We have several locations running Fortinet equipment and we can't get to our on-prem Exchange server when using WiFi from only one of the locations.
Main office has a Fortigate 200. Outlying offices both have Fortigate 100E. A site-to-site tunnel connects everything. When we're at the main office and on WiFi, any iPhone will connect to email using the Mail app perfectly. When we go to office A with the same iPhone, everything works fine. When we go to Office B (running FortiOS 6.2.11) with the same iPhone, we can't reach the Exchange server (via mail app or owa address). We're able to ping the server just fine. If we use an Android or a laptop in that same office, there is no issue - it is ONLY the iPhone.
Sniffer logs show the Client Hello going from the iPhone to the Exchange server. Logs on the HQ 200 show that the Server Hello gets sent to the 100E but then the connection times out (maybe due to using TLS 1.0 somehow?).
Again - the same iPhone will work in our other locations just fine. It's only this ONE location that is having issues.
Has anyone experienced something similar? Does anyone know of any magic setting in the 100E that may need to be changed? Is there a way to use the 100E to find out what happens to the traffic?
Hello backpackdam,
Thank you for using the Community Forum.
I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Regards,
Dear Customer,
May I know whether the iPhone on Site B is connected to the FortiGate by WiFi or whether you have an SSL VPN connection?
The iPhone at site B connects to a WiFi AP that is connected to the 100E. The 100E connects back to our HQ via an SSL VPN tunnel. This is the same method used at Site A. While we're fairly sure the configuration is the same, we're not sure if there is a setting somewhere on Site B that is different and don't know where to look since we can't determine what the actual problem is.
**UPDATE** - we had a (known) subscription to the Next Gen Firewall (NGFW) service that lapsed on Saturday the 17th. We let it lapse on purpose to see if the iPhones at site B would connect. We verified with users on-site yesterday (Sep 19) that the iPhones were in fact working like they do at our other locations.
Today, we followed up with them and the iPhones are back to failing like they were last week and every day before that.
Is there an AI/learning algorithm somewhere that may be learning and then blocking iPhone mail traffic? It also blocks traffic to our OWA page in Safari.
Created on 09-20-2022 01:49 PM Edited on 09-20-2022 01:50 PM
Let's ignore the mail client and underlying protocols for now. Let's just work with OWA. So an iPhone cannot connect to OWA using Safari. But an Android device can connect using Chrome?
What do the logs show for both connections? Any errors for the iPhone connection?
What security profiles do you have enabled on the FortiGate at Office B that would affect the iPhone traffic heading towards the Exchange server? Are you doing SSL inspection?
What appears on the iPhone? Do you get an error message? Does the error pop up immediately or does it time out?
Correct - an iPhone cannot connect to OWA via Safari but an Android will get there via Chrome. A Windows laptop will also get to OWA via Chrome.
Not sure where to look for errors for the iPhone connection. PCAP shows that the iPhone never receives a Server Hello / key exchange. It doesn't time out immediately but after 30-45 seconds?
Site B is doing traffic inspection but so is Site A. There is an IPS/IDS enabled but it isn't actively preventing traffic.
If you have some suggestions for where I should look for settings/logs/etc, I'm able to do that real quick.
All of the PCAPs we have are attached to our Fortinet Support ticket if you have access to those (I'll send you the number if you do!).
Thanks for all of your help so far!
Sure what is the ticket #?
Some more basic questions, can you download iNetTools on the iPhone and see if you can connect on port 443 to the OWA server?
The ticket number is 7551398.
It is hard for us to set up a test for this as the office having the issue is ~2.5 hours away and there is no tech staff to support testing. There are several PCAPs there that show good connection/bad connection from Site A and then a good connection from Site B. It doesn't matter the iPhone model or iOS version - all iPhones behave the same way. When on WiFi, we are able to reach out to the wider internet and browse like normal. It's just the connection to our Exchange server that doesn't work.
Are there settings that we can check at our HQ either on our iPhone or on the 100E?
Created on 09-21-2022 03:49 PM Edited on 09-21-2022 03:51 PM
Looks very much like an issue with fragmentation. What is your WAN link type? PPPoE or something?
You can probably mitigate this by setting the TCP-MSS size on the remote FortiGate's VPN interface. Given the fragments are sized at 1434 I would suggest setting TCP-MSS at 1380 and see how that works out for you.
config system interface
    edit <VPN INTERFACE>
        set tcp-mss 1380
    next
end
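As an added illustration (not code from the thread or from Fortinet), the MSS arithmetic behind a value like 1380, plus a small heuristic over a constructed capture summary that spots the symptom described in this thread: the Client Hello leaves, small server segments arrive, but every full-size segment carrying the Server Hello never does. The 80-byte tunnel overhead and the addresses are assumptions.

```python
# Added example: MSS arithmetic for a tunnel plus a PMTUD black-hole check
# over a constructed per-segment summary (sizes and whether data was ACKed).
from dataclasses import dataclass

IP_HDR = 20   # IPv4 header without options
TCP_HDR = 20  # TCP header without options


def safe_mss(wan_mtu: int, tunnel_overhead: int) -> int:
    """Largest TCP payload that still fits one WAN frame after encapsulation.
    tunnel_overhead is an assumed per-packet cost of the VPN encapsulation."""
    return wan_mtu - tunnel_overhead - IP_HDR - TCP_HDR


@dataclass
class Seg:
    src: str
    dst: str
    size: int    # IP total length in bytes
    acked: bool  # the receiver later acknowledged this data


def black_hole_suspected(segs, server, client):
    """Return (suspected, smallest_lost_size).

    Black-hole signature: every server->client segment that was acknowledged
    is smaller than every one that never was. A mixed picture (large segments
    delivered, or small ones lost) points to something other than MTU."""
    to_client = [s for s in segs if s.src == server and s.dst == client]
    delivered = [s.size for s in to_client if s.acked]
    lost = [s.size for s in to_client if not s.acked]
    if not delivered or not lost:
        return False, None
    return max(delivered) < min(lost), min(lost)


# Constructed summary of the failing site (addresses are made up):
# Client Hello out, a bare ACK back, then Server Hello segments that vanish.
EXCHANGE, IPHONE = "10.0.0.10", "192.168.2.50"
FAILING = [
    Seg(IPHONE, EXCHANGE, 557, True),    # Client Hello
    Seg(EXCHANGE, IPHONE, 40, True),     # bare ACK
    Seg(EXCHANGE, IPHONE, 1434, False),  # Server Hello + certificate, part 1
    Seg(EXCHANGE, IPHONE, 1434, False),  # part 2
]
HEALTHY = [Seg(IPHONE, EXCHANGE, 557, True), Seg(EXCHANGE, IPHONE, 1434, True)]

if __name__ == "__main__":
    print(black_hole_suspected(FAILING, EXCHANGE, IPHONE))  # (True, 1434)
    print(black_hole_suspected(HEALTHY, EXCHANGE, IPHONE))  # (False, None)
    print(safe_mss(1500, 80))                               # 1380
```

When the check fires, the smallest lost size tells you the segment size the path cannot carry, so the clamped MSS needs to sit below that size minus the 40 bytes of IP and TCP headers.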