1 Reply
      Latest reply: Jan 29, 2017 3:45 PM by eskimo
      wchestnutt Level 1 (0 points)

        I was wondering if anyone else has seen the following behaviour and knows how to resolve / work around?

         

        We have a number of iOS devices that we are trying to set up with Always-on VPN to provide the security and ease of use for clients.

         

        The setup is the following:

         

        - iOS devices ranging from 9.3 to 10.2

        - IKEv2 VPN Using certification and EAP, connecting to MS RRAS boxes and NPS

        - Cellular and Wifi Connectivity as normal.

        - Profiles are pushed from the device management system to enable relevant settings for the VPN and the certificates as a payload.

        - Traffic from the device is routed so that all traffic goes via the VPN to the internal systems and any traffic destined for the Apple servers on 17.0.0.0/8 is sent directly out using an unproxied connection - this is to avoid any problems with web proxies / filters.

         

        The issues we have are as follows:

        - VPN connects and works as designed - good start. We can send traffic to and from the device and use it as expected.

        - When the device initially powers on we can see it connect to the VPN and then check in with Apple's servers using Port 5223. Two way communication works and we can push notifications to the device - this tends to work consistently until the device is placed either on standby or powered off.

        - Once the device is brought out of standby, it appears to still have the VPN connection (according to the VPN icon on the display) and typically this does reconnect, yet push notifications will fail. Interestingly, at this point it will quite often actually get a new IP address from the server.

        - When we look at the traffic at this point we see that it's attempting to check in with Apple's servers, again on 5223, but there is no reply that seems to come back and hence push notifications fail.

        - We can replicate this behaviour on the device when it's powered on by switching between cellular and wifi connections. The initial connection (typically) will check in with Apple's servers, however when changing between connections it fails: we see the device trying to reconnect to the APNs servers and then it gets no response.

         

        When we repeat this process on a device that does not have the VPN profile applied, we get similar behaviour. This seems to suggest that there is some process in APNS servers that identifies the device and its IP?

         

        Other oddities seem to be:

         

        - Randomly the device will show that it has a VPN connection (icon showing on either cellular or wifi) yet the VPN server does not have an established connection - at this point the only way to resolve this is to power the device off and on once more.

        - If the device has 2 connections (cell and wifi) this then creates x2 VPN tunnels to the server.

        - The device does not appear to "reconnect" the VPN, even after a short disconnection (which I feel is contrary to what it should do) and seems to re-create a connection tunnel rather than re-use the existing one - there is a 15 minute timeout on the server so this functionality is available.

        - Switching on airplane mode will sometimes re-produce the same issues, however not consistently.

         

        Any ideas anyone has will be gratefully received.

         

        Thanks

        • Re: IKEv2 Always on VPN Push Issues and inconsistencies
          eskimo Apple Staff (6,250 points)

          I was wondering if anyone else has seen the following behaviour and knows how to resolve / work around?

          You might have more luck asking your question over in the Apple Support Communities, run by AppleCare, and specifically the various Business and Education topic areas.  The folks over there are likely to be more familiar with VPN configuration issues.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"