UDP Kerberos authentication fails

Article ID: 167853

Products

XOS

Issue/Introduction

This article describes an issue where Kerberos authentication over UDP is dropped by the Check Point Firewall. The UDP Kerberos traffic is dropped with the following message in the fw ctl debug output:

[fw];fw_log_drop: Packet proto=17 x.x.x.x:x -> x.x.x.x:88 dropped by fwchain_frag Reason: wait for more fragments;

This can add latency to the authentication service, or cause it to fail altogether.

Cause

Problem:

When UDP Kerberos authentication is used, especially through VPN tunnels, the traffic might be dropped by the Check Point Firewall.
Kerberos over UDP can produce datagrams larger than the path MTU, which are then sent as IP fragments; a VPN tunnel makes this more likely because the encapsulation overhead lowers the effective MTU. The drop reason "wait for more fragments" shows the firewall's fragment handling (fwchain_frag) discarding the datagram while reassembly is still incomplete. The root cause is the different maximum datagram size used by Windows-based systems, as described in the referenced Check Point solution sk36679.
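The following is an added example, not code from the original article or from Check Point or Broadcom, that does two things a practitioner would want when confirming this issue: it parses fw ctl debug drop lines in the format shown above and counts the UDP port 88 drops from fwchain_frag per client/KDC pair, and it computes how many IPv4 fragments a UDP Kerberos datagram of a given size produces at a given MTU, which shows why a datagram that fits on a 1500-byte link fragments once a VPN tunnel lowers the effective MTU. The sample debug lines, the IP addresses, the 1465-byte Kerberos payload and the 1400-byte tunnel MTU are all constructed assumptions for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# IP protocol number printed by fw ctl debug (17 = UDP) and the Kerberos KDC port.
PROTO_UDP = 17
KERBEROS_PORT = 88

# Matches the fw_log_drop line format shown in the article.
DROP_RE = re.compile(
    r"fw_log_drop: Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dropped by (?P<chain>\w+) Reason: (?P<reason>[^;]+);"
)

# Constructed sample of fw ctl debug output (addresses and the unrelated lines are made up).
SAMPLE_DEBUG = """\
[fw];fw_log_drop: Packet proto=17 10.1.2.30:60217 -> 10.0.0.10:88 dropped by fwchain_frag Reason: wait for more fragments;
[fw];fw_log_drop: Packet proto=17 10.1.2.30:60218 -> 10.0.0.10:88 dropped by fwchain_frag Reason: wait for more fragments;
[fw];some other debug line that is not a drop record;
[fw];fw_log_drop: Packet proto=17 10.1.2.32:5353 -> 224.0.0.251:5353 dropped by fwchain_frag Reason: wait for more fragments;
[fw];fw_log_drop: Packet proto=17 10.1.2.33:60301 -> 10.0.0.11:88 dropped by fwchain_frag Reason: wait for more fragments;
"""


@dataclass(frozen=True)
class Drop:
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    chain: str
    reason: str


def parse_drop(line: str):
    """Parse one fw_log_drop line; return None for lines in another format."""
    m = DROP_RE.search(line)
    if not m:
        return None
    return Drop(int(m["proto"]), m["src"], int(m["sport"]), m["dst"],
                int(m["dport"]), m["chain"], m["reason"].strip())


def is_kerberos_fragment_drop(d: Drop) -> bool:
    """True for the exact symptom from the article: UDP to port 88 dropped while waiting for fragments."""
    return (d.proto == PROTO_UDP and d.dport == KERBEROS_PORT
            and d.chain == "fwchain_frag" and d.reason == "wait for more fragments")


def kerberos_fragment_drops(lines) -> Counter:
    """Count matching drops per (client, KDC) pair so the affected hosts can be identified."""
    counts = Counter()
    for line in lines:
        d = parse_drop(line)
        if d is not None and is_kerberos_fragment_drop(d):
            counts[(d.src, d.dst)] += 1
    return counts


def ip_fragment_count(udp_payload_len: int, mtu: int) -> int:
    """Number of IPv4 fragments needed for a UDP datagram (no IP options).

    The IP payload is the 8-byte UDP header plus the Kerberos message. Each
    non-final fragment carries a multiple of 8 bytes because fragment offsets
    are expressed in 8-byte units.
    """
    ip_payload = 8 + udp_payload_len
    max_first = mtu - 20                      # 20-byte IPv4 header
    if ip_payload <= max_first:
        return 1                              # fits in one packet, no fragmentation
    per_frag = (max_first // 8) * 8
    return -(-ip_payload // per_frag)         # ceiling division


if __name__ == "__main__":
    for (client, kdc), n in sorted(kerberos_fragment_drops(SAMPLE_DEBUG.splitlines()).items()):
        print(f"{client} -> {kdc}:88  {n} fragment-wait drops")
    # Assumed sizes: a 1465-byte Kerberos payload over a plain 1500-byte link and
    # over a VPN tunnel whose encapsulation overhead leaves a 1400-byte effective MTU.
    for mtu in (1500, 1400):
        print(f"MTU {mtu}: {ip_fragment_count(1465, mtu)} fragment(s)")
```

Run it against real fw ctl debug output by replacing SAMPLE_DEBUG with the captured file; a (client, KDC) pair with a steadily growing count while other fragmented UDP flows are absent points at Kerberos datagram size rather than a general fragment-reassembly problem on the firewall.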
 

Resolution

N/A

Workaround

Check Point recommends changing the authentication type from UDP Kerberos to TCP Kerberos, per solution sk36679. On Windows systems this is done by setting the MaxPacketSize DWORD value to 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters (Microsoft KB 244474), which forces Kerberos to use TCP; the system must be restarted for the change to take effect. Because TCP segments the data to the path MSS, the Kerberos messages no longer arrive at the firewall as IP fragments, so the fwchain_frag drop no longer applies.