Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
backpackdam
New Contributor

Unable to get iPhone mail via WiFi on FortiGate 100E

We have several locations running Fortinet equipment and we can't get to our on-prem Exchange server when using WiFi from only one of the locations.

 

Main office has a FortiGate 200. Outlying offices both have FortiGate 100E. A site-to-site tunnel connects everything. When we're at the main office and on WiFi, any iPhone will connect to email using the Mail app perfectly. When we go to office A with the same iPhone, everything works fine. When we go to Office B (running FortiOS 6.2.11) with the same iPhone, we can't reach the Exchange server (via mail app or OWA address). We're able to ping the server just fine. If we use an Android or a laptop in that same office, there is no issue - it is ONLY the iPhone.

Sniffer logs show the Client Hello going from the iPhone to the Exchange server.  Logs on the HQ 200 show that the Server Hello gets sent to the 100E but then the connection times out (maybe due to using TLS 1.0 somehow?).

 

Again - the same iPhone will work in our other locations just fine.  It's only this ONE location that is having issues.

 

Has anyone experienced something similar?  Does anyone know of any magic setting in the 100E that may need to be changed?  Is there a way to use the 100E to find out what happens to the traffic?

11 REPLIES
backpackdam

Graham,

 

Thank you SO MUCH for your help. I changed the MTU to 1380 and it worked, although I had to use commands that differed from yours, since they didn't seem to have any effect:

config system interface
    edit <VPN INTERFACE>
        # mtu-override must be enabled first, otherwise 'set mtu' is ignored
        set mtu-override enable
        set mtu 1380
    next
end

That was after I was in the interface and did set mtu-override enable and tried tcp-mss 1380, but that didn't work. Running set mtu 1380 did, though.

 

Is the way I implemented the change going to work long term without affecting other traffic? 

gfleming

Hey there, yeah, setting the MTU is a good idea too. However, not all connections/devices will recognize the lower MTU and might still send packets that are too big. If it's working for you, great.

 

I would suggest a combo play: set MSS to 1380 and MTU to 1420. See how that works. Having only MTU set might cause delays/timeouts for some traffic still.

 

Is the WAN connection a PPPoE or similar connection with extra overhead? If so, you might want to manually set the MTU on the WAN link as well...

Cheers,
Graham
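The numbers in the two replies above (backpackdam's `set mtu 1380`, Graham's MSS 1380 / MTU 1420 combo) come from the overhead an IPsec ESP tunnel adds to every packet. The following is an added example, not code from the thread or from Fortinet: it computes the largest inner packet a tunnel-mode ESP SA can carry for a given outer MTU, derives the matching TCP MSS, and checks whether a full-size 1500-byte segment (the typical size of the TLS Server Hello segments carrying the Exchange certificate chain) would cross the tunnel without fragmentation. Header sizes follow RFC 4303 (ESP) and RFC 3948 (NAT-T UDP encapsulation); the cipher suites, their IV/ICV lengths and the `aes128-sha256`-style names are assumptions for illustration and may not match the thread's phase-2 proposal.

```python
# Added example (not from the forum thread or Fortinet): how much room an IPsec
# ESP tunnel leaves for inner packets, and which TCP MSS keeps a full segment
# inside that limit. Suites below are assumed for illustration.
from dataclasses import dataclass

IPV4_HDR = 20
TCP_HDR = 20
UDP_HDR = 8       # present only when NAT-T encapsulation is in use (RFC 3948)
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1); padding bytes counted separately


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int    # explicit IV that follows the ESP header
    align: int     # (inner packet + trailer) is padded to a multiple of this
    icv_len: int   # integrity check value appended after the trailer


# Assumed example suites (names loosely follow FortiOS proposal spelling).
AES128_CBC_SHA256 = EspSuite("aes128-sha256", iv_len=16, align=16, icv_len=16)
AES128_CBC_SHA1 = EspSuite("aes128-sha1", iv_len=16, align=16, icv_len=12)
AES128_GCM = EspSuite("aes128gcm", iv_len=8, align=4, icv_len=16)


def esp_fixed_overhead(suite, nat_t):
    """Bytes added to every tunnel-mode packet regardless of payload length."""
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + suite.iv_len + suite.icv_len


def encapsulated_len(inner_len, suite, nat_t):
    """Size of the outer packet that carries an inner packet of inner_len bytes."""
    body = inner_len + ESP_TRAILER
    padded = -(-body // suite.align) * suite.align   # round up to the alignment
    return esp_fixed_overhead(suite, nat_t) + padded


def max_inner_packet(outer_mtu, suite, nat_t):
    """Largest inner IPv4 packet that still fits in one outer packet."""
    room = outer_mtu - esp_fixed_overhead(suite, nat_t)
    if room < suite.align:
        raise ValueError("outer MTU leaves no room for this suite")
    return (room // suite.align) * suite.align - ESP_TRAILER


def tcp_mss_for(inner_mtu):
    """MSS to advertise (or clamp to) so a full-size segment fits the inner MTU."""
    return inner_mtu - IPV4_HDR - TCP_HDR


def fits_unfragmented(inner_len, outer_mtu, suite, nat_t):
    """True if the inner packet crosses the tunnel without fragmentation.

    Full 1500-byte segments with DF set (typical for a Server Hello carrying a
    certificate chain) must be dropped when this is False, leaving the sender
    to rely on path MTU discovery; a lost ICMP "fragmentation needed" then
    looks exactly like the timeout described in the thread.
    """
    return encapsulated_len(inner_len, suite, nat_t) <= outer_mtu


def clamp_mss(advertised_mss, inner_mtu):
    """What an MSS-clamping firewall writes into a passing SYN."""
    return min(advertised_mss, tcp_mss_for(inner_mtu))


if __name__ == "__main__":
    for outer, suite, nat_t in [
        (1500, AES128_CBC_SHA256, False),
        (1500, AES128_CBC_SHA256, True),
        (1492, AES128_CBC_SHA256, True),   # PPPoE WAN link
        (1500, AES128_GCM, False),
    ]:
        inner = max_inner_packet(outer, suite, nat_t)
        print(f"outer MTU {outer} {suite.name:14} nat-t={nat_t!s:5} "
              f"inner MTU {inner} -> TCP MSS {tcp_mss_for(inner)}")
    # The combo suggested in the thread: interface MTU 1420 with MSS 1380.
    print("1420 - 40 =", tcp_mss_for(1420), "; a 1500-byte segment fits:",
          fits_unfragmented(1500, 1500, AES128_CBC_SHA256, True))
```

With AES-CBC, SHA-256 and NAT-T on a 1500-byte WAN link the inner limit comes out at 1422 bytes (MSS 1382), which is why 1380/1420 work in practice: the MTU keeps the tunnel's own packets from needing fragmentation, and the MSS clamp fixes the hosts that ignore the interface MTU, including those whose own PMTUD is broken because ICMP is filtered somewhere on the path.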