Unhandled packets after VPN authentication

I'm setting up IKEv2 VPN on my M470 for the first time. I set it up quickly, using MS NPS as the RADIUS server, and it worked fine. I then changed the config to allow MFA using Duo. That was a whole other battle, but I accidentally got it working.

Now I can connect to the VPN and I get an IP from the WG, but I cannot pass traffic to the internal network or internet. Basically, I can get connected, but that's as far as it gets. I'm getting nothing but unhandled external packets denied in the traffic monitor.

I'm not sure why, since the firewall policy is the same as it was before (utilizing the IKEv2-Users RADIUS group). For kicks, I tried manually moving the rule above the Deny All, but no luck there either.

I feel like I'm probably missing some stupid checkbox somewhere. Any ideas?


  • The traffic monitor shows my src_user=myusernam@RADIUS, but it's not acting like it's using that user or groups to allow traffic.

  • Please post some sample unhandled log messages.

  • edited March 2023

    Do you have a policy allowing this traffic?

  • 2023-03-31 14:39:13 PKC-M470-1 Deny x.x.x.x y.y.y.y dns/udp 52930 53 3-X3-DCN 1-X1-LAN Denied 69 127 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" src_user="myuser@RADIUS"

    where x is the client IP that it is getting from the WG and y is the DNS server internally on the LAN... myuser is my AD username.

    I have the policy that the VPN wizard created. It WAS working until I added the MFA, so I would have thought it should keep working.

  • Are you getting good Duo authentication?

  • Yep, I can see the approved auth on the Duo admin console.

  • After I authenticate, I can see my user on the authentication list on the WG as an IKEv2 user.

  • I have a policy set up that allows my IKEV@_Users group to ANY

  • The unhandled message suggests a non-matching user/group name.

  • IKEv2-Users I mean...sorry, kb issues. :)

  • That makes sense... but I can't find anything that looks out of place, or wrong names... In AD I'm using the group name WG - IKEv2-Users, but that's also the name on my policy.

  • You can turn on diagnostic logging for authentication which may show something to help:
    . Policy Manager: Setup -> Logging -> Diagnostic Log Level -> Authentication
    . Web UI: System -> Logging -> Settings
    Set the slider to Information or higher

  • Nothing obvious to me in the Duo Integration Guide related to this.

    Duo Security Authentication Integration Guide

  • Could be time for a support case.

  • I'm not exactly sure why, but I ended up restarting the NPS service and then restarting the Duo Auth Proxy service and it started working! Must have had something change that still needed it to restart one more time.

    Happy camper! Thanks for the help!

  • Sometimes magic just happens
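
Added example, not part of the original thread and not WatchGuard code: a small Python parser for traffic log lines in the layout quoted above. It counts, per user, denies that hit "Unhandled External Packet" while carrying a `src_user`, the pattern the thread reads as a user/group name that matches no policy. The field layout is assumed from that one quoted line, and the sample lines are constructed.

```python
import re
from collections import Counter

# Layout assumed from the single log line quoted in the thread; other
# firmware versions or log destinations may format lines differently.
LINE_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+) (?P<device>\S+) (?P<action>Allow|Deny) '
    r'(?P<src>\S+) (?P<dst>\S+) (?P<proto>\S+) (?P<sport>\d+) (?P<dport>\d+) '
    r'(?P<in_if>\S+) (?P<out_if>\S+) .*?\((?P<policy>[^)]*)\)(?P<kv>.*)$'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Return a dict of fields for one traffic log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Trailing key="value" pairs (proc_id, rc, msg_id, src_user, ...)
    rec.update(KV_RE.findall(rec.pop("kv")))
    return rec

def authenticated_unhandled(lines):
    """Count unhandled denies per user for sessions that already carry a src_user."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["action"] == "Deny"
                and rec["policy"].startswith("Unhandled")
                and rec.get("src_user")):
            hits[rec["src_user"]] += 1
    return hits

# Constructed sample lines (addresses and the Allow line are invented for the example).
SAMPLE_LINES = [
    '2023-03-31 14:39:13 PKC-M470-1 Deny 192.0.2.10 10.0.1.5 dns/udp 52930 53 '
    '3-X3-DCN 1-X1-LAN Denied 69 127 (Unhandled External Packet-00) '
    'proc_id="firewall" rc="101" msg_id="3000-0148" src_user="myuser@RADIUS"',
    '2023-03-31 14:39:15 PKC-M470-1 Deny 203.0.113.7 198.51.100.1 telnet/tcp 40000 23 '
    '0-External Firebox Denied 40 50 (Unhandled External Packet-00) proc_id="firewall"',
    '2023-03-31 14:40:02 PKC-M470-1 Allow 192.0.2.11 10.0.1.5 dns/udp 50001 53 '
    '3-X3-DCN 1-X1-LAN Allowed 60 127 (Allow IKEv2-Users-00) '
    'proc_id="firewall" src_user="otheruser@RADIUS"',
]

if __name__ == "__main__":
    for user, count in authenticated_unhandled(SAMPLE_LINES).items():
        print(f"{user}: {count} unhandled deny(s) after authentication")
```

A user who shows up here authenticated successfully but matched no policy, so the next thing to compare is the group the authentication server returned against the group named in the policy.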
