Cisco Support Community
Community Member

802.1x/EAP-TLS Fragmentation across VPN tunnel

I am having an issue authenticating users via 802.1x/EAP-TLS across an IPSec tunnel. I am using route-based VPN with SVTI configuration on a 2921 and 1941. I have the following settings defined:

- Under the tunnel interfaces:

- MTU 1390

- MSS 1350


- Under the ingress LAN interface

- route-map to set the DNF bit to 0

- On the RADIUS Server (2008 NPS)

- Framed-MTU: 1300

This had been working for months until I got a call last week about users not being able to authenticate to our secured SSID. I fired up wireshark and also used my client monitor tool in my wireless NMS to watch what is going on. I see all of the access-request and access-challenge exchanges, but the final exchange never happens. In both captures you can see messages with id's 77-81, but message id 82 isn't shown in the wireshark capture, only fragments are. In the client monitor capture you can see that message id 82 is 1726 bytes in length. Now, if I capture packets on my local LAN, the 1726 byte packet is properly fragmented and users can authenticate just fine.

What am I missing with this?? I have scoured the Internet trying to find a setting that I must have missed, but I can't. I've tried adjusting the Framed-MTU, all the way down to 1100.

Thanks for you help.

Community Member

802.1x/EAP-TLS Fragmentation across VPN tunnel

I figured I would post back with my results. I ended up removing my mtu value from the tunnel interfaces and then fired up wireshark again. This time I found a crap load of ICMP time-exceeded messages which told me that PMTUD is not working properly across the tunnel. From there I simply re-applied my previous MTU numbers back into the tunnel configs and all of the sudden EAP-TLS started flowing fine. I do not know why removing and re-applying the MTU would make things start working again so I assume that I'll be dealing with this again sometime in the future.

Community Member

Hi unclerico, saw your

Hi unclerico,


saw your comment and thought of asking you for some advice, I am building similar sort of environment as you've metioned above, I am setting up wirless client to be authenticated with eap-tls  over an ipsec tunnel. I just had some confusion and was hoping for some help.


Let me know if you have some spare time, would really appreciate it.




CreatePlease to create content