analyzing failed exchange activesync captures

asked 2021-06-07 17:35:19 +0000

TeraBill
1 ●1

Hi. This is my first post here.

I have a problem with our new Exchange implementation in that it does not work with iPhones (which we need because all our company cell phones are iphones). The symptom is identical to what is described here: https://community.spiceworks.com/topic/2093582-no-activesync-on-ios11-since-migration-to-exchange-2016. The simple explanation is everything works for all users except opening and sending mail from an iphone (android phones work). The above poster used wireshark to determine the problem. Now I am trying to analyze my wireshark results to determine if I have the same root cause as the above post. If so I will pursue the same solution as him. If not hopefully this analysis will point to what I need to do for a solution.

I am not too sure about what to show here inline so I will try attaching 2 small capture files. Hmm, I need 60 points to add attachments. OK, so then here they are in a shared onedrive folder https://1drv.ms/u/s!AlDOlMFUUMwVhXOLu4Halp7B6Eh2?e=MIy1Ip. There are 2 files there at this point, androidCheckMail-002.pcapng and iphoneCheckMail-002.pcapng. Both of them are phones doing the same thing: refreshing the inbox. Android is the one that works and the iphone is the one that does not work. what stands out to me is that the android one has a bunch of "[PSH, ACK]" and the iphone one has none.

I don't know how to prefilter a packet trace so these files have all traffic (which is actually very little on that network path and it is only port 443). You will have to apply the filter "ip.addr ==209.52.88.23" on the android file and "ip.addr ==209.52.88.185" on the iphone file. They are both communicating with the same exchange server which is 10.0.25.49.

I appreciate any help I can get in analyzing these packet traces. And now I realize these may not be the best traces because they are simply refershing the inbox and the iphone does appear to that correctly (it displays the complete list of emails in the inbox). What it doe not do is it does not open an email to view and it does not send. So I will take some more captures of email open and send of both devices to see what's different

edit retag flag offensive close merge delete

add a comment

answered 2021-06-07 18:48:25 +0000

TeraBill
1 ●1

I have now added 2 more files to the fileshare at https://1drv.ms/u/s!AlDOlMFUUMwVhXOLu4Halp7B6Eh2?e=MIy1Ip.. They are androidReadMail.pcapng and iphoneReadMail.pcapng. They both have a recently updated inbox with one new unread message. I start the trace just before opening the message to view it. This time the android is 209.52.88.56 and the iphone is 209.52.88.240. Sorry but they get new IP addrs each time I move the SIM card from one device to the other.

The Android of course is working and opens the message for me. The iphone tries to open but where the body of the email would normally be is just a message saying "This message has not been downloaded from the server."

So, now, while I wait to see if anyone has some clues for me, I will go about studying tutorials on understanding wireshark captures. I do have a good understanding of networking (even certified as CCNA a few years back) but I don't know any details of TLS negotiation or have much practice in knowing what to look for in IP packet headers.

edit flag offensive delete link

add a comment

analyzing failed exchange activesync captures

1 Answer

Your Answer

Question Tools

Stats

Related questions

analyzing failed exchange activesync captures edit

1 Answer