
Cisco 3750 802.1x - Invalid Eapol packet length

March 10

Having a tough time here getting EAP-TLS to work. I am converting from an EAP-PEAP solution to EAP-TLS and have done the steps required for PKI so as to be not a certificate issue. (Server and client certs signed by the same CA.)

I believe there is an issue with MTU sizes based on the logs below and the following Cisco Forums I've found. Listed below are the posts. However, after performing the Framed-MTU = 1344 and changing it to different sizes, I see no difference in the Cisco 3750's logs. It always errors with Invalid Eapol Packet length = 1492.

Has anyone run into this before? I am using Win2008R2 NPS.

Framed-MTU workaround = https://technet.microsoft.com/en-us/library/cc771164%28WS.10%29.aspx and https://supportforums.cisco.com/discussion/11087011/eap-tls-authentication-failure

Why I'm thinking this is a Fragmentation issue = http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/118634-technote-eap-00.html#anc18

Basically my set-up = http://networklessons.com/wireless/peap-and-eap-tls-on-server-2008-and-cisco-wlc/

Mar 10 17:33:08.889: dot1x-packet(Gi1/0/7): Received an EAPOL frame
Mar 10 17:33:08.889: dot1x-ev(Gi1/0/7): Received pkt saddr =f0de.f17b.4d9f , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.0006
Mar 10 17:33:08.889: dot1x-packet(Gi1/0/7): Received an EAP packet
Mar 10 17:33:08.889: EAPOL pak dump rx
Mar 10 17:33:08.889: EAPOL Version: 0x1  type: 0x0  length: 0x0006
Mar 10 17:33:08.889: dot1x-packet(Gi1/0/7): Received an EAP packet from f0de.f17b.4d9f
Mar 10 17:33:08.889: dot1x-ev(Gi1/0/7): dot1x_sendRespToServer: Response sent to the server from 0x9C000260 (f0de.f17b.4d9f)
Mar 10 17:33:08.897: dot1x-ev(Gi1/0/7): Sending EAPOL packet to f0de.f17b.4d9f
Mar 10 17:33:08.897: dot1x-ev(Gi1/0/7): Role determination not required
Mar 10 17:33:08.897: dot1x-ev(Gi1/0/7): Sending out EAPOL packet
Mar 10 17:33:08.897: EAPOL pak dump Tx
Mar 10 17:33:08.897: EAPOL Version: 0x3  type: 0x0  length: 0x029B
Mar 10 17:33:08.897: EAP code: 0x1  id: 0x5  length: 0x029B type: 0xD
Mar 10 17:33:08.897: dot1x-packet(Gi1/0/7): EAPOL packet sent to client 0x9C000260 (f0de.f17b.4d9f)
Mar 10 17:33:08.923: dot1x-ev(Gi1/0/7): Role determination not required
Mar 10 17:33:08.923: dot1x-packet(Gi1/0/7): Queuing an EAPOL pkt on Authenticator Q
Mar 10 17:33:08.923: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Mar 10 17:33:08.923: EAPOL pak dump rx
Mar 10 17:33:08.923: EAPOL Version: 0x1  type: 0x0  length: 0x05D4
Mar 10 17:33:08.923: dot1x-ev: dot1x_auth_queue_event: Int Gi1/0/7 CODE= 2,TYPE= 13,LEN= 1492
Mar 10 17:33:08.923: dot1x-packet(Gi1/0/7): Received an EAPOL frame
Mar 10 17:33:08.923: dot1x-ev(Gi1/0/7): Received pkt saddr =f0de.f17b.4d9f , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.05d4
Mar 10 17:33:08.923: dot1x-err(Gi1/0/7): Invalid Eapol packet length = 1492
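An added example (not part of the original post, and not Cisco tooling): a small Python parser for the dot1x debug lines quoted above that decodes the hex EAPOL lengths, labels the EAP code and type, and ties the "Invalid Eapol packet length" error to the received frame that triggered it. The sample input is constructed from lines in the question's log; the frame-size arithmetic assumes an untagged Ethernet frame without FCS.

```python
import re

# Constructed sample: a subset of the debug lines quoted in the question.
SAMPLE_LOG = """\
Mar 10 17:33:08.897: EAPOL pak dump Tx
Mar 10 17:33:08.897: EAPOL Version: 0x3  type: 0x0  length: 0x029B
Mar 10 17:33:08.897: EAP code: 0x1  id: 0x5  length: 0x029B type: 0xD
Mar 10 17:33:08.923: EAPOL pak dump rx
Mar 10 17:33:08.923: EAPOL Version: 0x1  type: 0x0  length: 0x05D4
Mar 10 17:33:08.923: dot1x-ev: dot1x_auth_queue_event: Int Gi1/0/7 CODE= 2,TYPE= 13,LEN= 1492
Mar 10 17:33:08.923: dot1x-err(Gi1/0/7): Invalid Eapol packet length = 1492
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP"}
EAPOL_HDR = 4   # version (1) + packet type (1) + body length (2)
ETH_HDR = 14    # assumption: dst MAC + src MAC + EtherType, no VLAN tag, no FCS
HEX = r"(0x[0-9A-Fa-f]+)"
DUMP = re.compile(r"EAPOL pak dump (rx|tx)", re.I)
EAPOL = re.compile(rf"EAPOL Version: {HEX}\s+type: {HEX}\s+length: {HEX}")
EAP = re.compile(rf"EAP code: {HEX}\s+id: {HEX}\s+length: {HEX}\s+type: {HEX}")
QUEUE = re.compile(r"CODE= ?(\d+),TYPE= ?(\d+),LEN= ?(\d+)")
ERROR = re.compile(r"dot1x-err\((\S+?)\): Invalid Eapol packet length = (\d+)")

def label(code, typ):
    return f"{EAP_CODES.get(code, code)}/{EAP_TYPES.get(typ, typ)}"

def summarize(log):
    """Return one dict per dumped EAPOL frame, marking frames the switch rejected."""
    frames, direction = [], None
    for line in log.splitlines():
        if m := DUMP.search(line):
            direction = m.group(1).lower()
        elif m := EAPOL.search(line):
            body = int(m.group(3), 16)          # logged in hex, e.g. 0x05D4
            frames.append({"dir": direction, "body_len": body,
                           "frame_len": ETH_HDR + EAPOL_HDR + body,
                           "eap": None, "rejected": False})
        elif (m := EAP.search(line)) and frames:
            frames[-1]["eap"] = label(int(m.group(1), 16), int(m.group(4), 16))
        elif (m := QUEUE.search(line)) and frames:
            frames[-1]["eap"] = label(int(m.group(1)), int(m.group(2)))
        elif m := ERROR.search(line):
            # The error reports the length in decimal; match it to the last rx frame.
            for f in reversed(frames):
                if f["dir"] == "rx" and f["body_len"] == int(m.group(2)):
                    f["rejected"] = True
                    break
    return frames
```

On the quoted log this shows the 667-byte EAP-TLS request from the server being sent to the client and the client's 1492-byte EAP-TLS response (0x05D4) being the frame the switch rejects.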

Answers

Could you test this out, after hours, requires a switch reboot?

Switch Config:

conf t
!
system mtu jumbo 9000

Windows Server 2008R2 config:

adjust MTU to 9000

This may help. Take a look at this article if you haven't already figured this out: http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/118634-technote-eap-00.html
