Mac Outlook to Exchange disconnects on mail send

I have an Exchange 2016 DAG on premise published with the XG SFOS 17.0.5 MR-5 using WAF, not NAT-D. Everything has been working fine for several weeks following the deployment of the XG in my network, with the exception of Macintosh Outlook clients. When those users compose an email and hit send, the client disconnects with "General Error 998" and the email sits in the outbox until they force a reconnection, where the email will then send.

I removed the IPS from the Exchange publishing rule and it didn't have any effect on the behavior. I don't see anything in the WAF logs indicating a failure of any kind; however, when this occurs I see several entries in the firewall log appear from the client's IP for INVALID TCP RST and the rule ID for my Exchange publishing rule. So I took a TCP dump from the client and ended the dump when the disconnect occurred. The capture shows 10 TCP [RST] entries from the WAN IP for the Exchange publishing rule and then a second later the capture ends, so I am pretty sure these are causing the Mac client to disconnect, or at least it's causing the XG to drop the connection.

Am I missing something in the very cryptic and overly complicated web protection rule for this Exchange publishing that would affect only Macintosh clients that anyone has come across? Windows Outlook [anywhere], OWA, iPhone/iPad and a myriad of Android devices seemingly have no issues.

Here is a single entry from the client dump

1188 54.368278 123.123.123.123 172.16.0.70 TCP 54 443 → 49900 [RST] Seq=87451 Win=0 Len=0

And a single entry from the firewall log in the XG from this client when the disconnect occurred.

messageid="01001" log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="8" policy_type="3" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" in_interface="" out_interface="" src_mac="" src_ip="45.55.65.75" src_country="" dst_ip="123.123.123.123" dst_country="" protocol="TCP" src_port="50500" dst_port="443" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="Invalid TCP RST." appresolvedby="Signature"

Any insights as to what's happening here would be appreciated.

Thank you,

Jason
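
As an added example (not part of the original thread, and not Sophos code): a small Python script that parses firewall log entries in the key="value" layout quoted above and counts "Invalid TCP RST." denials per client IP and firewall rule, to check which clients and which rule the resets line up with. The sample entries, the function names and the threshold of 3 are assumptions made for illustration; it assumes the log is available as text with one entry per line.

```python
import re
from collections import Counter

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample entries using a subset of the fields from the log line
# quoted in the post; addresses, ports, counts and the last message are made up.
_TEMPLATE = ('log_type="Firewall" log_component="{comp}" log_subtype="{sub}" '
             'status="{status}" fw_rule_id="{rule}" user="" src_ip="{src}" '
             'dst_ip="123.123.123.123" protocol="TCP" src_port="{sport}" '
             'dst_port="443" message="{msg}"')
_ROWS = [
    ("Invalid Traffic", "Denied", "Deny", "8", "45.55.65.75", "50500", "Invalid TCP RST."),
    ("Invalid Traffic", "Denied", "Deny", "8", "45.55.65.75", "50500", "Invalid TCP RST."),
    ("Invalid Traffic", "Denied", "Deny", "8", "45.55.65.75", "50501", "Invalid TCP RST."),
    ("Invalid Traffic", "Denied", "Deny", "8", "198.51.100.20", "49900", "Invalid TCP RST."),
    ("Firewall Rule", "Allowed", "Allow", "8", "45.55.65.75", "50502", ""),
    ("Invalid Traffic", "Denied", "Deny", "0", "203.0.113.9", "40000", "constructed other reason"),
]
SAMPLE_LOG = "\n".join(
    _TEMPLATE.format(comp=c, sub=s, status=st, rule=r, src=ip, sport=p, msg=m)
    for c, s, st, r, ip, p, m in _ROWS)

def parse_line(line):
    """Turn one key="value" log entry into a dict; empty values are kept."""
    return dict(FIELD_RE.findall(line))

def rst_denials_by_client(log_text):
    """Count 'Invalid TCP RST.' entries per (client IP, firewall rule id)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec.get("log_component") == "Invalid Traffic"
                and rec.get("message") == "Invalid TCP RST."):
            counts[(rec.get("src_ip"), rec.get("fw_rule_id"))] += 1
    return counts

def bursts(counts, threshold=3):
    """Return (client IP, rule id, count) for clients at or above the threshold."""
    return sorted((ip, rule, n) for (ip, rule), n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for ip, rule, n in bursts(rst_denials_by_client(SAMPLE_LOG)):
        print(f"{ip}: {n} invalid RST denials on rule {rule}")
```

Comparing the flagged client IPs against the list of Mac Outlook users, and the timestamps against the reported disconnects, shows whether the resets are specific to those clients or also occur for clients that stay connected.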



  • Jason,

    I have the same issue on my Outlook for Mac since some XG MR release (I cannot remember which one). In my case, I have the email server externally and I only use SMTPS and IMAPS. Every time I open Outlook and I send an email, it gets stuck inside the outbound pool and the mail is not delivered until I manually push the send/receive button. After the first email, all the others are correctly sent. I am using XG to scan IMAPS and SMTPS traffic.

    If I move the PC to the other Wi-Fi at home, the issue goes away.

    Regards

  • Hi,

    I have the same issue with my wife's Mac when I try to scan IMAPS because Outlook will not take any notice of the certificate and seems to use 443 for IMAPS traffic. I can scan my Mac using Mac Mail, I can scan my wife's Mac Mail but not Outlook. Gave up and put her Mac mail (both Mac Mail and Outlook) access in a separate rule.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v20.0.2 MR-2

    If a post solves your question please use the 'Verify Answer' button.