Unable to get iPhone mail via WiFi on FortiGate 100E
We have several locations running Fortinet equipment and we can't get to our on-prem Exchange server when using WiFi from only one of the locations.
Main office has a Fortigate 200. Outlying offices both have Fortigate 100E. A site-to-site tunnel connects everything. When we're at the main office and on WiFi, any iPhone will connect to email using the Mail app perfectly. When we go to office A with the same iPhone, everything works fine. When we go to Office B (running FortiOS 6.2.11) with the same iPhone, we can't reach the Exchange server (via mail app or OWA address). We're able to ping the server just fine. If we use an Android or a laptop in that same office, there is no issue - it is ONLY the iPhone.
Sniffer logs show the Client Hello going from the iPhone to the Exchange server. Logs on the HQ 200 show that the Server Hello gets sent to the 100E but then the connection times out (maybe due to using TLS 1.0 somehow?).
Again - the same iPhone will work in our other locations just fine. It's only this ONE location that is having issues.
Has anyone experienced something similar? Does anyone know of any magic setting in the 100E that may need to be changed? Is there a way to use the 100E to find out what happens to the traffic?
The iPhone at site B connects to a WiFi AP that is connected to the 100E. The 100E connects back to our HQ via an SSL VPN tunnel. This is the same method used at Site A. While we're fairly sure the configuration is the same, we're not sure if there is a setting somewhere on Site B that is different and don't know where to look since we can't determine what the actual problem is.
**UPDATE** - we had a (known) subscription to the Next Gen Firewall (NGFW) service that lapsed on Saturday the 17th. We let it lapse on purpose to see if the iPhones at site B would connect. We verified with users on-site yesterday (Sep 19) that the iPhones were in fact working like they do at our other locations.
Today, we followed up with them and the iPhones are back to failing like they were last week and every day before that.
Is there an AI/learning algorithm somewhere that may be learning and then blocking iPhone mail traffic? It also blocks traffic to our OWA page in Safari.
It is hard for us to set up a test for this as the office having the issue is ~2.5 hours away and there is no tech staff to support testing. There are several PCAPs there that show good connection/bad connection from Site A and then a good connection from Site B. It doesn't matter the iPhone model or iOS version - all iPhones behave the same way. When on WiFi, we are able to reach out to the wider internet and browse like normal. It's just the connection to our Exchange server that doesn't work.
Are there settings that we can check at our HQ either on our iPhone or on the 100E?
Looks very much like an issue with fragmentation. What is your WAN link type? PPPoE or something?
You can probably mitigate this by setting the TCP-MSS size on the remote FortiGate's VPN interface. Given the fragments are sized at 1434 I would suggest setting TCP-MSS at 1380 and see how that works out for you.
```
config system interface
    edit <VPN INTERFACE>
        set tcp-mss 1380
    next
end
```
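The reason a ping can succeed while the TLS handshake hangs is that a default echo request is tiny, whereas the Server Hello carries the certificate chain in full-size segments; only those hit the tunnel's smaller MTU. Before changing the clamp, it is worth measuring that MTU from a laptop on the same WiFi at site B and deriving the MSS from it. The script below is an added example, not part of the original thread or Fortinet's own tooling: it binary-searches the largest ICMP payload that crosses to the Exchange server with the Don't Fragment bit set and converts the result into a TCP MSS. It assumes a Linux iputils `ping` (`-M do` sets DF; macOS uses `-D` instead), and the target address and the search range are placeholders.

```sh
#!/bin/sh
# Added example (not from the original thread): find the largest packet that
# crosses the tunnel without fragmentation, then derive a TCP MSS to clamp.
# Assumes Linux iputils ping ("-M do" sets the Don't Fragment bit); on macOS
# the equivalent flag is "-D". Host and size range are placeholders.

# TCP MSS that fits in a given IPv4 MTU: 20-byte IP header + 20-byte TCP header.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# ping -s counts ICMP data only; the wire packet adds 20 (IPv4) + 8 (ICMP).
payload_to_mtu() {
    echo $(( $1 + 28 ))
}

# probe_df HOST BYTES: succeed if an echo with BYTES of data and DF set is
# answered. A packet larger than the path MTU is dropped (or bounced with
# "fragmentation needed") instead of being fragmented, so no reply comes back.
probe_df() {
    ping -M do -c 1 -W 2 -s "$2" "$1" >/dev/null 2>&1
}

# find_pmtu HOST [PROBE]: binary-search the ICMP payload between 500 and 1472
# (1472 = 1500 - 28, a clean Ethernet path) and print the path MTU in bytes,
# or 0 (with a non-zero exit status) when nothing is answered at all.
# PROBE defaults to probe_df; it is a parameter so the search can be exercised
# against a stub without network access.
find_pmtu() {
    host=$1
    probe=${2:-probe_df}
    lo=500
    hi=1472
    best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$host" "$mid"; then
            best=$mid
            lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    if [ "$best" -eq 0 ]; then
        echo 0
        return 1
    fi
    payload_to_mtu "$best"
}

# Usage from a client behind the 100E: sh pmtu.sh <exchange-server-ip>
if [ $# -ge 1 ]; then
    mtu=$(find_pmtu "$1")
    echo "path MTU to $1: $mtu bytes; largest TCP MSS that fits: $(mss_for_mtu "$mtu")"
fi
```

If the search stops at a 1434-byte MTU, as the fragment size quoted above suggests, the arithmetic gives 1394 as the largest MSS that still fits; the 1380 recommended in the reply sits a little below that, which leaves room for TCP options and any extra encapsulation on the path. Run the same measurement from site A as well: a noticeably larger result there would point at a difference in the site B WAN or tunnel configuration rather than at the iPhone.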