
Checkpoint VPN to Sonicwall kerberos failure

Hello out there,

I'm interested to know if anyone else has experienced an AD Kerberos failure through a VPN using a Checkpoint firewall 4.1/VPN-1 w/ SP4 to a Sonicwall Soho2 home appliance. The failure is that the machine behind the Soho2 waits an ungodly amount of time to authenticate to the corporate network; sometimes it never even gets a reply and just hangs.

The issue is related to the AD Kerberos packet size being huge: Checkpoint fragments the packet, but the Sonicwall is not able to piece it back together. We have tried several different methods to modify the MTU size: on the firewall, on the PC, on the server, on the Sonicwall, and we also tried to force TCP Kerberos authentication. No luck.

Calls to Checkpoint, Sonicwall, and Microsoft have not resolved the VPN failure.

The only thing that has worked is to place a Sonicwall Pro200 in parallel w/ the Checkpoint firewall and offload the VPN tunnels onto the Pro200: Sonicwall to Sonicwall has no problem w/ the Kerberos packets.

If you have had the issue and resolved it, or are in the same boat, please share.

Thanks,

Cyndra

Try this - it worked for me using Checkpoint and a Netscreen firewall. It is an issue with Kerberos over UDP. You can force it to use TCP with the following registry edit:

Locate the following key in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

If the Parameters key does not exist, you can create it now.

On the Edit menu, click Add Value, and then add the following registry value:

Value Name: MaxPacketSize
Data Type: REG_DWORD
Value: 1

The data value to which you set this value is the maximum size to be used with UDP. If the packet size exceeds this value, TCP is used. Again, 2,000 bytes is the default if the value is not present.

To prevent UDP from ever being used, set the value to 1; TCP will be used for all packets.
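The registry change described in the reply above, scripted as an added example (not code from the thread): it reads the current MaxPacketSize, sets it to 1 on request, and then confirms that TCP/88 to the KDC actually passes the firewall and VPN, since forcing TCP only helps if that port is open. The hostname `dc1.corp.example` and the function names are placeholders I chose; run it in an elevated PowerShell session.

```powershell
# Added example, not from the original thread. Assumes Windows PowerShell 5.1
# or later and administrator rights (HKLM writes require elevation).
$KerberosParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-KerberosUdpLimit {
    # Report the effective UDP size limit. The reply quotes 2,000 bytes as the
    # default when the value is absent (the Windows versions this thread is
    # about); later Windows releases default to TCP on their own.
    $item = Get-ItemProperty -Path $KerberosParams -Name MaxPacketSize -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Configured = $false; MaxPacketSize = 2000 }
    }
    return [pscustomobject]@{ Configured = $true; MaxPacketSize = [int]$item.MaxPacketSize }
}

function Set-KerberosForceTcp {
    # MaxPacketSize=1 means any Kerberos message larger than 1 byte goes over
    # TCP, i.e. UDP is never used. Supports -WhatIf so the change can be previewed.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path $KerberosParams)) {
        # The reply notes the Parameters key may not exist; -Force creates it.
        New-Item -Path $KerberosParams -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($KerberosParams, 'Set MaxPacketSize = 1 (REG_DWORD)')) {
        New-ItemProperty -Path $KerberosParams -Name MaxPacketSize `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
    # Read the value back so the caller sees what is actually in the registry.
    return Get-KerberosUdpLimit
}

function Test-KdcTcpReachable {
    # Forcing TCP moves the problem from UDP fragmentation to "is TCP/88 open
    # through the tunnel?", so check that before expecting logons to improve.
    param([Parameter(Mandatory)][string]$KdcHost)
    $r = Test-NetConnection -ComputerName $KdcHost -Port 88 -WarningAction SilentlyContinue
    return [bool]$r.TcpTestSucceeded
}

# Usage: inspect, preview the change, apply it, then verify TCP/88 reachability.
Get-KerberosUdpLimit
Set-KerberosForceTcp -WhatIf
Set-KerberosForceTcp
Test-KdcTcpReachable -KdcHost 'dc1.corp.example'   # placeholder DC hostname
```

The new value is used for subsequent Kerberos exchanges; reboot (or at least log off and on) so the next logon exercises it rather than cached tickets.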