10 thoughts on “It’s more like In-ActiveSync!”

  1. Hello,

    I read your detailed article and I want to congratulate you on it. I have had a problem with ActiveSync for almost 10 months … I’m starting to go crazy.

    We used Workspace ONE with SEGv1 without any problem … the problem started only with SEGv2.

    1. We use certificate-based authentication
    2. Our F5 proxy gets the CN from the user certificate and does SSO Kerberos
    3. After a while we are prompted for authentication; we have incoming settings with the username, domain, server and client certificate, and the authentication failed. Have you already had this issue?

    If I go to the “http-transaction” log I get this message
    “””(vert.x-eventloop-thread-3), Connection between Device and SEG was terminated :: error message – An existing connection was forcibly closed by the remote host, POST,192.168.1.139,null,18503fae-15b5-4893-9377-a915a60cf045,18503fae-15b5-4893-9377-a915a60cf045,fb9b5984-f1b3-4886-b792-792908fded08,D1D8C3896A25499F8ED860EABBE50B77,ACME\xx.xx,Ping,BoxerManagedAndroid,”AirWatch Boxer (SM-G950F; Android 9) Version 5.21.0.3/2023″,true,7,11,0,0,125,0,0,0,0,0,0,0,1602675907738,1001″”””

    On our F5 the session timeout is set to the maximum, “604800 seconds”

  2. Hi Jon,

    First of all, great article. Second, I need your advice on a couple of issues I am facing with ActiveSync.

    1. The first sync doesn’t complete when set to 1 month sync, and then, like you mentioned, that device always has issues. What could be causing the first sync to not complete, and how can I force it to sync again rather than removing the account and adding it back?
    2. With Direct Push technology on Exchange 2013 mailbox servers with an Exchange CAS server, NetScaler load balancing and a Cisco ASA firewall, what are the settings for timeout? Everything is default on the Exchange mailbox and CAS servers, so I am guessing I only need to change things on the NetScaler and Cisco ASA.
    3. Do you have any articles for NetScaler and Cisco ASA like you have for F5?

    Any help would be good.

    Thanks,
    HP

    1. Hi HP,

      So for #1: the question comes back to what you are doing. How are you securing ActiveSync? ABQ? VMware Secure Email Gateway, etc? Initial sync can be impeded by all sorts of things.

      For #2: The way the heartbeat works is iterative. So, if we say you have something in the DMZ proxying traffic it works like this (For Idle Session Timeout):
      1. External DMZ Load Balancer (30m)
      2. DMZ Server (35m)
      3. Internal Firewall (40m)
      4. Internal Load Balancer (45m)
      5. Internal Servers (50m)

      As you can see, with every single hop, you add 5 minutes typically. Things that can impact the heartbeat include Firewalls, Servers, Load Balancers, and even Routers.

      On #3, for the ASAs you should review this: https://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/conns-connlimits.html. Typically on your ASA, you need to account for the global session timeout and TCP timeouts. As far as NetScaler goes, this article is good: https://www.citrix.com/content/dam/citrix/en_us/documents/guide/deploying-netscaler-with-microsoft-exchange-2016.pdf

    1. Are you running a cluster? That might be why that setting is being overwritten.

      Have you opened a ticket with their support team to see what the supported way of increasing the serverTimeoutInMillis is? I’m emailing their PM now.

  3. Hi Jon,
    Thank you for the detailed description.
    I have trouble with some iPhones; sometimes they stop receiving mail in the native Mail app.
    I’m using SEG V2 vers. 2.9
    Do you know how to configure the timeout values in SEG V2?

    1. Do you have your idle session timeouts configured properly from client to server?

      The idea is that your first hop needs to have a 30m timeout and it grows going in (e.g. Load balancer would have a 30m timeout, SEG would be 35m, firewall would be 40m, F5 45m, Exchange Server 50m, etc.). One of the biggest issues you run into is that if something besides Exchange closes the long-lived connection, it may result in server issues, e.g. email resync, 500 errors, etc.

      1. Thanks for your reply!

        The Exchange server has the standard configuration in web.config:
        "MinHeartbeatInterval" value="60"
        "MaxHeartbeatInterval" value="3540"
        "HeartbeatSampleSize" value="200"
        "HeartbeatAlertThreshold" value="540"

        We’re using Kemp-LB with a 2100 sec. session timeout and “least connection”.

        But we can’t change the session timeout of SEG V2 – it seems it can be configured in the config.json file:

        "emailServerConfig" : {
          "serverHostAndPort" : "https://activesync.domain.com:443",
          "serverTimeoutInMillis" : 1200000,
          "serverConnectionPoolSize" : 25000,
          "ignoreSslErrorsWithExch" : false,
          "emailType" : "EXCHANGE"
        }

        I tried to set the timeout value to “2700000”, but any changes in this file are overwritten by the SEG service.

        I see the entry below in the SEG app.log, and in the Exchange server log a lot of “NMstolen” and 1040 event logs (ActiveSync push warnings)

        2019-01-21 16:23:14.652 ERROR (vert.x-eventloop-thread-0) [c.a.s.h.EmailResponseHelper] – Error serving email request for device [DeviceId=very-long-Devide-ID,DeviceType=iPhone,User=unername@domain.com,TransactionId=efe4f4c4-d6b1-4c56-98aa-955f654f8e8e,Cmd=Ping,MailClient=Apple-iPhone9C3/1603.101] URI /Microsoft-Server-ActiveSync?User=unername@domain.com&DeviceId=very-long-Devide-ID&DeviceType=iPhone&Cmd=Ping, query User=unername@domain.com&DeviceId=very-long-Devide-ID&DeviceType=iPhone&Cmd=Ping, method POST
        java.util.concurrent.TimeoutException: The timeout period of 1200000ms has been exceeded while executing POST /Microsoft-Server-ActiveSync?User=unername%40domain.com&DeviceId=very-long-Devide-ID&DeviceType=iPhone&Cmd=Ping for host activesync.domain.com
        at io.vertx.core.http.impl.HttpClientRequestBase.timeout(HttpClientRequestBase.java:183)
        at io.vertx.core.http.impl.HttpClientRequestBase.handleTimeout(HttpClientRequestBase.java:168)
        at io.vertx.core.http.impl.HttpClientRequestBase.lambda$setTimeout$0(HttpClientRequestBase.java:126)
        at io.vertx.core.impl.VertxImpl$InternalTimerHandler.handle(VertxImpl.java:870)
        at io.vertx.core.impl.VertxImpl$InternalTimerHandler.handle(VertxImpl.java:829)
        at io.vertx.core.impl.ContextImpl.lambda$wrapTask$2(ContextImpl.java:344)
        at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:163)
        at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:403)
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:463)
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858)
        at java.lang.Thread.run(Unknown Source)
        2019-01-21 16:23:14.652 ERROR (vert.x-eventloop-thread-0) [c.a.s.h.EmailResponseHelper] – Response to device is (status code 400, status message The timeout period of 1200000ms has been exceeded while executing POST /Microsoft-Server-ActiveSync?User=unername%40domain.com&DeviceId=very-long-Devide-ID&DeviceType=iPhone&Cmd=Ping for host activesync.domain.com). Device [DeviceId=very-long-Devide-ID,DeviceType=iPhone,User=unername@domain.com,TransactionId=efe4f4c4-d6b1-4c56-98aa-955f654f8e8e,Cmd=Ping,MailClient=Apple-iPhone9C3/1603.101]
        2019-01-21 16:23:14.652 ERROR (vert.x-eventloop-thread-0) [c.a.s.u.HeadersLogger] – efe4f4c4-d6b1-4c56-98aa-955f654f8e8e – DEVICE_REQUEST headers::
        Host : seg1.domain.com
        MS-ASProtocolVersion : 16.1
        Accept-Encoding : br, gzip, deflate
        Cookie : X-BackEndCookie=”S-1-5-21-169686320-456479945-464344438-92648=u56Lnp2ejJqBysjJzMnMysnSmczGy9LLzMmb0s -> header actual length : 151
        Connection : keep-alive
        Accept : */*
        User-Agent : Apple-iPhone9C3/1603.101
        Content-Length : 0
        Accept-Language : en-us
        X-MS-PolicyKey : 2491819913
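
The idle-timeout rule described in the replies above (first hop 30m, each hop inward longer than the one in front of it), as an added check that is not part of the original comments. The hop order of the reported setup and its 50-minute Exchange value are assumptions; 2100 s (Kemp-LB) and 1200000 ms (SEG `serverTimeoutInMillis`) are the figures quoted in the thread.

```python
from dataclasses import dataclass

FIRST_HOP_MIN_S = 30 * 60  # "your first hop needs to have a 30m timeout"


@dataclass(frozen=True)
class Hop:
    name: str
    idle_timeout_s: int


def check_chain(hops):
    """Findings for a client-to-server hop list; an empty list means the rule holds."""
    findings = []
    if hops and hops[0].idle_timeout_s < FIRST_HOP_MIN_S:
        findings.append(f"{hops[0].name}: first hop is below {FIRST_HOP_MIN_S}s")
    for outer, inner in zip(hops, hops[1:]):
        # Each hop further in must outlast the hop in front of it.
        if inner.idle_timeout_s <= outer.idle_timeout_s:
            findings.append(
                f"{inner.name} ({inner.idle_timeout_s}s) does not exceed "
                f"{outer.name} ({outer.idle_timeout_s}s)"
            )
    return findings


def first_to_close(hops):
    """The hop with the shortest idle timeout ends an idle long-lived Ping first."""
    return min(hops, key=lambda h: h.idle_timeout_s)


# Chain from the reply's own example: 30m, 35m, 40m, 45m, 50m.
RECOMMENDED = [
    Hop("External DMZ Load Balancer", 30 * 60),
    Hop("DMZ Server", 35 * 60),
    Hop("Internal Firewall", 40 * 60),
    Hop("Internal Load Balancer", 45 * 60),
    Hop("Internal Servers", 50 * 60),
]

# Constructed from the thread's figures; hop order and Exchange value are assumed.
REPORTED = [
    Hop("Kemp-LB", 2100),
    Hop("SEG V2", 1_200_000 // 1000),  # serverTimeoutInMillis
    Hop("Exchange Server", 50 * 60),   # assumption, not stated by the commenter
]

if __name__ == "__main__":
    for label, chain in (("recommended", RECOMMENDED), ("reported", REPORTED)):
        print(label, check_chain(chain) or "OK", "| closes first:", first_to_close(chain).name)
```

For the reported setup the shortest hop is the SEG at 1200 s, which is the same 1200000 ms figure that appears in the `TimeoutException` in the app.log excerpt.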
