
XG Firewall Apple TV+ Connection Issues

Ok, so I decided to give Apple TV+ a try.  I am aware of how finicky Apple products can be, but decided to give it a whirl anyway.  Perhaps I'm beating a dead horse on this.

The first issue was the XG blocking QUIC, once I allowed QUIC, streaming seemed to work fine.  Then things started going off the rails.  I now get intermittent issues where Apple Music and Apple TV+ cannot connect.  Apple TV+ provides the following message "Content Unavailable".  This occurs no matter if I use an iPad, iMac or Android box.

I use Android boxes with the Apple TV+ app installed.

Apple Music and Apple TV+ drop out every 15 or 20 minutes and they remain gone for several minutes before miraculously connecting.  During the Apple down time, the Apple TV+ connection tests pass connecting to the internet but fail with connection to Apple.  I can stream using Disney+ with full 4k HDR10 without a single hiccup at any time and no rule exemptions.  My Speedtest shows absolutely no issues with my fibre line.

I have tried a number of "troubleshooting" steps with disabling one thing or the other.  This became extremely time consuming since the XG takes a very long time to update a firewall rule.  To speed things up, I have created the following rule at the top of my rules list:

  • LAN to WAN
  • Allow any service
  • Allow any source
  • Allow any destination
  • Web Policy = "Allow All"
  • Malware scanning disabled
  • Use web proxy instead of DPI
  • App Control = "Allow All"
  • IPS = "None"

Believe it or not, with the above rule the Apple TV+ and Apple Music still refuse to connect.

At this stage I am at a complete loss as to how to troubleshoot this further.  I cannot see how the XG might be interfering with the connection.  

I should add that I am attempting to troubleshoot this from my iMac by testing the Apple TV+ app on it.

As I finish typing this post, Apple TV+ & Apple Music both came back online.



This thread was automatically locked due to age.
  • Hello Ian,

    Web -> General Settings -> Advanced Settings -> Scan Audio & Video is Unchecked

    The FW rule is at the top of all the rules.

    The devices trying to use Apple TV+ are using that rule for all the selected *.apple.com, *.iCloud.com and 17.x.x.x domains and IP addresses.

    Best regards.

  • Hi,

    one more test, change the services to any. Then check log viewer web report.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Ian,

    The same result.  Connection to Apple is lost after about 20 minutes.  Nothing unusual in the logs, no dropped FW packets and all SSL/TLS packets are “Do not decrypt”.  I’m not sure if there is an issue with the XG, Apple or something my ISP is doing.

    Thanks for your help.

  • Next, internet speed up and down, CPU and memory load?

    Are you using wifi or hardware? I gave up using wifi the connections were not reliable.

    ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Internet speed test shows 51Mbps down and 19Mbps up.

    XG CPU load = 27% (doesn't really change much)
    XG RAM used = 50%

    All my devices are connected via ethernet cable.  Only the iPhones and iPads are on WiFi.  WiFi speeds have proven too unpredictable to rely on for streaming although I have a friend who streams Netflix via WiFi here regularly without issue.

    I had connection issues with Apple TV 6+ years ago which could not be resolved by Apple.  They gave me a movie credit at that time that I still haven't been able to use.  I now have Disney+ and AmazonPrime that both work flawlessly.  So there is no real need for me to get Apple TV+ working.

  • Ok, I just noticed something strange in the FW logs.  Things are busy here and I've been a bit distracted.  

    For the newly created Apple Services rule, it shows that the packets were accepted by the rule, then handed to NAT rule 12 (default NAT).  The "In Interface" is listed as "Port 1" but there is no "Out Interface" listed.  All my other LAN to WAN FW rules list both Port 1 and Port 2 for in and out interfaces.

    Going through the logs, none of the TCP 443 traffic for the Apple Services FW rule is making it to Port 2.  Under the same rule, other ports such as UDP 123 and 5223 TCP are going from Port 1 to Port 2.  For some reason only the TCP 443 traffic is not making it to Port 2.

    NAT rule 12 is just the default rule which allows all the ports from the other rules through.

    What is causing this seemingly strange behaviour?  This would obviously cause connection issues.

    If I enable "Any" services for that rule, TCP 443 packets still do not make it to Port 2.

    Are these packets actually not making it out, or am I misreading the logs?  It would seem that creating the custom rule for Apple Services has made things worse?

  • Hi,

    they are going out through the proxy.

    ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • I have solved this issue.  It was not related to the XG, my computer or my ISP.  Oddly enough, it was Windows Update for a Windows 10 computer that I have which put me on the trail of the underlying issue.

    I use an iMac for my main computer.  I have a number of other devices including a Windows 11 machine and Windows 10.  I rarely use the Win10 computer as it is just a spare.  Recently I noticed that the Win10 machine could not connect to Windows Update while the Win11 machine worked fine.  The Win10 machine had no issues with internet or network access.  The Windows troubleshooter on the Win10 machine indicated that it could not look up an address in the format of xxx.catalog.xxx.microsoft.com.  While I could not look up this address using nslookup, other addresses resolved fine.  When I pointed nslookup directly to the outside DNS servers (forwarders) that I am using, it could resolve the address fine.  So that meant that there was an issue with my internal DNS server.  Clearing the DNS cache on my DNS server resolved the problem.  I am still trying to figure out the underlying issue.  I don't understand why my DNS server couldn't resolve the address although it was using the same external reference DNS server that I used for the manual nslookup.  It is set to scavenge addresses after 7 days.

    The obvious deduction was that if Windows update could not resolve some external IP addresses, then the same must be true for other domains including the ones needed for Apple TV+ to work.

    To summarize, the firewall rules etc posted here work with the requisite TLS/SSL exemptions.  I am using DPI instead of the proxy and things seem to work fine as long as you have the correct TLS/SSL exemptions.

    I wish Apple had a troubleshooter as it would have been much easier to resolve my issue if they did.  Thankfully, and strangely, the Microsoft troubleshooter for Windows 10 updates helped me solve my Apple TV+ connectivity issue on my iMac.
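The comparison that last post describes, written up as an added shell script (not from the thread or from Sophos): it resolves the same name through the internal DNS server and through the forwarder that server uses, and classifies the split so a stale internal cache stands out from a genuine upstream failure. The resolver addresses and the example hostnames are placeholders, and it uses dig where the poster used nslookup.

```shell
#!/bin/sh
# Added example, not from the thread: resolve the same name through the internal
# DNS server and through the forwarder it uses, then classify the split. The
# thread's root cause was the forwarder answering while the internal server did
# not (a stale cache entry). Server addresses below are placeholders.
INTERNAL_DNS="${INTERNAL_DNS:-192.0.2.53}"      # placeholder: internal resolver
FORWARDER_DNS="${FORWARDER_DNS:-203.0.113.53}"  # placeholder: its forwarder

# resolve SERVER NAME -> A records, one per line; empty on failure. Always
# exits 0 so callers are safe under 'set -e'. Uses dig rather than nslookup.
resolve() {
    dig +short +time=3 +tries=1 @"$1" "$2" A 2>/dev/null \
        | grep -E '^[0-9]+(\.[0-9]+){3}$' || true
}

# dns_status NAME -> OK (both answer), STALE_INTERNAL (forwarder answers but
# the internal server does not: clear/inspect its cache), or UNRESOLVED
# (neither answers: upstream or name problem, not the internal cache).
dns_status() {
    internal=$(resolve "$INTERNAL_DNS" "$1")
    upstream=$(resolve "$FORWARDER_DNS" "$1")
    if [ -n "$internal" ]; then
        echo OK
    elif [ -n "$upstream" ]; then
        echo STALE_INTERNAL
    else
        echo UNRESOLVED
    fi
}

# check_names NAME... -> one line per name; returns the number of names not OK.
check_names() {
    bad=0
    for name in "$@"; do
        status=$(dns_status "$name")
        printf '%-40s %s\n' "$name" "$status"
        [ "$status" = OK ] || bad=$((bad + 1))
    done
    return "$bad"
}

# Usage (hostnames are assumptions; use the ones your client logs as failing):
#   sh dnscheck.sh tv.apple.com music.apple.com
if [ $# -gt 0 ]; then
    check_names "$@"
else
    echo "usage: $0 HOSTNAME..." >&2
fi
```

A STALE_INTERNAL result for a name the client is failing on is the signal to look at the internal server's cache and scavenging settings rather than at the firewall rules.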