
Apple App Store Connection Errors

Hi There,

I have some weird problems with the Apple App Store on our MacBooks. Some colleagues can use the store without any problems, others cannot open it at all.
The same firewall rules apply to all users, regardless of whether they are on WiFi or LAN.
I have already set exceptions in the web policy, and put all the URLs from the Apple article into a firewall rule where the IPS is disabled: https://support.apple.com/de-de/HT201999

Please have a look at my screenshots. The problem is also that I can't see any errors in the log viewer or in a packet capture when a colleague tries to download something from the store.

Any ideas?

 

WiFi clients are in the same zone as LAN.



  • Same issues, and more related to Apple App Store, iTunes and Apple TV app connectivity.

    I’m running 17.5.5 MR5, but this has been an issue for a while on previous versions.

    I have multiple devices that work consistently connecting to the Apple App Store, and several that consistently have issues.

    One potential piece of the puzzle is that the devices that work consistently connect to networks at other locations regularly, while those that do not work are more likely only on the XG network.

  • Scott Klauminzer said:

     I have multiple devices that work consistently connecting to the Apple App Store, and several that consistently have issues.

    One potential piece of the puzzle is that the devices that work consistently connect to networks at other locations regularly, while those that do not work are more likely only on the XG network.

     

     
    THIS!
    Absolutely the same behaviour at my site.

    @ some ideas?
  • Hey, me again. 

    After the update to 17.5 MR5 the issues came back.

    I can confirm:

    • that the problem occurs with WiFi and Ethernet connections, with the same rule and zone settings
    • some colleagues can open the store without any problems, but the majority get an error
    • that the iPad App Store is also blocked, even in our WiFi guest network where no web filter or IPS rules are activated, only AV, but I have already tested it without scanning
    • after I switched the iPad to a private hotspot, the App Store worked immediately

    But if I switch back to our guest WiFi, the App Store works again without any problem or error?

    I can't reproduce the problem after one successful connection to the App Store.

     

    Any ideas?

  • As far as I know, there were a couple of issues in the past with the MTU size and Apple services.

    UTM 9.3 (or 9.2) had a bug fix with an MTU size change to 1450 in wireless (separate zone).

    This caused all Apple services to be unable to connect anymore.

    But it seems kinda odd that you only observe this with certain clients and you cannot reproduce this issue.

  • LuCar Toni said:

    But it seems kinda odd that you only observe this with certain clients and you cannot reproduce this issue.

     

     
    I will do some more testing on Thursday and give you feedback. But yes, it's really strange behaviour.
    We also use Sophos Endpoint Security on our Macs, but there is no security client on our iPad with the described error from yesterday.

    Maybe you have an idea which log from the XG could be helpful to narrow down the problem? Or should I open a ticket with support?
  • The point is, it is hard to find the module causing this in XG if we do not know what is going on and when.

    So we can not simply put everything in Debug and "wait". 

  • LuCar Toni said:

    So we can not simply put everything in Debug and "wait". 

     

     
    Yes of course, that's not a meaningful idea. :) Because you talked about the bug in the UTM and the MTU size: is there maybe a log for this kind of error?
  • I had a similar problem with updates; it works fine since I've turned off Web Cache.

  • Also seeing this issue on iPhones on a guest wireless network. Third-party wireless hardware, but DHCP and VLANs handled by the XG. (XG310 running 17.5.5 MR5)

     

    Some have no issue connecting to the App Store; others cannot connect initially but may start working later in the day.

     

    Web Cache is switched off.

  • In that case, I wonder if this is the DHCP issue?

     

    When devices cannot connect to the App Store, can they open a web page?

     

    And is this switched on in Web Exceptions?

     

  • Personally, as the App Store is currently working, it's difficult to say if it can open a web page when not working.

    There is no HTTP or HTTPS scanning on the guest network, so I don't believe those exceptions should come into play, but it is turned on. The only web policies being applied are the default workplace policy and one restricting social media to being accessed only during non-working hours, plus an application policy blocking WhatsApp during work hours and a QoS policy.

  • The issue has nothing to do with DHCP; the devices can surf the web, look at this forum, check email, just not update from the App Store.

    My iPad cannot update 'find friends' but will update its home weather station monitoring application.

    Ian

  • rfcat_vk said:

    The issue has nothing to do with DHCP; the devices can surf the web, look at this forum, check email, just not update from the App Store.

    My iPad cannot update 'find friends' but will update its home weather station monitoring application.

    Ian

     

     

    I didn't think that would be the case, but it was worth checking, as I was thinking that the devices may not have got the gateway address and therefore wouldn't have been able to get out. Sometimes it's worth checking against known issues before looking further.

    This sounds similar to issues I had, but opening up:

     

    3478–3497 UDP: nat-stun-port, ipether232port (FaceTime, Game Center)

    5223 TCP: Apple Push Notification Service (APNS), iCloud DAV Services (Contacts, Calendars, Bookmarks), Push Notifications, FaceTime, iMessage, Game Center, Photo Stream, Back to My Mac

    16384–16387 UDP: Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) (FaceTime, Game Center)
    16393–16402 UDP: RTP, RTCP (FaceTime, Game Center)
    16403–16472 UDP: RTP, RTCP (Game Center)

    Seemed to resolve all issues I had.


  • Sorry, but he can surf the whole internet or get his emails without any problem, except for a connection to the Apple App Store.

    He MUST have a gateway address? Sorry, I can't follow your argument?

     

    Also, the ports that you've posted have nothing to do with the Apple App Store.

    On my site, I open all ports with the destination of any Apple URL posted here: https://support.apple.com/de-de/HT201999

    So it can't be a problem with a closed port. There are also no events in the log when I try to access the App Store.

  • Jonny Klaas said:

    Sorry, but he can surf the whole internet or get his emails without any problem, except for a connection to the Apple App Store.

    He MUST have a gateway address? Sorry, I can't follow your argument?

     

    Also, the ports that you've posted have nothing to do with the Apple App Store.

    On my site, I open all ports with the destination of any Apple URL posted here: https://support.apple.com/de-de/HT201999

    So it can't be a problem with a closed port. There are also no events in the log when I try to access the App Store.

     

     

    Not necessarily - proxy settings, PAC file - you don't need a gateway address if the proxy IP or PAC URL is on the same subnet, and would still be able to browse without a gateway address.

    I've also seen a lot of unexplained traffic on several of those ports, namely 5223 (XMPP over SSL) - and these are from machines that don't use FaceTime or iMessage...

     

    Clutching at straws maybe, or maybe Apple have changed things with the latest OS and not updated the firewall ports - don't forget too that the App Store uses iCloud for authentication - oh, and look:

     

    5223 TCP Apple Push Notification Service (APNS)

    iCloud DAV Services (Contacts, Calendars, Bookmarks), Push Notifications, FaceTime, iMessage, Game Center, Photo Stream, Back to My Mac

     

    The App Store (from what I can tell) relies on 5223 to send out notifications of updates to applications - potentially this could be the issue - worth a test... if it does, problem solved; if it doesn't, back to the drawing board.

  • Hi,

    Thank you for the detailed response, but you have missed the original point: the devices used to connect without these exceptions.

    Ian

  • Hi,

    App Store access is totally broken on my iPad and MBP as of yesterday (my time). My iPhone, which has been out of the home a number of times over the last couple of days, works fine.

    Nothing in the logs showing failed connections (firewall, IPS, WEB, Application).

    Ian

  • Just took my MBP outside the LAN network and back inside, and the App Store works again. What gives?

    Ian

     

    But software updates do not work.

  • When you cannot connect, what happens when you turn WiFi off and back on again on the device failing to connect?

  • Hi,

    I have restarted the iPad and renewed the IP lease. The issue only affects the App Store, not data into the apps, web surfing or mail.

    The XG logs do not show any failed connections.

    Ian

  • Ian, can you dump such a connection attempt by your broken Apple device in a tcpdump and open it in Wireshark?

    https://community.sophos.com/products/community-chat/f/knowledge-base-article-suggestions/105811/how-to-tcpdump-on-xg

    This should help.

    I would like to see what is going on from the XG perspective.
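As an added example (not from this thread, Sophos, or Apple), here is a first pass a network engineer could run over a capture like the one requested above before opening it in Wireshark. It reads tcpdump -n text output and reports the two things the thread's hypotheses would leave behind: client SYNs towards the store's servers that never receive a SYN/ACK (a silent drop, which would also explain the empty firewall log), and ICMP "need to frag" messages, which would point at the MTU problem LuCar Toni described. The sample lines are constructed, not a real capture; 198.51.100.10 is a documentation address standing in for an App Store server and the script name is hypothetical.

```python
import re
import sys
from collections import defaultdict

# Constructed tcpdump -n text output (not a real capture). 198.51.100.10 is a
# documentation address standing in for an App Store server; 192.168.1.20 is
# the client and 192.168.1.1 the gateway.
SAMPLE_CAPTURE = """
10:01:02.000001 IP 192.168.1.20.52344 > 198.51.100.10.443: Flags [S], seq 100, win 65535, length 0
10:01:02.020000 IP 198.51.100.10.443 > 192.168.1.20.52344: Flags [S.], seq 200, ack 101, win 65535, length 0
10:01:02.020500 IP 192.168.1.20.52344 > 198.51.100.10.443: Flags [.], ack 201, win 2048, length 0
10:01:02.030000 IP 192.168.1.20.52344 > 198.51.100.10.443: Flags [P.], seq 101:1561, ack 201, win 2048, length 1460
10:01:02.030100 IP 192.168.1.1 > 192.168.1.20: ICMP 198.51.100.10 unreachable - need to frag (mtu 1450), length 556
10:01:03.000000 IP 192.168.1.20.52345 > 198.51.100.10.443: Flags [S], seq 300, win 65535, length 0
10:01:04.000000 IP 192.168.1.20.52345 > 198.51.100.10.443: Flags [S], seq 300, win 65535, length 0
""".strip().splitlines()

# TCP line: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
TCP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)
# ICMP "fragmentation needed" as tcpdump prints it
NEED_FRAG_RE = re.compile(
    r"ICMP (?P<dst>[\d.]+) unreachable - need to frag \(mtu (?P<mtu>\d+)\)"
)


def analyze(lines):
    """Return unanswered SYNs and ICMP 'need to frag' hits from tcpdump text lines."""
    syn_count = defaultdict(int)  # (client, cport, server, sport) -> number of SYNs sent
    synack_seen = set()           # same key shape, filled from the server's SYN/ACK
    need_frag = []                # (destination, advertised path MTU)
    for line in lines:
        m = NEED_FRAG_RE.search(line)
        if m:
            need_frag.append((m["dst"], int(m["mtu"])))
            continue
        m = TCP_RE.match(line)
        if not m:
            continue
        flags = m["flags"]
        if flags == "S":
            syn_count[(m["src"], m["sport"], m["dst"], m["dport"])] += 1
        elif flags == "S.":
            # SYN/ACK travels server -> client; flip it into the client-side key
            synack_seen.add((m["dst"], m["dport"], m["src"], m["sport"]))
    unanswered = {k: n for k, n in syn_count.items() if k not in synack_seen}
    return {"unanswered_syns": unanswered, "need_frag": need_frag}


def report(result):
    """Render the analysis as short lines suitable for a forum post or support ticket."""
    out = []
    for (client, cport, server, sport), n in sorted(result["unanswered_syns"].items()):
        out.append(f"{client}:{cport} -> {server}:{sport}: {n} SYN(s), no SYN/ACK seen")
    for dst, mtu in result["need_frag"]:
        out.append(f"ICMP need-to-frag towards {dst}: path MTU {mtu} (check MTU / MSS clamping)")
    return out or ["nothing suspicious in this capture"]


if __name__ == "__main__":
    # Usage (hypothetical file name): python analyze_capture.py capture.txt
    # where capture.txt was produced with: tcpdump -n -r capture.pcap > capture.txt
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    print("\n".join(report(analyze(lines))))
```

On the constructed sample this reports one flow with two SYNs and no SYN/ACK (port 52345) and one need-to-frag message advertising a 1450-byte path MTU; a real capture with the same pattern would be the evidence to attach to a ticket, since neither event produces a firewall log entry on its own.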

  • Hi Toni,

    I don't have any failed connection attempts that I can find. The iPad just did not connect to the App Store. I have taken it out of my LAN because I needed an app for my new headphones/hearing aids to set them up.

    As a result the apps download and connect. I can search for historical connections and see what I can capture.

    Ian