https://live.paloaltonetworks.com/t5/general-topics/validation-of-the-pan-vpn-ssid-and-peap-teap-protocols/m-p/1257522#M126656 <P>Hi Team&nbsp;</P> <P>I got a question :</P> <P>&nbsp;</P> <P><BR />During a previous session with end user, it was determined that, following the migration from PEAP to TEAP on the metropolitan area’s wireless network, 802.1X authentications fail to complete correctly when traversing the site-to-site VPN between a branch and the corporate headquarters.<BR />From a technical standpoint, the following was observed:<BR />• The authentication process starts correctly, but the session is not completed and times out in Cisco ISE.<BR />• The access points are able to send requests to the NAC; however, a complete response is not received.<BR />• At the corporate headquarters (without going through the VPN), behavior is normal.<BR />Based on the above, and considering that:<BR />• TEAP introduces greater encapsulation and larger packet sizes compared to PEAP<BR />• The IPsec VPN adds additional overhead<BR />The primary hypothesis is a possible fragmentation or MTU issue in the VPN tunnel, which would be preventing the EAP exchange from completing correctly.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>by any chance that you have a case similar to this one in order for me to solve the issue.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>this is my action plan&nbsp;</P> <P>&nbsp;</P> <P>Agreed-Upon Testing Plan<BR />To validate this hypothesis, it was agreed to conduct controlled tests during a low-impact window, including the following activities:<BR />1. Validation of the actual MTU on the path<BR />o Connectivity tests with the DF flag to identify the maximum size without fragmentation.<BR />2. Controlled adjustment of the MTU in the VPN tunnel<BR />o Reduce the MTU to a reference value (e.g., 1360) for testing.<BR />3. Conduct authentication tests<BR />o Verify whether the TEAP process completes successfully after the adjustment.<BR />4. Monitor and capture traffic<BR />o Review behavior at the firewall and NAC levels to confirm whether symptoms of fragmentation or truncated sessions disappear.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Any kind of help would be highly cherished</P> Fri, 26 Jun 2026 14:04:40 GMT F.Pinar 2026-06-26T14:04:40Z https://live.paloaltonetworks.com/t5/general-topics/validation-of-the-pan-vpn-ssid-and-peap-teap-protocols/m-p/1257522#M126656 <P>Hi Team&nbsp;</P> <P>I got a question :</P> <P>&nbsp;</P> <P><BR />During a previous session with end user, it was determined that, following the migration from PEAP to TEAP on the metropolitan area’s wireless network, 802.1X authentications fail to complete correctly when traversing the site-to-site VPN between a branch and the corporate headquarters.<BR />From a technical standpoint, the following was observed:<BR />• The authentication process starts correctly, but the session is not completed and times out in Cisco ISE.<BR />• The access points are able to send requests to the NAC; however, a complete response is not received.<BR />• At the corporate headquarters (without going through the VPN), behavior is normal.<BR />Based on the above, and considering that:<BR />• TEAP introduces greater encapsulation and larger packet sizes compared to PEAP<BR />• The IPsec VPN adds additional overhead<BR />The primary hypothesis is a possible fragmentation or MTU issue in the VPN tunnel, which would be preventing the EAP exchange from completing correctly.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>by any chance that you have a case similar to this one in order for me to solve the issue.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>this is my action plan&nbsp;</P> <P>&nbsp;</P> <P>Agreed-Upon Testing Plan<BR />To validate this hypothesis, it was agreed to conduct controlled tests during a low-impact window, including the following activities:<BR />1. Validation of the actual MTU on the path<BR />o Connectivity tests with the DF flag to identify the maximum size without fragmentation.<BR />2. Controlled adjustment of the MTU in the VPN tunnel<BR />o Reduce the MTU to a reference value (e.g., 1360) for testing.<BR />3. Conduct authentication tests<BR />o Verify whether the TEAP process completes successfully after the adjustment.<BR />4. Monitor and capture traffic<BR />o Review behavior at the firewall and NAC levels to confirm whether symptoms of fragmentation or truncated sessions disappear.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Any kind of help would be highly cherished</P> Fri, 26 Jun 2026 14:04:40 GMT https://live.paloaltonetworks.com/t5/general-topics/validation-of-the-pan-vpn-ssid-and-peap-teap-protocols/m-p/1257522#M126656 F.Pinar 2026-06-26T14:04:40Z https://live.paloaltonetworks.com/t5/general-topics/validation-of-the-pan-vpn-ssid-and-peap-teap-protocols/m-p/1257527#M126657 <P>Hello,</P> <P>While I have not had that same issue. Your path seems logical to ensure it either is or is not MTU. Depending on the packets, might have to go lower than what you have proposed.</P> <P>Regards,</P> Fri, 26 Jun 2026 16:04:12 GMT https://live.paloaltonetworks.com/t5/general-topics/validation-of-the-pan-vpn-ssid-and-peap-teap-protocols/m-p/1257527#M126657 OtakarKlier 2026-06-26T16:04:12Z https://live.paloaltonetworks.com/t5/general-topics/validation-of-the-pan-vpn-ssid-and-peap-teap-protocols/m-p/1257529#M126658 <P>I realized that there is an internal misconfiguration error the firewall is working as expected.</P> Fri, 26 Jun 2026 17:53:44 GMT https://live.paloaltonetworks.com/t5/general-topics/validation-of-the-pan-vpn-ssid-and-peap-teap-protocols/m-p/1257529#M126658 F.Pinar 2026-06-26T17:53:44Z