Apple App Store Connection Errors

Ian can you dump such a connection attempt by your broken Apple device in a tcpdump and open it in wireshark?

https://community.sophos.com/products/community-chat/f/knowledge-base-article-suggestions/105811/how-to-tcpdump-on-xg

This should help.

I would like to see, what is going on from XG perspective. 

Hi Toni,

I don't have any failed connection attempts that I can find. The iPad just did not connect to the App store. I have taken out of my LAN because I needed an APP for my new headphones/hearing aids to set them up.

As a result the APPs down load and connect. I can search for historical connections and see what I can capture.

Ian

Any Update on this issue?

Still an issue with SFOS 17.5.6 MR-6 and AP firmware 11.0.008 (the latter applied today)

It appears that if a client connects from an outside network, something is set for a period of time, because the connection continues to function on back on the Sophos network for a while.

After some time it will stop working. This sounds like a trusted certificate check / re-check interval or something like that.

I'm not sure this helps, but it is a little more information to help Sophos figure this out. 

Scott K.

After turning off Web Caching, the end result is still no ability to download updates, but the App Store can now at least populate with available updates... just fails with "Could not connect to the server" when clicking Update.

Hi Scott,

I think I have found the possible cause while looking for something else in log viewer. I see a lot of block unknown https protocols going to some Apple sites and some AWS sites. As an experiment, try unticking block unknown https protocols in web -> general settings and see if you can connect. At the moment I don't have any blocked applications to try this on.

Ian

Thanks for the suggestion Ian. Unfortunately, this was already unticked.

I did untick the block invalid certificates for a time to test, with no luck.

Scott.

The following worked for me.

Create a new User/Network rule at the top:

Rule Name Apple Services

Source Zone: LAN

Source Networks and Devices (either add selected devices or choose any)

Destination zones: WAN

Destination Networks

Choose Apple Services (should be inbuilt)

Create Apple .aaplimg Services as FQDN host: *.aaplimg.com

You may need to create another FQDN Host for Akamai: *.akamaitechnologies.com

Don't check any web malware and content scanning

Don't turn on any advanced settings leave them all as None (IPS, Web, App)

This resolved my problem... UP UNTIL SFVH (SFOS 17.5.7 MR-7)  - Will be rolling back to MR-6 later.

Adding akamaitechnologies.com to bypass IPS, Web filtering and App is dangerous, given that they are a CDN and not just apple...

I still don't understand why the OP is having issues, we have several Apple devices (Apple TV's, iPhones, iPads, MacBook's) and they all work well with the AppleStore, and go through a HTTP and HTTPS rule (I have them both separated), and I have no connectivity issues to the Apple Store.

IPS on both rules is enabled, as is pharming protection...although for the HTTPS rule, I don't have scan HTTPS traffic enabled.

HTTP rule...

HTTPS rule...