Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update. Please follow knowledge base article 133945
Learn about the Benefits of Multi-Factor Authentication (MFA). Turn your MFA on now!
We'd love to hear about it! Click here to go to the product suggestion community
Ever since upgrading our iOS devices to v11 they "Cannot Connect to App Store" when the connection is through our UTM. We are not experiencing any issues connecting these devices to the App Store through other non-UTM Internet connections.
There are no blocked packets in the Firewall logs and no blocked connection attempts in the Web Protection logs.
The "Apple Update [Allows Apple Update without content scanning side effects.]" Web Protection exception is enabled.
I'm running UTM v9.415-1 (and not interested in upgrading to v9.5 so please don't suggest that as a fix unless this is a known issue with v9.4).
Adding iOS devices to the "Skip Transparent Mode Source" list resolves the issue but is obviously a less than desirable solution.
I can't be the only one experiencing this issue. Please help.
Cheers - Bob
In reply to BAlfson:
Are you suggesting that the following fix included in v9.506-2 will resolve my issue?
Fix [NUTM-8834]: [Web] iOS11 user agent string is not detected as iOS
I have the same problem ~ It still cannot be solved....
IPAD with IOS 11 cannot connect to Apple App Store, or cannot download any apps or update.
Sometimes, It can be solved by connecting the IPAD to a mobile tethering once, and back to company AP. However, it is only solved in limited and short time.
It seems that is a certificate problem in IOS11 with Sophos UTM.
we are using Sophos SG310 (Firmware version: 9.506-2)
In reply to Cato Kwok:
Please share the solution with us after you work with Sophos Support.
This issue persists but it appears that only wi-fi only iPads are affected and not iPhones? Can anyone confirm that their wi-fi only iPad cannot connect to the app store but that any cellular capable iOS device can connect to the app store - even when using the same wi-fi network as the iPads that cannot connect?
In reply to busthead:
while not currently a UTM user but an XG user, I have the same issue. MACs and iPads fail, but iphones connect, strange? The work around was to connect the MACs and iPad via a hotspot initiate the APPLE store connection and then put the devices back on to the LAN works fine but.... For some unknown reason mine broke a couple of days ago and all my rules failed to allow connection which had worked in the past.
So, working with Sophos Community Support Team I tried some different firewall rules this morning. In the end the one that worked was allow MAC devices by IP address and any as the service and destination. After all the devices have accessed the Apple store I disabled that rule and the MACs and iPad can now access the Apple store without error.
I suspect the issue is caused by a tcp rst error I see in the logs, but can't reproduce the failure to do additional testing.
I hope the above provides some help.
Late thought:- this is probably an XG only issue, but I did find at one stage that the *.apple.com did not work, almost as if there is addresses missing or apple has a non apple address in use?
In reply to rfcat_vk:
Ian, my theory is that you can ignore blocked RST packets unless there's a problem. I think that your distance from the Apple Store causes the connection tracker to terminate a connection too soon for the communication to continue. I'm not a TCP/IP guru, so I don't know which ip_conntrack_tcp_timeout needs to be increased. running Wireshark on a packet capture would probably give us the answer. The options are:
"ip_conntrack_tcp_timeout_close" => 10,"ip_conntrack_tcp_timeout_close_wait" => 60,"ip_conntrack_tcp_timeout_established" => 86400,"ip_conntrack_tcp_timeout_fin_wait" => 120,"ip_conntrack_tcp_timeout_last_ack" => 30,"ip_conntrack_tcp_timeout_max_retrans" => 300,"ip_conntrack_tcp_timeout_syn_recv" => 60,"ip_conntrack_tcp_timeout_syn_sent" => 120
thank yo u for your thoughts. I have passed a link to this thread to the Sophos Community Support Team to read and see if that is an answer.
Please note: my experience has been that the suggested work arounds only remediate the issue until either the Apple device OS or Sophos UTM OS is updated, which causes the issue to return.
I had a lot of issues with this until the latest release of IOS for ipad and high sierra for mac books. It was working fine after the updates until I broke my XG configuration the other day.
I can confirm, I have the VERY same issue. iPhones can connect to the Apple App Store (most of the time), but iPad's can not!What I can say is: Switching off Intrusion Prevention allows the iPads to connect. I was unable to find either what exactly is being blocked nor which hosts/networks to define to create exceptions for the iOS devices. Does anyone have the app-store domains? My workaround to update all the apps is a pain, I temporarily log in to another access point which is DMZ, outside the UTM Firewall --> works. I then log out of that AP again, back into my network. I have given up finding the issue since I ran out of ideas months ago after spending several evenings without success. So please, any hints?! :)
In reply to Andreas Brand:
I will try again, must have pressed a wrong button because the post just vanished.
The fail message indicates that the Mac cannot connect to App store error 1201 or similar which is sort like a DNS issue, unresolved maybe, something blocking it. I do also note that there a tcp rst messages in the logviewer about the same time. I have increased the timeout to 80,000 but does not seem to have had any affect.
About two days ago my Mac books and the ipad failed to connect to the App store again. I suspect that was an update to the various patterns and some-ones comment about disabling the IPS could be the clue because all of a sudden I have a series of blocked reports in the IPS which doesn't normally happen.
All Macs could reconnect after each one was restarted, I have tried this before without success, the ipad didn't. I have a rule which I enable and disable when the Macs fail to connect, it does have IPS and the Mac's IP addresses. At this stage the ipad was not part of this rule.
The results might seem a bit confusing and inconclusive, they are.
These observations are on an XG, but the issue appears to be very similar.
Updated iOS on both of our iPads today. Once again, cannot connect to the App Store.
Has anyone been able to grab a log entry for the failed connection from their Sophos gateway?
one of the guys on the XG forum who is having the same issue added *.apple.com.au in his exceptions and my case and apple devices started talking again, he has many.
Adding the following URL to the Antivirus / Sandstorm / Extension blocking / URL Filter exception list did not resolve the issue for me.