TMG NLB breaks RADIUS auth (drops UDP fragments?)

Question
-
Hi,
I have a TMG cluster with 3 legs: External, Internal1, Internal2.
On Internal1 I have all clients and servers.
On Internal2 I put my Fortigate 80C used for the wireless network. I use RADIUS for auth. The RADIUS server is on a Windows server in the Internal1 network.
Everything works fine, but as soon as I start NLB for the 2nd TMG cluster node the RADIUS auth fails. Everything else works. If you are already authenticated for wireless, internet and everything else works for you.
For Internal1 I have to use Unicast; for External I use Multicast NLB and it works great. For Internal2 I tried unicast/multicast, no difference. I even configured the multicast MAC and IP on the Cisco switch between TMG and Fortigate.
What I find strange is that everything works with 1 TMG node (one or the other), but as soon as I start the NLB service on the second one RADIUS auth will time out.
Looking at the network packets, it seems that TMG drops the UDP fragments for RADIUS.
I have "Block IP fragments" disabled.
Any idea?
Does TMG have trouble with NLB and UDP traffic?
Thanks a lot!
Wednesday, July 16, 2014 10:28 AM
Answers
-
Microsoft Support has admitted that this is a bug in their product but they are not going to fix it.
- Proposed as answer by Joyce L (Moderator) Friday, August 1, 2014 1:33 AM
- Marked as answer by Joyce L (Moderator) Thursday, August 7, 2014 10:06 AM
Thursday, July 31, 2014 6:16 PM
All replies
-
Hi,
Please check if the traffic is blocked by Forefront TMG by the traffic simulator and TMG logs.
http://technet.microsoft.com/en-us/library/bb794937.aspx
Best Regards,
Joyce
Thursday, July 17, 2014 3:13 AM (Moderator)
-
Hi,
Thanks for your reply.
With the traffic simulator I can simulate traffic only for one node, and I have no option to set UDP fragments.
As I said, everything works fine, even the UDP fragments, with only one node. In the logs I do not see anything wrong. I can see RADIUS Accounting Initiated Connection and RADIUS Closed Connection.
In both cases the logs are identical. On the FortiGate with a packet sniffer I can see that when it works there are some UDP fragments like:
15.733938 Radius.1812 -> FortiGate.9717: udp 1490 (frag 11447:1480@0+)
15.733959 Radius -> FortiGate: ip-proto-17 (frag 11447:18@1480)
But when I start both TMG nodes these UDP fragments do not show up anymore.
Is there a way to see what packets TMG drops? I tried to enable firewall logging for dropped packets (in Windows) but it creates a file that is always empty.
Should I install a packet sniffer on the TMG servers to check if the UDP packets are dropped or not?
Thanks
Thursday, July 17, 2014 3:16 PM -
Hi,
I installed Network Monitor on the TMG servers and I am able to see the packets coming in on Internal1 and nothing going out on Internal2.
I looked on both nodes.
When I stop NLB on one node I see the packet coming in on Internal1 and leaving on Internal2, so TMG is dropping these UDP fragments.
Now, how do I find out why, or how do I fix that?
The dropped packet looks like this in Network Monitor:
67 19:07:07 17.07.2014 448.6300827 RADIUS_IP FortiGate_IP TLS TLS:TLS Rec Layer-1 HandShake: Server Hello. Certificate. {TLS:422, SSLVersionSelector:421, EAP:420, RADIUS:419, UDP:104, IPv4:103}
Thanks
Thursday, July 17, 2014 6:42 PM -
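The two sniffer lines quoted above (udp 1490 / frag 11447:1480@0+ and ip-proto-17 / frag 11447:18@1480) are what a 1490-byte RADIUS Access-Challenge looks like once the sending host splits it for a 1500-byte MTU: only the first IP fragment carries the UDP header, the second is a bare "ip-proto-17" fragment with no port numbers at all, which is exactly the kind of packet a firewall that tracks UDP by port cannot match to a flow. The following script is an added example, not code from the thread or from TMG/FortiGate; it rebuilds that fragmentation with the same IP ID and ports, prints the tcpdump-style lines, and shows with a small reassembler why losing either fragment leaves the receiver with no usable RADIUS packet (the EAP-TLS Server Hello/Certificate seen in Network Monitor) and the supplicant timing out. The addresses 192.0.2.10 and 198.51.100.1, the 1490-byte packet contents and the NAS port 9717 are constructed stand-ins.

```python
import struct
from typing import Dict, List, Optional

IPPROTO_UDP = 17
IP_HDR_LEN = 20          # no IP options
UDP_HDR_LEN = 8

# Constructed addresses (RFC 5737 documentation ranges) standing in for the
# "Radius" and "FortiGate" hosts of the sniffer output; IP ID 11447 and the
# ports 1812/9717 are the values shown in the capture.
RADIUS_IP = "192.0.2.10"
FORTIGATE_IP = "198.51.100.1"
IP_ID = 11447


def _ip_checksum(hdr: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071)."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, ident: int, more_frags: bool,
               offset_bytes: int, payload: bytes, proto: int = IPPROTO_UDP) -> bytes:
    """One IPv4 packet; the fragment-offset field counts 8-byte units."""
    if offset_bytes % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_frag = (0x2000 if more_frags else 0) | (offset_bytes // 8)   # 0x2000 = MF
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(payload),
                      ident, flags_frag, 64, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", _ip_checksum(hdr)) + hdr[12:] + payload


def fragment_udp(src: str, dst: str, sport: int, dport: int, data: bytes,
                 ident: int, mtu: int = 1500) -> List[bytes]:
    """Wrap data in UDP (checksum 0 = none, legal for IPv4) and split it the way
    a sending host does: only the first fragment carries the UDP header, so only
    that fragment is recognisable as 'udp' to a port-based filter."""
    udp = struct.pack("!HHHH", sport, dport, UDP_HDR_LEN + len(data), 0) + data
    max_frag = ((mtu - IP_HDR_LEN) // 8) * 8        # 1480 for a 1500-byte MTU
    frags, off = [], 0
    while off < len(udp):
        chunk = udp[off:off + max_frag]
        more = off + len(chunk) < len(udp)
        frags.append(build_ipv4(src, dst, ident, more, off, chunk))
        off += len(chunk)
    return frags


def parse_ipv4(pkt: bytes) -> Dict:
    ver_ihl, _, total_len, ident, ff, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:IP_HDR_LEN])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ident": ident, "mf": bool(ff & 0x2000), "offset": (ff & 0x1FFF) * 8,
            "proto": proto, "src": ".".join(map(str, src)),
            "dst": ".".join(map(str, dst)), "payload": pkt[ihl:total_len]}


def describe(pkt: bytes) -> str:
    """tcpdump-style one-liner in the format of the FortiGate sniffer output."""
    f = parse_ipv4(pkt)
    frag = f"(frag {f['ident']}:{len(f['payload'])}@{f['offset']}{'+' if f['mf'] else ''})"
    if f["offset"] == 0 and f["proto"] == IPPROTO_UDP:
        sport, dport, ulen, _ = struct.unpack("!HHHH", f["payload"][:UDP_HDR_LEN])
        return f"{f['src']}.{sport} -> {f['dst']}.{dport}: udp {ulen - UDP_HDR_LEN} {frag}"
    return f"{f['src']} -> {f['dst']}: ip-proto-{f['proto']} {frag}"


def reassemble(pkts: List[bytes]) -> Optional[bytes]:
    """Full UDP datagram, or None if any fragment is missing (a real receiver
    then discards the partial set when its reassembly timer expires)."""
    frags = sorted((parse_ipv4(p) for p in pkts), key=lambda f: f["offset"])
    out, expected = b"", 0
    for f in frags:
        if f["offset"] != expected:
            return None                      # hole: first/middle fragment is gone
        out += f["payload"]
        expected += len(f["payload"])
        if not f["mf"]:
            return out                       # last fragment seen, datagram complete
    return None                              # never saw the last fragment


def radius_header(datagram: bytes):
    """(code, identifier, declared length) of the RADIUS packet inside a UDP datagram."""
    return struct.unpack("!BBH", datagram[UDP_HDR_LEN:UDP_HDR_LEN + 4])


# Constructed Access-Challenge (code 11) of the size seen in the capture: a
# 1490-byte RADIUS packet (header + authenticator + filler standing in for the
# EAP-Message attributes carrying the TLS Server Hello/Certificate).
RADIUS_LEN = 1490
ACCESS_CHALLENGE = struct.pack("!BBH", 11, 1, RADIUS_LEN) + bytes(16) + bytes(RADIUS_LEN - 20)
FRAGMENTS = fragment_udp(RADIUS_IP, FORTIGATE_IP, 1812, 9717, ACCESS_CHALLENGE, IP_ID)

if __name__ == "__main__":
    for p in FRAGMENTS:
        print(describe(p))
    print("both fragments ->", radius_header(reassemble(FRAGMENTS)))
    print("first only     ->", reassemble(FRAGMENTS[:1]))
```

Running it prints the two fragment lines in the same form as the sniffer output, then (11, 1, 1490) for the complete set and None when only the first fragment arrives. The practical consequence for EAP-TLS behind any device that mishandles fragments is that the RADIUS server should be told to fragment at the EAP layer instead: on NPS that is the Framed-MTU attribute on the network policy (Microsoft's guidance is 1344), which keeps every RADIUS datagram below the path MTU so no ip-proto-17 fragments are produced at all. That is a general mitigation, not something the thread reports having tried.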