This article describes an issue where traffic from an authentication service that uses UDP Kerberos is dropped by the Check Point Firewall.
The drops appear with the following message in fw ctl debug:
[fw];fw_log_drop: Packet proto=17 x.x.x.x:x -> x.x.x.x:88 dropped by fwchain_frag Reason: wait for more fragments;
This can add latency to the authentication service, or it may cause it not to work at all.
When using UDP Kerberos authentication, especially through VPN tunnels, traffic might be dropped by the Check Point Firewall.
This is caused by a different maximum datagram packet size on Windows-based systems, as described in the referenced Check Point solution sk36679.
Check Point recommends changing the authentication type from UDP Kerberos to TCP Kerberos per solution sk36679.
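
To confirm which clients and KDCs are affected before changing the authentication type, the saved debug output can be summarized per address pair. The following is an added example, not Check Point code: it assumes the drop lines follow the format quoted above, and the sample lines and the function name kerberos_frag_drops are constructed for illustration.

```python
import re
from collections import Counter

# Field layout taken from the drop message quoted in the article.
DROP_RE = re.compile(
    r"fw_log_drop: Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dropped by (?P<chain>\S+) Reason: (?P<reason>[^;]+);"
)

# Constructed sample lines (documentation-range addresses), not real output.
SAMPLE = """\
[fw];fw_log_drop: Packet proto=17 192.0.2.10:51234 -> 198.51.100.5:88 dropped by fwchain_frag Reason: wait for more fragments;
[fw];fw_log_drop: Packet proto=17 192.0.2.10:51240 -> 198.51.100.5:88 dropped by fwchain_frag Reason: wait for more fragments;
[fw];fw_log_drop: Packet proto=17 192.0.2.22:49822 -> 198.51.100.5:88 dropped by fwchain_frag Reason: wait for more fragments;
[fw];fw_log_drop: Packet proto=17 192.0.2.10:53011 -> 198.51.100.9:53 dropped by fwchain_frag Reason: wait for more fragments;
some unrelated debug line
"""


def kerberos_frag_drops(lines):
    """Count fwchain_frag drops of UDP (proto 17) traffic to port 88,
    keyed by (client, KDC) address pair."""
    hits = Counter()
    for line in lines:
        m = DROP_RE.search(line)
        if m is None:
            continue  # not a drop line in the quoted format
        if (m["proto"], m["dport"], m["chain"]) == ("17", "88", "fwchain_frag"):
            hits[(m["src"], m["dst"])] += 1
    return hits


if __name__ == "__main__":
    for (client, kdc), count in kerberos_frag_drops(SAMPLE.splitlines()).most_common():
        print(f"{count:4d} fragment drops  {client} -> {kdc}:88 (UDP Kerberos)")
```

Pairs that still show drops after the switch to TCP Kerberos point to clients that are still sending Kerberos over UDP.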