
Mac Outlook to Exchange disconnects on mail send

I have an Exchange 2016 DAG on premise published with the XG SFOS 17.0.5 MR-5 using WAF, not NAT-D. Everything has been working fine for several weeks following the deployment of the XG in my network, with the exception of Macintosh Outlook clients. When those users compose an email and hit send, the client disconnects with "General Error 998" and the email sits in the outbox until they force a reconnection, where the email will then send.

I removed the IPS from the Exchange publishing rule and it didn't have any effect on the behavior. I don't see anything in the WAF logs indicating a failure of any kind; however, when this occurs I see several entries in the firewall log appear from the client's IP for INVALID TCP RST and the rule ID for my Exchange publishing rule. So I took a TCP Dump from the client and ended the dump when the disconnect occurred. The capture shows 10 TCP [RST] entries from the WAN IP for the Exchange publishing rule and then a second later the capture ends, so I am pretty sure these are causing the Mac client to disconnect, or at least it's causing the XG to drop the connection.

Am I missing something in the very cryptic and overly complicated web protection rule for this Exchange publishing that would affect only Macintosh clients that anyone has come across? Windows Outlook [anywhere], OWA, iPhone/iPad and a myriad of Android devices seemingly have no issues.

Here is a single entry from the client dump

1188 54.368278 123.123.123.123 172.16.0.70 TCP 54 443 → 49900 [RST] Seq=87451 Win=0 Len=0

And a single entry from the firewall log in the XG from this client when the disconnect occurred.

messageid="01001" log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="8" policy_type="3" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" in_interface="" out_interface="" src_mac="" src_ip="45.55.65.75" src_country="" dst_ip="123.123.123.123" dst_country="" protocol="TCP" src_port="50500" dst_port="443" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="Invalid TCP RST." appresolvedby="Signature"

Any insights as to what's happening here would be appreciated.

Thank you,

Jason
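
An added example, not part of the original post and not Sophos code: a small Python parser for key="value" firewall log lines like the entry quoted above, which counts denied "Invalid Traffic" entries per rule, client and message so they can be lined up with the time of a disconnect. The sample lines are constructed, and the function names are illustrative.

```python
import re
from collections import Counter

# key="value" pairs, the layout of the firewall log entry quoted in the post
PAIR = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Turn one key="value" log line into a dict (empty values are kept)."""
    return dict(PAIR.findall(line))

def invalid_traffic_summary(lines, rule_id=None):
    """Count denied 'Invalid Traffic' entries per (rule, client, dest, message)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec.get("log_component") != "Invalid Traffic" or rec.get("status") != "Deny":
            continue
        if rule_id is not None and rec.get("fw_rule_id") != str(rule_id):
            continue
        dest = f'{rec.get("dst_ip", "")}:{rec.get("dst_port", "")}'
        counts[(rec.get("fw_rule_id", ""), rec.get("src_ip", ""), dest,
                rec.get("message", ""))] += 1
    return counts

def _line(**fields):
    # Helper for the constructed sample below; real entries carry many more fields
    return " ".join(f'{k}="{v}"' for k, v in fields.items())

_BASE = dict(log_type="Firewall", log_component="Invalid Traffic", status="Deny",
             fw_rule_id="8", src_ip="45.55.65.75", dst_ip="123.123.123.123",
             protocol="TCP", dst_port="443", message="Invalid TCP RST.")

# Constructed sample lines, not real log data
SAMPLE = (
    [_line(**_BASE)] * 3
    + [_line(**{**_BASE, "src_ip": "203.0.113.20",
                "message": "Could not associate packet to any connection."})]
    + [_line(**{**_BASE, "log_component": "Firewall Rule", "status": "Allow",
                "message": ""})]
    + [_line(**{**_BASE, "fw_rule_id": "5", "src_ip": "203.0.113.20"})]
)

if __name__ == "__main__":
    for key, n in invalid_traffic_summary(SAMPLE, rule_id=8).most_common():
        print(n, *key)
```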



  • I am pretty sure that we are using MAPI over HTTP with Outlook connected to our Exchange 2016 DAG. The failures are intermittent and upon reconnect it passes the traffic successfully, so whatever is going on I believe it is related to the WAF content inspection for the server protection policy. I would suspect that the Macintosh TCP stack is handling TLS session teardowns in a way that leads the XG to spit out a bunch of these Invalid TCP RST warnings and dump the connection. I opened a case with Sophos support so maybe one of their engineers can look at my Wireshark capture and see if they see something that they know causes this.

    I'll make sure to update this when I get some traction.

  • Did you ever get an update on this issue?

    I have the same problem with the Mac Outlook client using Gmail. I get a lot of "Could not associate packet to any connection." when trying to connect to Gmail on port 443.

  • I don't have that issue anymore, but have a new one where my wife's Outlook loses the password on one account. Doesn't happen on Mac Mail.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.
