
Mac Outlook to Exchange disconnects on mail send

I have an Exchange 2016 DAG on premise published with the XG SFOS 17.0.5 MR-5 using WAF, not NAT-D. Everything has been working fine for several weeks following the deployment of the XG in my network, with the exception of Macintosh Outlook clients. When those users compose an email and hit send, the client disconnects with "General Error 998" and the email sits in the outbox until they force a reconnection, where the email will then send.

I removed the IPS from the Exchange publishing rule and it didn't have any effect on the behavior. I don't see anything in the WAF logs indicating a failure of any kind; however, when this occurs I see several entries in the firewall log appear from the client's IP for INVALID TCP RST and the rule ID for my Exchange publishing rule. So I took a TCP dump from the client and ended the dump when the disconnect occurred. The capture shows 10 TCP [RST] entries from the WAN IP for the Exchange publishing rule, and then a second later the capture ends, so I am pretty sure these are causing the Mac client to disconnect, or at least it's causing the XG to drop the connection.

Am I missing something in the very cryptic and overly complicated web protection rule for this Exchange publishing that would affect only Macintosh clients that anyone has come across? Windows Outlook [Anywhere], OWA, iPhone/iPad and a myriad of Android devices seemingly have no issues.

Here is a single entry from the client dump

1188 54.368278 123.123.123.123 172.16.0.70 TCP 54 443 → 49900 [RST] Seq=87451 Win=0 Len=0

And a single entry from the firewall log in the XG from this client when the disconnect occurred.

messageid="01001" log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="8" policy_type="3" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" in_interface="" out_interface="" src_mac="" src_ip="45.55.65.75" src_country="" dst_ip="123.123.123.123" dst_country="" protocol="TCP" src_port="50500" dst_port="443" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="Invalid TCP RST." appresolvedby="Signature"

Any insights as to what's happening here would be appreciated.

Thank you,

Jason
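As an added example (not code from the thread or from Sophos), the following Python parses the key="value" firewall log format quoted above and flags clients that produce a burst of "Invalid TCP RST." denials against a given firewall rule ID, which is the pattern described for the Mac clients. The sample log lines are constructed for the example, the IP addresses are placeholders, and the rule ID "8" and the threshold of three events are assumptions chosen to match the quoted entry.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample lines modelled on the XG firewall entry quoted above.
# Only the fields this check needs are kept; IPs and ports are placeholders.
SAMPLE_LOG = """\
messageid="01001" log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" fw_rule_id="8" src_ip="45.55.65.75" dst_ip="123.123.123.123" protocol="TCP" src_port="50500" dst_port="443" message="Invalid TCP RST."
messageid="01001" log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" fw_rule_id="8" src_ip="45.55.65.75" dst_ip="123.123.123.123" protocol="TCP" src_port="50501" dst_port="443" message="Invalid TCP RST."
messageid="01001" log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" fw_rule_id="8" src_ip="45.55.65.75" dst_ip="123.123.123.123" protocol="TCP" src_port="50502" dst_port="443" message="Invalid TCP RST."
messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" fw_rule_id="8" src_ip="10.0.0.5" dst_ip="123.123.123.123" protocol="TCP" src_port="40000" dst_port="443" message=""
messageid="01001" log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" fw_rule_id="12" src_ip="10.0.0.9" dst_ip="123.123.123.123" protocol="TCP" src_port="51000" dst_port="25" message="Invalid TCP RST."
"""

# One key="value" pair; values may be empty, as many fields in the real entry are.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str) -> Dict[str, str]:
    """Turn a single key="value" log line into a dict of field -> value."""
    return dict(KV_RE.findall(line))


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every non-empty line of a log dump."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def invalid_rst_by_client(
    events: List[Dict[str, str]],
    fw_rule_id: Optional[str] = None,
    threshold: int = 3,
) -> Dict[Tuple[str, str], int]:
    """Count 'Invalid TCP RST.' denials per (src_ip, fw_rule_id).

    Returns only the (client, rule) pairs that reached the threshold, so a
    single stray RST is ignored while a burst like the one in the thread
    (several denials from one client against the publishing rule) is reported.
    """
    counts: Counter = Counter()
    for ev in events:
        if ev.get("log_component") != "Invalid Traffic":
            continue
        if ev.get("message") != "Invalid TCP RST.":
            continue
        if fw_rule_id is not None and ev.get("fw_rule_id") != fw_rule_id:
            continue
        counts[(ev.get("src_ip", ""), ev.get("fw_rule_id", ""))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # Restrict to the assumed Exchange publishing rule ID "8".
    for (client, rule), n in invalid_rst_by_client(parse_log(SAMPLE_LOG), fw_rule_id="8").items():
        print(f"{client} produced {n} invalid TCP RST denials against rule {rule}")
```

Running the check over an exported firewall log, filtered to the publishing rule's ID, gives a per-client count that can be compared against the time of each reported Outlook disconnect; the "could not associate packet to any connection" style entries mentioned later in the thread are a different message and are deliberately not counted here.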



  • I am pretty sure that we are using MAPI over HTTP with Outlook connected to our Exchange 2016 DAG. The failures are intermittent and upon reconnect it passes the traffic successfully, so whatever is going on, I believe it is related to the WAF content inspection for the server protection policy. I would suspect that the Macintosh TCP stack is handling TLS session teardowns in a way that leads the XG to spit out a bunch of these Invalid TCP RST warnings and dump the connection. I opened a case with Sophos support, so maybe one of their engineers can look at my Wireshark capture and see if they see something that they know causes this.

    I'll make sure to update this when I get some traction.

  • I'm seeing this on an XG firewall with the latest firmware installed. I confirmed it works fine with Mac mail but Outlook 2016 can't send from a Gmail or an IMAP account hosted with Bluehost. The user can send through his Exchange server just fine. The only thing I see in the logs is what others have mentioned about "could not associate packet to any connection" but I'm also seeing that error for mail servers that people have absolutely no problem with. Is there a solution to this? The mail scanning isn't a service that has a subscription. 

  • I have the same issue and it must have to do with the scanning of the mail traffic for (IMAPs, SMTPs and POPs).

    I have the issue with mail which isn't transferred to my mail server (on the internet). I have to rewrite the mail or I have to try the resend button manually (it isn't always working).

    What I also see, if I open my Outlook client, is that I have a certificate problem. A solution was to add the certificate to my trusted authorities; it seems that it helped for a short time, but I always get it again.

    These messages are because there is a new certificate from my XG.

    I just added a new question because with an iPhone you will go crazy if within seconds you get a message about a non-trusted mail server and it then blocks the phone.

    Adding the certificate to the trusted authorities folders didn't really help.

    At the moment I see only undoing the check of IMAPs, SMTPs and POPs if there is no transparency between a mail client and the mail server. I would also not trust a server or client if there are certificate changes in between.

    Wolfgang

  • Here's what I think happened. When setting up the new XG Firewall, it activated a trial of all of their services. When it did this, it set the SMTP deployment to MTA mode. Changing this to Legacy mode allowed Outlook 2016 for Mac to send to the problem servers. 

  • FormerMember in reply to CSC1

    Hi ChrisC1,

    When you deploy new XG firewall by default email protection is enabled and the SMTP deployment mode is MTA. It also automatically creates SMTP/SMTPS scanning rule. If you are not going to configure email protection on the firewall, you have to either disable that automatically added rule or change SMTP deployment mode to Legacy. Changing SMTP deployment mode to Legacy will disable that automatically added rule. 

    Thanks,
