V17 MR5 and failures

Hi folks,

Installed MR5 this morning, not good.

1. AP 55 5 GHz SSIDs now take even longer to come online.

2. MacBooks and iPads are unable to connect to the Apple Store, no internet connection. Funny, I am writing this post from the same MacBook. I have restarted the MacBook.

 

I have an Apple update rule (before MR5 installation) which will be the subject of another thread shortly. iPhones all seem to connect to the Apple store quite happily.

 

Ian



  • Good day Ian,

    I have several Macs, PCs, iPads and iPhones on my home network along with ATVs and Android boxes.  After upgrading to MR5 last night, I've had no issues other than the longer than expected reboot time for the XG.  

    For me, IPv6 appears to have been improved in MR5 at least for my Apple devices which all connect seamlessly via IPv6 now.

  • It would be helpful to give a few details about the configuration in use for those who have had issues resulting from an upgrade, or issues resolved from an upgrade.

     

    We know that web filtering was previously causing issues with Microsoft and Apple Updates because of the way they download updates.  So, it would be helpful when someone reports an issue, or resolution whether they are using web filtering or not in the policy.  It would also be helpful if web filtering is enabled and causing issues, to attempt disabling it and see if the same issue occurs.  If disabling web filtering is still the workaround, then this should be reported to support so the final issues can be resolved with web filtering in the next release. 

     

    We still don't have any production units on v17 yet, I'm mainly concerned about the IPSec VPN stability issues reported, though I think for the sites that don't require VPN it would be stable enough at this point for us.  I am going to use MR 5 on our test box first before going into production.  I want to see the IPSec VPN's stability in our test environment before I would be comfortable upgrading.  Fortunately we don't use web or email filtering with the XG, which is where most of the non-VPN reported issues seem to be.

  • As mentioned above, everything works for my Apple and PC products with v17 MR5.  I do not have any special rules for Apple or other devices (other than a rule to block all outgoing connection attempts from my security cameras).  I do have Scan HTTP, Intrusion Prevention, Web Policy and a rule to block Google Analytics.

    For reference, I've attached my general firewall rule for LAN to WAN (IPv4) traffic.

  • Hi,

    Under MR3 there was a problem using Application policy which is fixed for the PCs and the Macs once they have seen the wild internet but not behind the XG.

    The logs don't help, failed or successful attempts show.

    Ian

  • Interesting, that sounds like the issue I had with a fresh install of Bitdefender.  It could not connect to the Bitdefender server for the initial update.  Other machines with Bitdefender installed prior to XG 17 worked fine.  I managed to get the fresh install of Bitdefender to work by temporarily changing the firewall rule on XG from any-to-any, updating Bitdefender database, then reverting my firewall rule back.  The fresh install now works flawlessly.  Nothing was ever registered in the logs, but something was obviously being blocked.

  • Looks like it was only the Apple App store that failed to find an internet connection, the apps themselves all updated, strange.

    I have connected my failing devices directly to the internet via the iPhone hotspot and now all connect to the Apple App store without errors while using the XG.

    Ian

  • rfcat_vk said:
    directly to the internet via the iPhone hotspot

     

    I have also seen this - once it's spoken with Apple it's OK behind the XG.

    I never worked out what was causing it though.

  • Hey  

    Do you currently have any iOS devices where this issue can still be replicated?

    Regards,

    FloSupport | Community Support Engineer

  • Hi Flo,

    I don't, I have connected them all via the hotspot.

    Ian

  • If any users on this thread have a similar initial communication issue, please PM me so that we can perform further troubleshooting.
    Please ensure that the Apple Update web exception is enabled if you are utilizing web filtering, along with verifying that the correct firewall rule is matching to the traffic via performing a packet capture.

    Thanks,

    FloSupport | Community Support Engineer

  • Hi Flo,

    These were my findings in MR3.

    The *.apple.com and the web exception did not work; I had to create my own exception list. When I added the *.apple.com to my exception list (FQDN group) the connections again failed.

    Under MR5 the applications updated, but the Apple store failed on update checking regardless of settings.

    Ian

  • Hi Flo,

    One of my MacBooks has suddenly stopped talking to the Apple store update, 'no internet'. The following thread might have similar issues with the XG.

    Two Macs both connect quite happily to the update servers. For some unknown reason the IP address used by my Mac is not recognised as being an Apple server (on Amazon) and goes straight through to rule 0. I have restarted the Mac, changed the firewall rule, but nothing. 54.251.46.50

     

    https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/98789/lan--wan-problem---dst-port-443

     

    Ian

  • Hi Ian,

    I will check my XG and Apple as soon as I get back home. What I have noticed is that Hotmail emails are not working correctly. I have used decrypt and scan since v16, and on Hotmail, when you open an email, the links inside the email are not clickable and you cannot even copy text. Double-clicking the email (so the email opens in a new tab), all works as expected.

    Of course, creating a firewall rule with no web filters works. Before MR5, I never had this issue.