We have several locations running Fortinet equipment and we can't get to our on-prem Exchange server when using WiFi from only one of the locations.
Main office has a Fortigate 200. Outlaying offices both have Fortigate 100E. A site-to-site tunnel connects everything. When we're at the main office and on WiFi, any iPhone will connect to email using the Mail app perfectly. When we go to office A with the same iPhone, everything works fine. When we go to Office B (running FortiOS 6.2.11) with the same iPhone, we can't reach the Exchange server (via mail app or owa address). We're able to ping the server just fine. If we use an Android or a laptop in that same office, there is no issue - it is ONLY the iPhone.
Sniffer logs show the Client Hello going from the iPhone to the Exchange server. Logs on the HQ 200 show that the Server Hello gets sent to the 100E but then the connection times out (maybe due to using TLS 1.0 somehow?).
Again - the same iPhone will work in our other locations just fine. It's only this ONE location that is having issues.
Has anyone experienced something similar? Does anyone know of any magic setting in the 100E that may need to be changed? Is there a way to use the 100E to find out what happens to the traffic?
Graham,
Thank you SO MUCH for your help. I changed the MTU to 1380 and it worked, although I had to use commands that differed from yours since they didn't seem to have any effect:
config system interface
edit <VPN INTERFACE>
set mtu 1380
end
That was after I was in the interface and did set mtu-override enable and tried the tcp-mss 1380 but that didn't work. Running set mtu 1380 did though.
Is the way I implemented the change going to work long term without affecting other traffic?
Created on 09-22-2022 08:27 AM Edited on 09-22-2022 08:28 AM
Hey there, yeah, setting MTU is a good idea too. However, not all connections/devices will recognize the lower MTU and might still send packets that are too big. If it's working for you, great.
I would suggest a combo play: set MSS to 1380 and MTU to 1420. See how that works. Having only MTU set might cause delays/timeouts for some traffic still.
Is the WAN connection a PPPoE or similar connection with extra overhead? If so you might want to manually set the MTU on the WAN link as well...
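To see where the 1380/1420 numbers in this thread come from, here is an added calculator (not from the thread or from Fortinet) that works out worst-case ESP tunnel-mode overhead for an inner IPv4 packet and the TCP MSS that keeps every full segment inside the tunnel. The IPsec proposal, NAT-T and PPPoE cases are assumptions; the thread does not say which phase 2 proposal the tunnel uses.

```python
# Added example: ESP tunnel-mode overhead (RFC 4303 framing) and the resulting
# tunnel MTU / TCP MSS. Cipher parameters are assumptions, not values from the thread.
from dataclasses import dataclass
import math

IPV4_HDR = 20
TCP_HDR = 20
UDP_HDR = 8          # added when NAT-T encapsulates ESP in UDP/4500
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
PPPOE_OVERHEAD = 8   # PPPoE session (6) + PPP protocol (2) on a 1500-byte Ethernet link

@dataclass
class EspProposal:
    iv_len: int
    icv_len: int
    pad_align: int   # CBC pads to the cipher block size; GCM pads to 4 bytes

AES_CBC_SHA1 = EspProposal(iv_len=16, icv_len=12, pad_align=16)  # assumed proposal
AES_GCM_128 = EspProposal(iv_len=8, icv_len=16, pad_align=4)     # assumed proposal

def esp_overhead(prop, inner_len, nat_t):
    """Bytes added to an inner IPv4 packet of inner_len by ESP tunnel mode."""
    body = inner_len + ESP_TRAILER
    padded = math.ceil(body / prop.pad_align) * prop.pad_align
    return (IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR
            + prop.iv_len + (padded - inner_len) + prop.icv_len)

def tunnel_mtu(link_mtu, prop, nat_t=False, pppoe=False):
    """Largest inner packet that fits the outer link without fragmentation."""
    outer = link_mtu - (PPPOE_OVERHEAD if pppoe else 0)
    inner = outer
    while inner + esp_overhead(prop, inner, nat_t) > outer:
        inner -= 1
    return inner

def safe_tcp_mss(link_mtu, prop, nat_t=False, pppoe=False):
    """TCP MSS that keeps a full segment inside the tunnel MTU (MSS only governs TCP)."""
    return tunnel_mtu(link_mtu, prop, nat_t, pppoe) - IPV4_HDR - TCP_HDR

if __name__ == "__main__":
    for nat_t in (False, True):
        for pppoe in (False, True):
            mtu = tunnel_mtu(1500, AES_CBC_SHA1, nat_t, pppoe)
            print(f"nat_t={nat_t} pppoe={pppoe}: tunnel MTU {mtu}, safe MSS {mtu - 40}")
```

With the assumed AES-CBC/HMAC-SHA1 proposal the tunnel MTU drops to 1422 bytes once NAT-T or PPPoE is in play, so an MSS of 1380 leaves a little headroom while an MSS derived from a 1500-byte MTU would not fit.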