Fortinet Forum
backpackdam
New Contributor

Unable to get iPhone mail via WiFi on FortiGate 100E

We have several locations running Fortinet equipment and we can't get to our on-prem Exchange server when using WiFi from only one of the locations.

Main office has a FortiGate 200.  Outlying offices both have FortiGate 100E.  A site-to-site tunnel connects everything.  When we're at the main office and on WiFi, any iPhone will connect to email using the Mail app perfectly.  When we go to office A with the same iPhone, everything works fine.  When we go to Office B (running FortiOS 6.2.11) with the same iPhone, we can't reach the Exchange server (via mail app or OWA address).  We're able to ping the server just fine.  If we use an Android or a laptop in that same office, there is no issue - it is ONLY the iPhone.

Sniffer logs show the Client Hello going from the iPhone to the Exchange server.  Logs on the HQ 200 show that the Server Hello gets sent to the 100E but then the connection times out (maybe due to using TLS 1.0 somehow?).

Again - the same iPhone will work in our other locations just fine.  It's only this ONE location that is having issues.

Has anyone experienced something similar?  Does anyone know of any magic setting in the 100E that may need to be changed?  Is there a way to use the 100E to find out what happens to the traffic?

11 replies
Anthony_E
Community Manager

Hello backpackdam,

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Regards,

Anthony-Fortinet Community Team.
akumarr
Staff

Dear Customer,
May I know whether the iPhone on Site B is connected to the FortiGate by WiFi, or do you have an SSL VPN connection?

Best regards,
ARUNKUMAR.R.
backpackdam

The iPhone at site B connects to a WiFi AP that is connected to the 100E.  The 100E connects back to our HQ via an SSL VPN tunnel.  This is the same method used at Site A.  While we're fairly sure the configuration is the same, we're not sure if there is a setting somewhere on Site B that is different and don't know where to look since we can't determine what the actual problem is.

backpackdam
New Contributor

**UPDATE** - we had a (known) subscription to the Next Generation Firewall (NGFW) service that lapsed on Saturday the 17th.  We let it lapse on purpose to see if the iPhones at site B would connect.  We verified with users on-site yesterday (Sep 19) that the iPhones were in fact working like they do at our other locations.

Today, we followed up with them and the iPhones are back to failing like they were last week and every day before that.

Is there an AI/learning algorithm somewhere that may be learning and then blocking iPhone mail traffic?  It also blocks traffic to our OWA page in Safari.

gfleming

Let's ignore the mail client and underlying protocols for now. Let's just work with OWA. So an iPhone cannot connect to OWA using Safari. But an Android device can connect using Chrome?

What do the logs show for both connections?  Any errors for the iPhone connection?

What security profiles do you have enabled on the FortiGate at Office B that would affect the iPhone traffic heading towards the Exchange server? Are you doing SSL inspection?

What appears on the iPhone? Do you get an error message? Does the error pop up immediately or does it time out?

Cheers,
Graham
backpackdam

Correct - an iPhone cannot connect to OWA via Safari but an Android will get there via Chrome.  A Windows laptop will also get to OWA via Chrome.

Not sure where to look for errors for the iPhone connection.  PCAP shows that the iPhone never receives a Server Hello / key exchange.  It doesn't time out immediately but after 30-45 seconds?

Site B is doing traffic inspection but so is Site A.  There is an IPS/IDS enabled but it isn't actively preventing traffic.

If you have some suggestions for where I should look for settings/logs/etc, I'm able to do that real quick.

All of the PCAPs we have are attached to our Fortinet Support ticket if you have access to those (I'll send you the number if you do!).

Thanks for all of your help so far!
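The observation above (Client Hello leaves the iPhone, no Server Hello ever comes back) is the kind of thing that is easy to check mechanically once you have both directions of a capture. The following is an added example, not code from the original thread: it walks the raw TLS record layer of a constructed client-to-server and server-to-client byte stream, reports which handshake messages each side saw and how large the server's records were, and gives the same verdict the poster reached by eye. The sample records are constructed inline; it assumes one handshake message per TLS record, so a Certificate message split across several records is counted by its first record only.

```python
"""Classify a TLS handshake from raw per-direction byte streams (added example)."""

HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO, CERTIFICATE = 1, 2, 11


def tls_record(hs_type: int, body: bytes, version: bytes = b"\x03\x01") -> bytes:
    """Build one TLS record carrying a single handshake message.

    Used here only to construct sample traffic; a real capture would be fed
    in from the pcap instead.
    """
    msg = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + version + len(msg).to_bytes(2, "big") + msg


def iter_handshakes(data: bytes):
    """Yield (handshake_type, message_len, record_len_on_wire) per handshake record.

    Assumption: one handshake message per record.  Stops at a truncated record
    rather than guessing, so a capture cut mid-record is reported honestly.
    """
    off = 0
    while off + 5 <= len(data):
        ctype = data[off]
        rlen = int.from_bytes(data[off + 3:off + 5], "big")
        frag = data[off + 5:off + 5 + rlen]
        if len(frag) < rlen:
            break  # truncated capture
        if ctype == HANDSHAKE and len(frag) >= 4:
            yield frag[0], int.from_bytes(frag[1:4], "big"), rlen + 5
        off += 5 + rlen


def handshake_summary(client_to_server: bytes, server_to_client: bytes) -> dict:
    """Summarise which side of the handshake was seen and how big the server's records were."""
    seen = {"client_hello": False, "server_hello": False, "largest_server_record": 0}
    for hs_type, _, _ in iter_handshakes(client_to_server):
        if hs_type == CLIENT_HELLO:
            seen["client_hello"] = True
    for hs_type, _, rlen in iter_handshakes(server_to_client):
        if hs_type == SERVER_HELLO:
            seen["server_hello"] = True
        seen["largest_server_record"] = max(seen["largest_server_record"], rlen)

    if seen["client_hello"] and not seen["server_hello"]:
        seen["verdict"] = "ClientHello sent, no ServerHello received: reply lost in transit"
    elif seen["client_hello"]:
        seen["verdict"] = "ServerHello reached the client; look past the handshake"
    else:
        seen["verdict"] = "no ClientHello seen; client never reached the TLS layer"
    return seen


# Constructed sample streams (not real captures).  The large Certificate
# record stands in for the kind of reply that has to be split over several
# TCP segments on its way back through a tunnel.
CLIENT_STREAM = tls_record(CLIENT_HELLO, b"\x00" * 200)
SERVER_STREAM = tls_record(SERVER_HELLO, b"\x00" * 80) + tls_record(CERTIFICATE, b"\x00" * 1500)

if __name__ == "__main__":
    print("site A (working):", handshake_summary(CLIENT_STREAM, SERVER_STREAM))
    print("site B (failing):", handshake_summary(CLIENT_STREAM, b""))
```

Running it against the two constructed cases prints a "handshake reached the client" verdict for the first and the "no ServerHello received" verdict for the second. On a real capture, feed each direction's reassembled TCP payload in as the two byte strings; if the server-side capture shows large records leaving but the client-side capture shows nothing arriving, the loss is on the path, which is exactly the fragmentation question raised later in the thread.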

gfleming

Sure what is the ticket #?

Some more basic questions, can you download iNetTools on the iPhone and see if you can connect on port 443 to the OWA server?

Cheers,
Graham
backpackdam

The ticket number is 7551398.

It is hard for us to set up a test for this as the office having the issue is ~2.5 hours away and there is no tech staff to support testing.  There are several PCAPs there that show good connection/bad connection from Site A and then a good connection from Site B.  It doesn't matter the iPhone model or iOS version - all iPhones behave the same way.  When on WiFi, we are able to reach out to the wider internet and browse like normal.  It's just the connection to our Exchange server that doesn't work.

Are there settings that we can check at our HQ either on our iPhone or on the 100E?

gfleming

Looks very much like an issue with fragmentation. What is your WAN link type? PPPoE or something?

You can probably mitigate this by setting the TCP-MSS size on the remote FortiGate's VPN interface. Given the fragments are sized at 1434 I would suggest setting TCP-MSS at 1380 and see how that works out for you.

config system interface
    edit <VPN INTERFACE>
        set tcp-mss 1380
    next
end

Cheers,
Graham
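The arithmetic behind Graham's 1380 suggestion, as an added example that is not part of the original reply: a TCP segment that fits the LAN's 1500-byte MTU no longer fits once the tunnel wraps it in its own headers, so the MSS has to be lowered by at least the encapsulation cost. The 80-byte SSL VPN overhead used here is an illustrative assumption, not a measured value for this deployment; the helper functions and sample segment sizes are constructed for the example.

```python
"""Work out a safe TCP MSS for traffic crossing a tunnel (added example)."""
import math

IPV4_HEADER = 20
TCP_HEADER = 20

# Assumed per-packet cost of the SSL VPN encapsulation: outer IP + outer TCP
# + TLS record header and cipher overhead.  80 bytes is an illustrative
# figure, not one measured on the poster's link.
SSLVPN_OVERHEAD = 80


def recommended_mss(path_mtu: int, tunnel_overhead: int, safety_margin: int = 0) -> int:
    """Largest TCP payload whose encapsulated packet still fits the path MTU."""
    return path_mtu - tunnel_overhead - IPV4_HEADER - TCP_HEADER - safety_margin


def encapsulated_size(tcp_payload: int, tunnel_overhead: int) -> int:
    """Bytes on the wire once the inner IP/TCP packet is wrapped by the tunnel."""
    return tcp_payload + TCP_HEADER + IPV4_HEADER + tunnel_overhead


def fragment_report(segment_sizes, path_mtu: int, tunnel_overhead: int):
    """For each observed TCP payload size, (payload, wire_size, fits_unfragmented)."""
    return [
        (size, encapsulated_size(size, tunnel_overhead),
         encapsulated_size(size, tunnel_overhead) <= path_mtu)
        for size in segment_sizes
    ]


def segments_needed(payload_len: int, mss: int) -> int:
    """Number of TCP segments a reply of payload_len bytes needs at a given MSS."""
    return math.ceil(payload_len / mss)


if __name__ == "__main__":
    # Constructed inputs: a default 1460-byte segment from a 1500 MTU host,
    # the 1434-byte size mentioned in the thread, and the proposed 1380.
    observed = [1460, 1434, 1380]
    print("recommended MSS:", recommended_mss(1500, SSLVPN_OVERHEAD))
    for payload, wire, fits in fragment_report(observed, 1500, SSLVPN_OVERHEAD):
        print(f"payload {payload:4d} -> {wire:4d} bytes on the wire, fits: {fits}")
    # A certificate chain of a few KB is why the ServerHello side is the one
    # that suffers: it is the first thing big enough to need several segments.
    print("segments for a 4000-byte server reply at MSS 1380:", segments_needed(4000, 1380))
```

If the firewall (or anything between the sites) drops fragments or blocks the ICMP "fragmentation needed" message, the segments that do not fit simply vanish, which matches a Client Hello getting through while the much larger Server Hello plus certificate never arrives. Before trusting the assumed overhead, measure it with a don't-fragment ping across the tunnel (for example `ping -M do -s <size>` on Linux) and set the MSS from the largest size that still gets through.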