Probable reason for Server timeout on IAP for client connecting using EAP-TLS

Aruba Employee

Question: How can we identify why a client is unable to authenticate, with the reason "server timeout" reported on the IAP?


Environment Information :




In the above example we can see that the IAP sends the RADIUS packet to the controller, which forwards it to the server. In EAP-TLS phase 3, the client sends its certificate. Because the certificate is large, the CLIENT CERTIFICATE is fragmented before it is sent to the server. For example:

1. Working authentication example:
i.   Packet #107 and Packet #108 are the first fragment of the “CLIENT CERTIFICATE”.
ii.  The EAP-TLS length is 3323, so it would fit in three fragments.
iii. After each fragment (#107 and Packet #108), the RADIUS server should send a “RADIUS ACCESS CHALLENGE” to acknowledge that it has received the fragment.
iv.  If no ACK is received, the client will retransmit the packet.

2. Non-working authentication example:

If we use the filter “radius || == 1”, it shows all the RADIUS packets and fragments from the IAP to the controller.

i. After the fragment, the next packet should be the “RADIUS ACCESS CHALLENGE” from the server. However, there is no response from the authentication server, which causes the retransmission of the client certificate (#236 and #239).


We have noticed that the firewall drops the fragments. As a result, the authentication server assumes that the client is not sending the data, and the client assumes that the server is not responding, which causes the server timeout.
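
The check described above, as an added example that is not part of the original article: given raw RADIUS payloads exported from a capture, it lists the EAP-TLS Access-Requests that were sent (and resent) without ever receiving an Access-Challenge. It assumes retransmissions reuse the RADIUS identifier and that identifiers are not recycled within the capture; the function names and sample packets are constructed for illustration.

```python
import struct
from collections import Counter

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11   # RADIUS codes (RFC 2865)
EAP_MESSAGE = 79                           # RADIUS attribute carrying EAP (RFC 3579)
EAP_TYPE_TLS, FLAG_LEN, FLAG_MORE = 13, 0x80, 0x40   # EAP-TLS type and flag bits (RFC 5216)

def parse_radius(pkt):
    """Return (code, identifier, eap_bytes) for one raw RADIUS packet."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    eap, pos = b"", 20                     # attributes follow the 16-byte authenticator
    while pos + 2 <= min(length, len(pkt)):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:
            break                          # malformed attribute: stop rather than loop forever
        if atype == EAP_MESSAGE:
            eap += pkt[pos + 2:pos + alen] # multiple EAP-Message attributes concatenate
        pos += alen
    return code, ident, eap

def unanswered_eap_tls(packets):
    """Map RADIUS identifier -> times sent, for EAP-TLS requests with no Access-Challenge."""
    sent, answered = Counter(), set()
    for pkt in packets:
        code, ident, eap = parse_radius(pkt)
        if code == ACCESS_CHALLENGE:
            answered.add(ident)
        elif code == ACCESS_REQUEST and len(eap) >= 6 and eap[4] == EAP_TYPE_TLS:
            sent[ident] += 1
    return {i: n for i, n in sent.items() if i not in answered}

# --- Constructed sample data (not taken from the capture in the article) ---
def eap_tls(code, eap_id, flags, data=b""):
    return struct.pack("!BBHBB", code, eap_id, 6 + len(data), EAP_TYPE_TLS, flags) + data

def radius(code, ident, eap):
    attr = bytes([EAP_MESSAGE, len(eap) + 2]) + eap
    return struct.pack("!BBH", code, ident, 20 + len(attr)) + bytes(16) + attr

FIRST = eap_tls(2, 5, FLAG_LEN | FLAG_MORE, struct.pack("!I", 3323) + b"A" * 100)
WORKING = [radius(ACCESS_REQUEST, 10, FIRST),
           radius(ACCESS_CHALLENGE, 10, eap_tls(1, 6, 0)),          # server ACK
           radius(ACCESS_REQUEST, 11, eap_tls(2, 6, FLAG_MORE, b"B" * 100)),
           radius(ACCESS_CHALLENGE, 11, eap_tls(1, 7, 0))]          # server ACK
FAILING = [radius(ACCESS_REQUEST, 20, FIRST)] * 3                   # same request resent, no reply

if __name__ == "__main__":
    print("working:", unanswered_eap_tls(WORKING))
    print("failing:", unanswered_eap_tls(FAILING))
```

An identifier reported with a count above 1 is a request that was retransmitted and never acknowledged, which is the pattern seen in the non-working capture.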

Version history
Revision #: 1 of 1
Last update: 07-14-2014 04:16 PM

How did you end up resolving the issue? Did you have to make a change on the firewall in order to stop dropping fragments? I am having the exact same setup and am experiencing the same issue.
