08-22-2018
11:43 PM
@vijithv, First, firewalls can easily block UDP and allow TCP. I mentioned that was a possible cause. Also, depending on how you have your /etc/krb5.conf configured, a different KDC could have been contacted.

You can see distinctly in the failure via UDP that there is a socket timeout for each attempt to connect to the KDC. This is a failure at the networking side where a client cannot connect to a server. Since no connection was ever made via UDP, there was no chance for it to know to try TCP. That "switching" is done based on a response of KRB5KRB_ERR_RESPONSE_TOO_BIG, I believe, so if no response is made, no "switching" to TCP will occur.

If you really want to get to the bottom of this, recreate the problem while capturing packets via tcpdump like this:

    # tcpdump -i any -w ~/kerberos_broken.pcap port 88

Then, with the problem fixed, reproduce again while capturing packets:

    # tcpdump -i any -w ~/kerberos_fixed.pcap port 88

Use Wireshark (it does a great job of decoding Kerberos packets) and you will be able to see the entire interaction. This will show us information to help determine the cause. Wireshark is here: https://www.wireshark.org/
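A quick first pass over the two captures before opening them in Wireshark, as an added example that is not part of the original post: it counts port 88 packets per transport and direction and flags the "UDP requests, no reply at all" pattern the post describes. The names `kdc_traffic`, `diagnose`, `sample`, `BROKEN` and `FIXED` are hypothetical, the two captures are constructed, and it assumes the classic pcap format that `tcpdump -w` writes, with IPv4 traffic.

```python
import struct

# pcap linktype -> (link header length, offset of the 2-byte protocol field);
# `tcpdump -i any` writes LINUX_SLL (113) or, with newer libpcap, LINUX_SLL2 (276).
LINK = {1: (14, 12), 113: (16, 14), 276: (20, 0)}

def kdc_traffic(pcap, port=88):
    """Count port-88 packets per transport and direction in a classic pcap file."""
    end = "<" if pcap[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
    hdr_len, proto_off = LINK[struct.unpack(end + "I", pcap[20:24])[0]]
    n = dict.fromkeys(("udp_req", "udp_rep", "tcp_syn", "tcp_synack"), 0)
    pos = 24
    while pos + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[pos + 8:pos + 12])[0]
        frame, pos = pcap[pos + 16:pos + 16 + incl], pos + 16 + incl
        ip = frame[hdr_len:]
        if frame[proto_off:proto_off + 2] != b"\x08\x00" or len(ip) < 20:
            continue                                    # IPv4 only
        l4 = ip[(ip[0] & 0x0F) * 4:]
        if len(l4) < 8:
            continue
        sport, dport = struct.unpack(">HH", l4[:4])
        flags = l4[13] & 0x12 if ip[9] == 6 and len(l4) > 13 else None
        if ip[9] == 17:                                 # UDP
            n["udp_req"] += dport == port
            n["udp_rep"] += sport == port
        elif flags is not None:                         # TCP: SYN / SYN+ACK
            n["tcp_syn"] += dport == port and flags == 0x02
            n["tcp_synack"] += sport == port and flags == 0x12
    return n

def diagnose(n):
    if n["udp_req"] and not n["udp_rep"]:
        return "udp-unanswered"   # no reply of any kind, so nothing told the client to try TCP
    if n["tcp_syn"] and not n["tcp_synack"]:
        return "tcp-unanswered"
    return "kdc-reachable"

def sample(packets, linktype=113):
    """Constructed capture: packets is a list of (ip_proto, sport, dport, tcp_flags)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for proto, sport, dport, flags in packets:
        l4 = struct.pack(">HH", sport, dport) + (bytes(9) + bytes([flags]) + bytes(6) if proto == 6 else bytes(4))
        ip = bytes([0x45]) + bytes(8) + bytes([proto]) + bytes(10) + l4
        frame = bytes(14) + b"\x08\x00" + ip            # LINUX_SLL header
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

BROKEN = sample([(17, 40000, 88, 0)] * 3)               # three UDP tries, no reply
FIXED = sample([(6, 40001, 88, 0x02), (6, 88, 40001, 0x12)])
```

To run it on real captures, pass the file contents, for example `kdc_traffic(open(path, "rb").read())`, and compare the counts for the broken and fixed runs.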