Cannot Connect to App Store Since Upgrading to iOS v11

Ever since upgrading our iOS devices to v11 they "Cannot Connect to App Store" when the connection is through our UTM. We are not experiencing any issues connecting these devices to the App Store through other non-UTM Internet connections.

There are no blocked packets in the Firewall logs and no blocked connection attempts in the Web Protection logs.

The "Apple Update [Allows Apple Update without content scanning side effects.]" Web Protection exception is enabled.

I'm running UTM v9.415-1 (and not interested in upgrading to v9.5 so please don't suggest that as a fix unless this is a known issue with v9.4).

Adding iOS devices to the "Skip Transparent Mode Source" list resolves the issue but is obviously a less than desirable solution.

I can't be the only one experiencing this issue. Please help.

  • In reply to BAlfson:

    Are you suggesting that the following fix included in v9.506-2 will resolve my issue?

    Fix [NUTM-8834]: [Web] iOS11 user agent string is not detected as iOS

    Thx

  • I have the same problem ~ it still cannot be solved....

    iPad with iOS 11 cannot connect to the Apple App Store, or cannot download any apps or updates.

    Sometimes it can be solved by connecting the iPad to mobile tethering once and then back to the company AP. However, it is only solved for a limited, short time.

    It seems that it is a certificate problem in iOS 11 with Sophos UTM.

    We are using a Sophos SG310 (Firmware version: 9.506-2).

    Cato

  • In reply to Cato Kwok:

    Please share the solution with us after you work with Sophos Support.

    Cheers - Bob

  • In reply to BAlfson:

    This issue persists, but it appears that only Wi-Fi-only iPads are affected and not iPhones? Can anyone confirm that their Wi-Fi-only iPad cannot connect to the App Store but that any cellular-capable iOS device can connect to the App Store, even when using the same Wi-Fi network as the iPads that cannot connect?

    Thx

  • In reply to busthead:

    Hi folks,

    while not currently a UTM user but an XG user, I have the same issue. Macs and iPads fail, but iPhones connect; strange? The workaround was to connect the Macs and iPad via a hotspot, initiate the Apple Store connection and then put the devices back onto the LAN, which works fine, but... for some unknown reason mine broke a couple of days ago and all my rules that had worked in the past failed to allow the connection.

    So, working with the Sophos Community Support Team, I tried some different firewall rules this morning. In the end the one that worked was to allow the Mac devices by IP address with any as the service and destination. After all the devices had accessed the Apple Store I disabled that rule, and the Macs and iPad can now access the Apple Store without error.

    I suspect the issue is caused by a TCP RST error I see in the logs, but I can't reproduce the failure to do additional testing.

    I hope the above provides some help.

    Ian

    Late thought: this is probably an XG-only issue, but I did find at one stage that *.apple.com did not work, almost as if there are addresses missing or Apple has a non-Apple address in use?

  • In reply to rfcat_vk:

    Ian, my theory is that you can ignore blocked RST packets unless there's a problem. I think that your distance from the Apple Store causes the connection tracker to terminate a connection too soon for the communication to continue. I'm not a TCP/IP guru, so I don't know which ip_conntrack_tcp_timeout needs to be increased. Running Wireshark on a packet capture would probably give us the answer. The options are:

    "ip_conntrack_tcp_timeout_close" => 10,
    "ip_conntrack_tcp_timeout_close_wait" => 60,
    "ip_conntrack_tcp_timeout_established" => 86400,
    "ip_conntrack_tcp_timeout_fin_wait" => 120,
    "ip_conntrack_tcp_timeout_last_ack" => 30,
    "ip_conntrack_tcp_timeout_max_retrans" => 300,
    "ip_conntrack_tcp_timeout_syn_recv" => 60,
    "ip_conntrack_tcp_timeout_syn_sent" => 120

    Cheers - Bob
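    Bob's suggestion of looking at a packet capture can be turned into a concrete check. The script below is an added example, not code from the thread or from Sophos: it parses a pcap, groups segments into flows, and for every RST reports who sent it and how long the flow had been idle before the segment that drew the RST, then lists which of the ip_conntrack_tcp_timeout_* values quoted above that idle period exceeds. The capture it analyzes is constructed inline (TEST-NET addresses, zero checksums), not a real trace from a UTM, and the parser assumes Ethernet + IPv4 + TCP with no IP options.

```python
"""Added example: find RSTs that follow a long idle gap in a packet capture."""
import struct
from collections import defaultdict

TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x02, 0x04, 0x08, 0x10

# The ip_conntrack_tcp_timeout_* values quoted in the post above, in seconds.
CONNTRACK_TCP_TIMEOUTS = {
    "close": 10, "close_wait": 60, "established": 86400, "fin_wait": 120,
    "last_ack": 30, "max_retrans": 300, "syn_recv": 60, "syn_sent": 120,
}


def build_record(ts, src, dst, sport, dport, flags):
    """One pcap record: Ethernet + IPv4 + TCP header, no payload, no options."""
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    frame = eth + ip + tcp
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def build_pcap(records):
    """Little-endian pcap global header (link type 1 = Ethernet) plus records."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(records)


def iter_tcp(pcap):
    """Yield (timestamp, src, dst, sport, dport, flags) for each IPv4/TCP record."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, caplen, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        frame = pcap[off:off + caplen]
        off += caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield sec + usec / 1_000_000, src, dst, sport, dport, tcp[13]


def flow_key(src, dst, sport, dport):
    """Direction-independent 4-tuple so both halves of a flow share one key."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def find_rsts(pcap):
    """For every RST: its sender and the idle gap before the segment that drew it.
    A RST carrying the server's address may come from the server or from a
    middlebox spoofing it; the capture alone cannot tell them apart."""
    last_seen, idle_before_last, findings = {}, defaultdict(float), []
    for ts, src, dst, sport, dport, flags in iter_tcp(pcap):
        key = flow_key(src, dst, sport, dport)
        if flags & TCP_RST:
            idle = idle_before_last[key]
            findings.append({
                "flow": key, "rst_from": f"{src}:{sport}", "idle_before": idle,
                # Timeouts the gap exceeds; which one applies depends on the
                # conntrack state the flow was in when it went quiet.
                "exceeds": sorted(n for n, t in CONNTRACK_TCP_TIMEOUTS.items() if t <= idle),
            })
        elif key in last_seen:
            idle_before_last[key] = ts - last_seen[key]
        last_seen[key] = ts
    return findings


def analyze_sample_capture():
    """Constructed sample: flow A idles ~200 s and then gets a RST from the
    server side; flow B is aborted by the client right after the handshake."""
    C, S = "192.0.2.10", "203.0.113.10"  # placeholder client / server addresses
    segs = [
        (0.00, C, S, 50000, 443, TCP_SYN),
        (0.05, S, C, 443, 50000, TCP_SYN | TCP_ACK),
        (0.10, C, S, 50000, 443, TCP_ACK),
        (0.20, C, S, 50000, 443, TCP_PSH | TCP_ACK),
        (0.30, S, C, 443, 50000, TCP_ACK),
        (1.00, C, S, 50001, 443, TCP_SYN),
        (1.05, S, C, 443, 50001, TCP_SYN | TCP_ACK),
        (1.10, C, S, 50001, 443, TCP_RST),
        (200.00, C, S, 50000, 443, TCP_PSH | TCP_ACK),  # first segment after the gap
        (200.05, S, C, 443, 50000, TCP_RST | TCP_ACK),
    ]
    return find_rsts(build_pcap(build_record(*s) for s in segs))


if __name__ == "__main__":
    for f in analyze_sample_capture():
        print(f"RST from {f['rst_from']} after {f['idle_before']:.2f}s idle; "
              f"exceeds: {', '.join(f['exceeds']) or 'none'}")
```

    Run against a real capture by replacing the constructed records with the file's bytes. The useful detail is the "exceeds" list: a flow that was in ESTABLISHED state would have to sit idle for 86400 s before conntrack dropped it, so a RST after a gap of a few hundred seconds points at one of the shorter per-state timeouts or at something other than the connection tracker.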

  • In reply to BAlfson:

    Hi Bob,

    thank you for your thoughts. I have passed a link to this thread to the Sophos Community Support Team to read and see if that is an answer.

    Ian

  • In reply to rfcat_vk:

    Please note: my experience has been that the suggested work arounds only remediate the issue until either the Apple device OS or Sophos UTM OS is updated, which causes the issue to return.

  • In reply to busthead:

    Hi,

    I had a lot of issues with this until the latest release of iOS for iPad and High Sierra for MacBooks. It was working fine after the updates until I broke my XG configuration the other day.

    Ian

  • In reply to busthead:

    Hi guys!

    I can confirm, I have the VERY same issue. iPhones can connect to the Apple App Store (most of the time), but iPads cannot!
    What I can say is: switching off Intrusion Prevention allows the iPads to connect. I was unable to find either what exactly is being blocked or which hosts/networks to define to create exceptions for the iOS devices. Does anyone have the App Store domains?
    My workaround to update all the apps is a pain: I temporarily log in to another access point, which is in the DMZ, outside the UTM firewall --> works. I then log out of that AP again, back into my network. I have given up finding the issue since I ran out of ideas months ago after spending several evenings without success. So please, any hints?! :)

    regards
    Andreas

  • In reply to Andreas Brand:

    Hi folks,

    I will try again, must have pressed a wrong button because the post just vanished.

    The fail message indicates that the Mac cannot connect to the App Store, error 1201 or similar, which is sort of like a DNS issue, unresolved maybe, something blocking it. I do also note that there are TCP RST messages in the log viewer at about the same time. I have increased the timeout to 80,000 but it does not seem to have had any effect.

    About two days ago my MacBooks and the iPad failed to connect to the App Store again. I suspect that was an update to the various patterns, and someone's comment about disabling the IPS could be the clue, because all of a sudden I have a series of blocked reports in the IPS, which doesn't normally happen.

    All Macs could reconnect after each one was restarted (I have tried this before without success); the iPad didn't. I have a rule which I enable and disable when the Macs fail to connect; it does have IPS and the Macs' IP addresses. At this stage the iPad was not part of this rule.

    The results might seem a bit confusing and inconclusive; they are.

    Ian

    These observations are on an XG, but the issue appears to be very similar.

  • In reply to rfcat_vk:

    Updated iOS on both of our iPads today. Once again, cannot connect to the App Store.

    Has anyone been able to grab a log entry for the failed connection from their Sophos gateway?

  • In reply to busthead:

    Hi,

    one of the guys on the XG forum who is having the same issue added *.apple.com.au to his exceptions, and in my case too the Apple devices started talking again; he has many.

    Ian

  • In reply to rfcat_vk:

    Adding the following URL to the Antivirus / Sandstorm / Extension blocking / URL Filter exception list did not resolve the issue for me.

    ^https?://([A-Za-z0-9.-]*\.)?apple\.com\.au/
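    Before relying on a URL-filter exception, it is worth checking what the regex actually covers. The script below is an added example, not code from the thread or from Sophos: it runs the exception quoted above, which only matches hosts under apple.com.au, against a set of candidate URLs, next to an assumed broader pattern that also covers apple.com. The candidate URLs are constructed for illustration and are not a verified list of App Store endpoints (the thread never establishes one), and the broader pattern is an assumption used to show the regex mechanics, not a recommendation from Sophos or Apple. It checks the patterns with Python's re; the UTM's own matcher may differ in details, so treat it as a sanity check rather than proof.

```python
"""Added example: see which hosts a URL-filter exception regex really exempts."""
import re
from urllib.parse import urlsplit

# Pattern as posted above: apple.com.au and its subdomains only.
AU_ONLY = r"^https?://([A-Za-z0-9.-]*\.)?apple\.com\.au/"

# Assumed broader pattern (not from the thread): apple.com and apple.com.au,
# with or without a subdomain or explicit port, still anchored on the host so
# that a host merely containing "apple.com" does not slip through.
APPLE_COM_AND_AU = r"^https?://([A-Za-z0-9.-]*\.)?apple\.com(\.au)?(:\d+)?/"

# Constructed candidates: some Apple-looking hosts, and some that only contain
# the string "apple.com" and must NOT be exempted from scanning.
CANDIDATES = [
    "https://itunes.apple.com/",
    "https://www.apple.com.au/",
    "https://apple.com/",
    "http://apple.com.au/",
    "https://apple.com:443/",
    "https://apple.com.evil.example/",
    "https://notapple.com/",
    "https://evil.example/?next=https://apple.com/",
]


def matched_hosts(pattern, urls):
    """Hosts (as urlsplit reports them) of the URLs the exception pattern matches."""
    rx = re.compile(pattern)
    return sorted({urlsplit(u).hostname for u in urls if rx.match(u)})


def unmatched(pattern, urls):
    """URLs the pattern does not exempt, i.e. traffic that still gets scanned."""
    rx = re.compile(pattern)
    return [u for u in urls if not rx.match(u)]


def compare():
    """Side-by-side coverage of the posted pattern and the assumed broader one."""
    return {"au_only": matched_hosts(AU_ONLY, CANDIDATES),
            "apple_com_and_au": matched_hosts(APPLE_COM_AND_AU, CANDIDATES)}


if __name__ == "__main__":
    for name, hosts in compare().items():
        print(f"{name}: {', '.join(hosts)}")
    print("still scanned under AU_ONLY:", unmatched(AU_ONLY, CANDIDATES))
```

    The point of the comparison is that the exception as posted exempts nothing under apple.com, only apple.com.au, so a device talking to an apple.com host is unaffected by it; any broader pattern should stay anchored on the host part, as both patterns here are, so that a look-alike host such as apple.com.evil.example is not exempted.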