R80.20 Security Gateway drops IKE traffic when NAT-T is enforced
Symptoms
  • Security Gateway drops IKE traffic when NAT-T is enforced.
  • VPN debugs on the Central Gateway show that VPN tunnel negotiation stopped at Main Mode packet 4 (waiting for packet 5 to be sent by the Remote Gateway).
  • On the other hand, VPN debugs from the remote peer show Main Mode packet 5 has been sent to the Central Gateway.
  • Central Gateway drops the traffic sent by the Remote Gateway due to: "dropped by fwfrag_expires Reason: timeout has expired for fragment;"
  • tcpdump on the Central Gateway shows that the Central Gateway received all fragmented packets.
Cause

The remote peer sent Main Mode packet 5 with a large certificate, so it had to fragment the packet. The R80.20 peer received the fragments. However, it does not process any packet that is smaller than 240 KB.

The gateway's action was to drop fragments smaller than 240 KB that were not the last fragment, so the datagram was never reassembled and the fragment timer expired.
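To make the failure mode above concrete, here is an added toy model (not Check Point code) of a gateway that discards undersized non-last fragments before reassembly. The threshold, the 3500-byte stand-in for Main Mode packet 5, and the 1480-byte fragment size are all assumptions; with a threshold larger than the fragments, every non-last piece is dropped, the last piece sits in the reassembly queue, and the fragment timer fires exactly as the fwfrag_expires drop describes.

```python
from dataclasses import dataclass

@dataclass
class Fragment:
    ident: int    # IP identification shared by every fragment of one datagram
    offset: int   # byte offset of this piece within the original payload
    more: bool    # More-Fragments flag: False only on the last piece
    data: bytes

def fragment(ident, payload, max_piece=1480):
    """Split a datagram payload into IP-style fragments (constructed helper)."""
    pieces = []
    for off in range(0, len(payload), max_piece):
        chunk = payload[off:off + max_piece]
        pieces.append(Fragment(ident, off, off + len(chunk) < len(payload), chunk))
    return pieces

class Reassembler:
    """Models a gateway that drops undersized non-last fragments before reassembly."""
    def __init__(self, min_nonlast_size):
        self.min_nonlast_size = min_nonlast_size  # policy threshold (assumed knob)
        self.held, self.dropped = {}, []

    def feed(self, frag):
        # The faulty policy from the Cause section: non-last fragment too small -> drop
        if frag.more and len(frag.data) < self.min_nonlast_size:
            self.dropped.append(frag)
            return None
        self.held.setdefault(frag.ident, {})[frag.offset] = frag
        pieces = sorted(self.held[frag.ident].values(), key=lambda f: f.offset)
        expected = 0
        for p in pieces:
            if p.offset != expected:
                return None          # hole in the datagram: keep waiting
            expected += len(p.data)
        if pieces[-1].more:
            return None              # last fragment not seen yet
        del self.held[frag.ident]
        return b"".join(p.data for p in pieces)

    def expire(self, ident):
        """Fragment timer fires for anything still held, as fwfrag_expires would log."""
        if self.held.pop(ident, None) is None:
            return None
        return "dropped by fwfrag_expires Reason: timeout has expired for fragment;"

def run(min_nonlast_size):
    ike_mm5 = bytes(3500)   # constructed stand-in for Main Mode packet 5 carrying a big cert
    r, result = Reassembler(min_nonlast_size), None
    for f in fragment(0x1234, ike_mm5):
        result = r.feed(f) or result
    return result, len(r.dropped), r.expire(0x1234)
```

`run(0)` reassembles the full 3500-byte datagram with nothing dropped; `run(1500)` drops both non-last fragments, leaves the last one queued, and the expiry returns the fwfrag_expires drop message, mirroring the symptoms listed above.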

