pnunan
New Contributor

Push notification to apple devices

Starting sometime in the last 24 hours, push notifications to Apple devices stopped working. Phone never displays the prompt, entering token works fine. Push is working on Android devices. We are seeing the FAC send the push notice and waiting for reply. We are seeing the outbound traffic on the edge Gate, no return traffic except for Android devices. Anyone else seeing this issue?

I would like to see if this is a larger issue or something internal to us.

 

Thank you in advance for your input.

Phil

lynx
New Contributor

I noticed the same this morning. Android devices get the push notifications just fine, but iOS devices do not get the notification. FAC sends the notice to Apple APN successfully, but it doesn't arrive at the end device (tested with two different iOS devices with different iOS versions). Probably something bigger and very annoying.

pnunan
New Contributor

Contact TAC; there is apparently a change at Apple that affects certain firmware on FAC. A non-intrusive update appears to have corrected the issue.

lynx
New Contributor

Lucky you, that you got this issue solved easily.

 

I raised a ticket and even if it's obvious from the PCAP done on FAC that FAC tries to authenticate to Apple APN with a revoked certificate and gets rejected (while our FortiGate renewed the certs on 8th of May and probably push notification from FAC started failing since then), the consultant assigned to the ticket fails to give proper advice (asking about firewall policies, asking to do some voodoo magic on APN certificates residing on FortiGate, etc.).

And I am a bit hesitant to do any upgrades on my own yet, but it is quite annoying. Well, let's see how it finally turns out. 

emnoc
Esteemed Contributor III

    "with a revoked certificate and gets rejected"

 

If that is true, why can't you reissue the certificate? And is this the provider or APN certificate that you're talking about here in this example?

Ken Felix

 

PCNSE NSE StrongSwan
lynx
New Contributor

It's the APN certificate. I am not sure how FAC should renew it.

FortiGate updates APN certs automatically, or if it doesn't you can just rename the old ones and it re-downloads them from FortiGuard. 

As it's one image per post, firstly I attach the PCAP itself, where the alert is visible. Communication from FAC outside interface to Apple APN. The alert is clearly visible after FAC attempts to identify itself. In the next post I will attach the extracted cert itself. 

 

lynx
New Contributor

Here's the screenshot of the cert, presented by FAC to Apple. 

emnoc
Esteemed Contributor III

I'm lost; that cert is NOT expired, but back on APN, can you restroke a CSR and import the new APN certificate and not use any automated process? You should have a provider and APN certificate in the mutual SSL negotiation, IIRC.

Ken Felix

lynx
New Contributor

It's not expired by date, but it's probably revoked on Apple's side (as the alert says).

And it looks like in FAC I cannot manage the actual APN certificates so easily (or there are some hidden commands, whatsoever). Just like in FGT, the APN certs are not visible under "normal" certificate list and they are auto-updated by FortiGuard. It's not something manageable by users and requested by them. It's not like I own some custom server and can easily request a push notification cert from Apple. 
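
An added example (not part of any post in this thread, and not Fortinet or Apple code): a small Python decoder for the plaintext TLS alert record that a capture like the one described would contain, which tells certificate_revoked (44) apart from certificate_expired (45). The sample bytes are constructed, and it assumes a TLS 1.2 or earlier handshake in which the peer's alert is sent unencrypted.

```python
import struct

CONTENT_TYPE_ALERT = 21  # TLS record content type for alerts
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Certificate-related alert descriptions from RFC 5246, section 7.2.
ALERT_DESCRIPTIONS = {
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
}


def parse_tls_alerts(stream: bytes):
    """Walk the TLS records in one direction of a reassembled TCP stream
    and return a (level, description) tuple for every alert record found."""
    alerts, offset = [], 0
    while offset + 5 <= len(stream):
        ctype, major, _minor, length = struct.unpack_from("!BBBH", stream, offset)
        if major != 3:
            break  # not a TLS record header; stop instead of guessing
        body = stream[offset + 5 : offset + 5 + length]
        if len(body) < length:
            break  # record truncated by the capture
        if ctype == CONTENT_TYPE_ALERT:
            if length == 2:
                level, desc = body  # two plaintext bytes: level, description
                alerts.append((ALERT_LEVELS.get(level, f"level_{level}"),
                               ALERT_DESCRIPTIONS.get(desc, f"alert_{desc}")))
            else:
                # A longer alert body is encrypted and cannot be read here.
                alerts.append(("encrypted", "encrypted"))
        offset += 5 + length
    return alerts


# Constructed sample (not taken from the thread's capture): a ServerHelloDone
# handshake record followed by a fatal alert with description 44.
SAMPLE_SERVER_BYTES = bytes.fromhex("16030300040e000000" + "1503030002022c")

if __name__ == "__main__":
    for level, description in parse_tls_alerts(SAMPLE_SERVER_BYTES):
        print(f"{level}: {description}")
```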

emnoc
Esteemed Contributor III

I wonder about that last part. I believe you can craft an APN-CSR and submit it into the APN develop whatever and get back a certificate, but I haven't played with the FortiAuth enough in that area. IIRC they had a tool to check if your certificate was revoked, btw.
