This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Apple iCloud IMAP being called Torrent (due to MR1 or maybe pattern update)

A while after updating to 18.5.0 MR1 this morning, we noticed we're not getting incoming mail from Apple iCloud. I kept assuming it's an issue with TLS or something, but email worked on my iPhone when I turned off WiFi and went with cellular.

In the end it turns out that we were getting tons of Application Control rejects for "Torrent Clients P2P" (Message ID 17051, POLICY ID 7). I turned off App Control on the firewall rule that covers email and now it's working.

This may be an error with 18.5.0 MR1 or it might be due to a wonky pattern update. I didn't change anything.

This thread was automatically locked due to age.

Parents

0 emmosophos over 3 years ago

Hello Wayne,

Thank you for contacting the Sophos Community.

Would it be possible for you to share a screenshot of the Web Protection (Application Control) that shows the rejects?

Regards,
Cancel
Vote Up 0 Vote Down

Cancel
0 Wayne Folta over 3 years ago in reply to emmosophos

To be clear, this is Application Filter listing from the Log Viewer, and I solved the issue by going to None in the firewall rule's Identify and control applications (App control) setting.
Cancel
Vote Up 0 Vote Down

Cancel
0 emmosophos over 3 years ago in reply to Wayne Folta

Hello Wayne,

Thank you for the follow-up.

We would need to have pcap capture of this traffic, you can follow this KB.

So you will need to ever to using App Control in the webfilter, and reproduce the issue, once we have the pcap then we can send to labs for them to analyze.

I see you have a case already open for this (04305280), you can upload the pcap there.

Regards,
Cancel
Vote Up 0 Vote Down

Cancel
0 Wayne Folta over 3 years ago in reply to emmosophos

So turn the application filter back on and then capture packets? That won't result in the packets being rejected before I can capture them? Or does this work as long as I capture from the WAN port?
Cancel
Vote Up 0 Vote Down

Cancel
0 emmosophos over 3 years ago in reply to Wayne Folta

Hello Wayne,

You can capture one while ON and one while App Control is OFF.

# tcpdump -ni any host x.x.x.x and host x.x.x.x -b -w /tmp/IMAP.pcap -s0

The x.x.x.x would be the IP of the computer doing the request and the Public IP of the Destination.

If you check the Live Log Viewer it would show there the Src IP and Dst IP.

Regards.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 emmosophos over 3 years ago in reply to Wayne Folta

Hello Wayne,

You can capture one while ON and one while App Control is OFF.

# tcpdump -ni any host x.x.x.x and host x.x.x.x -b -w /tmp/IMAP.pcap -s0

The x.x.x.x would be the IP of the computer doing the request and the Public IP of the Destination.

If you check the Live Log Viewer it would show there the Src IP and Dst IP.

Regards.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Wayne Folta over 3 years ago in reply to emmosophos

Have uploaded a working pcap. Peeked at it in Wireshark and there are a ton of retransmissions, which seems weird on Apple's part and which might make it look like a Torrent.
Cancel
Vote Up 0 Vote Down

Cancel
0 emmosophos over 3 years ago in reply to Wayne Folta

Hello Wayne,

Thank you for the update.

I have opened the ticket with Labs and submitted your pcap.

Regards,
Cancel
Vote Up 0 Vote Down

Cancel