if you compare the servers outgoing packet dump and clients incoming packet dump, you'll see that the "invalid challenge packet" packet the client receives does not originate from the server. this is probably due to someone somehow getting IPs of the clients that are connected to the server and sending an IP spoofed udp "invalid challenge packet" packet to those IPs on the default clientport 27005. thats why the problem vanishes when clients change their port from 27005 to something else