsoft Support has admitted that this is a bug in their product but they are not going to fix it.
    Thursday, July 31, 2014 6:16 PM

All replies

  • Hi,

    Thanks for your reply.
    With traffic simulator i can simulate traffic only for one node and i have no option to set UDP fragments.
    As i said everything work fine even the UDP fragments with only one node.

    in the Logs i do not see anything wrong. I can see RADIUS Accounting Initiated Connection and RADIUS Closed Connection.
    In both cases the logs are identical.

    On FortiGate with a packet sniffer i can see that when it work there are some UDP Fragments like:

    15.733938 Radius.1812 -> FortiGate.9717: udp 1490 (frag 11447:1480@0+)
    15.733959 Radius -> FortiGate:  ip-proto-17 (frag 11447:18@1480)

    But when i start both TMG nodes this UDP fragments do not show up anymore.

    Is there a way to see what Packets TMG drops? I tried to enable Firewall logging for dropped packets (in Windows) but it creates a file that it is always emty.

    Should i install a packet sniffer on the TMG servers to check if the UDP packets are droppet or not?


    Thursday, July 17, 2014 3:16 PM
  • Hi,

    I installed network monitor on the TMG servers and i am able to see the packets comming on Internal1 and nothing is going out on Internal2.

    I looked on both nodes.

    When i stop NLB on one node I see the packet comming on Internal1 and leaving on Internal2 so TMG is dropping this UDP fragments.

    Now, how do i found out why or how do i fix that?

    The dropped packet looks like this in Network Monitor:

    67    19:07:07 17.07.2014    448.6300827        RADIUS_IP    FortiGate_IP    TLS    TLS:TLS Rec Layer-1 HandShake: Server Hello. Certificate.    {TLS:422, SSLVersionSelector:421, EAP:420, RADIUS:419, UDP:104, IPv4:103}


    Thursday, July 17, 2014 6:42 PM
  • Microsoft Support has admitted that this is a bug in their product but they are not going to fix it.
    Thursday, July 31, 2014 6:16 PM