Push notification to apple devices

Author
pnunan
2020/05/08 07:41:28 (permalink)
0

Push notification to apple devices

Starting sometime in the last 24 hours push notifications to Apple devices stopped working. Phone never displays the prompt, entering token works fine. Push is working on android devices. We are seeing the FAC send the push notice and waiting for reply. We are seeing the outbound traffic on the edge Gate, no return traffic except for android devices. Anyone else seeing this issue?
I would like to see if this is a larger issue or something internal to us.
 
Thank you in advance for your input.
Phil
#1


    lynx
    Re: Push notification to apple devices 2020/05/11 01:25:55 (permalink)
    0
    I noticed the same this morning. Android devices get the push notifications just fine, but iOS devices do not get the notification. FAC sends the notice to Apple APN successfully, but it doesn't arrive at the end device (tested with two different iOS devices with different iOS versions). Probably something bigger and very annoying.
    #2
    pnunan
    Re: Push notification to apple devices 2020/05/11 05:19:37 (permalink)
    0
    Contact TAC; there is apparently a change at Apple that affects certain firmware on FAC. A non-intrusive update appears to have corrected the issue.
    #3
    lynx
    Re: Push notification to apple devices 2020/05/12 07:05:21 (permalink)
    2 (1)
    Lucky you, that you got this issue solved easily.
     
    I raised a ticket and even if it's obvious from the PCAP done on FAC that FAC tries to authenticate to Apple APN with a revoked certificate and gets rejected (while our FortiGate renewed the certs on 8th of May and probably push notification from FAC started failing since then), the consultant assigned to the ticket fails to give proper advice (asking about firewall policies, asking to do some voodoo magic on APN certificates residing on FortiGate, etc.).
     
     
    And I am a bit hesitant to do any upgrades on my own yet, but it is quite annoying. Well, let's see how it finally turns out. 
    #4
    emnoc
    Re: Push notification to apple devices 2020/05/12 07:11:53 (permalink)
    0
        "with a revoked certificate and gets rejected"
     
    If that is true, why can't you reissue the certificate? And is this the provider or APN certificate that you're talking about here in this example?
     
    Ken Felix
     

    PCNSE 
    NSE 
    StrongSwan  
    #5
    lynx
    Re: Push notification to apple devices 2020/05/12 07:24:55 (permalink)
    2 (1)
    It's the APN certificate. I am not sure how FAC should renew it.
    FortiGate updates APN certs automatically, or if it doesn't you can just rename the old ones and it re-downloads them from FortiGuard. 
    As it's one image per post, firstly I attach the PCAP itself, where the alert is visible. Communication from FAC outside interface to Apple APN. The alert is clearly visible after FAC attempts to identify itself. In the next post I will attach the extracted cert itself. 
     

    Attached Image(s)

    #6
    lynx
    Re: Push notification to apple devices 2020/05/12 07:26:02 (permalink)
    0
    Here's the screenshot of the cert, presented by FAC to Apple. 

    Attached Image(s)

    #7
    emnoc
    Re: Push notification to apple devices 2020/05/12 07:43:02 (permalink)
    0
    I'm lost; that cert is NOT expired, but back on APN, can you restroke a CSR and import the new APN certificate and not use any automated process? You should have a provider and APN certificate in the mutual SSL negotiation, IIRC.
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    #8
    lynx
    Re: Push notification to apple devices 2020/05/12 07:53:20 (permalink)
    0
    It's not expired by date, but it's probably revoked on Apple's side (as the alert says).
    And it looks like in FAC I cannot manage the actual APN certificates so easily (or there are some hidden commands, whatsoever). Just like in FGT, the APN certs are not visible under "normal" certificate list and they are auto-updated by FortiGuard. It's not something manageable by users and requested by them. It's not like I own some custom server and can easily request a push notification cert from Apple. 
    #9
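
The distinction discussed in this thread, a certificate that is still inside its validity dates but is rejected with a TLS alert, can be read straight from the capture. The following is an added example, not code from any poster or from Fortinet: it walks the TLS records in one direction of a reassembled TCP stream and decodes plaintext alert records. It assumes a TLS 1.2 or earlier handshake, where the alert is sent unencrypted; the sample bytes are constructed.

```python
import struct

# Certificate-related TLS AlertDescription values (RFC 5246, section 7.2).
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}
LEVELS = {1: "warning", 2: "fatal"}
RECORD_TYPES = (20, 21, 22, 23)  # change_cipher_spec, alert, handshake, app data


def find_alerts(stream: bytes):
    """Walk the TLS records in one direction of a reassembled TCP stream
    and return (level, description) for every plaintext alert record."""
    alerts, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, major, _minor, length = struct.unpack_from("!BBBH", stream, pos)
        if major != 3 or ctype not in RECORD_TYPES:
            break  # not a TLS record header: stop instead of guessing
        body = stream[pos + 5:pos + 5 + length]
        if len(body) < length:
            break  # capture truncated mid-record
        # A plaintext alert is exactly 2 bytes; an encrypted one is longer.
        if ctype == 21 and length == 2:
            level, desc = body
            alerts.append((LEVELS.get(level, f"level_{level}"),
                           CERT_ALERTS.get(desc, f"alert_{desc}")))
        pos += 5 + length
    return alerts


def diagnose(alerts):
    """Turn the first fatal certificate alert into an operator-facing hint."""
    for level, name in alerts:
        if level != "fatal" or name not in CERT_ALERTS.values():
            continue
        if name == "certificate_revoked":
            return "revoked: validity dates do not matter, a new cert is needed"
        if name == "certificate_expired":
            return "expired: check notAfter and the sender's clock"
        return f"rejected: {name}"
    return "no plaintext certificate alert found"


# Constructed sample: a ServerHelloDone handshake record, then fatal alert 44.
SAMPLE = bytes.fromhex("1603030004" "0e000000" "1503030002" "022c")

if __name__ == "__main__":
    print(find_alerts(SAMPLE), "->", diagnose(find_alerts(SAMPLE)))
```
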
    emnoc
    Re: Push notification to apple devices 2020/05/12 08:01:38 (permalink)
    0
    I wonder about that last part. I believe you can craft an APN-CSR and submit it into the APN develop whatever and get back a certificate, but I haven't played with the FortiAuth enough in that area. IIRC they had a tool to check if your certificate was revoked, btw.

    PCNSE 
    NSE 
    StrongSwan  
    #10
    lynx
    Re: Push notification to apple devices 2020/05/13 01:40:10 (permalink)
    0
    After all, just like in the post author's case, there had to be a FAC non-intrusive debug kit installed and it fixed the cert presented to Apple APN by FAC. Push notifications for iOS happily work again.
    #11
    tanr
    Re: Push notification to apple devices 2020/05/13 08:00:02 (permalink)
    0
    What was installed on the FAC that fixed this?  Was this something from TAC, a firmware update, or something else?
    #12
    lynx
    Re: Push notification to apple devices 2020/05/13 08:02:10 (permalink)
    0
    Yes, it was installed on FAC through firmware update dialogue, but it didn't cause any reboot, so service wasn't disrupted. The file was provided by TAC and had extension of .dgb (debug kit). 
    #13
    tanr
    Re: Push notification to apple devices 2020/05/13 08:04:09 (permalink)
    0
    Thanks for clarifying.
    #14