

XG Firewall Apple TV+ Connection Issues

Ok, so I decided to give Apple TV+ a try.  I am aware of how finicky Apple products can be, but decided to give it a whirl anyway.  Perhaps I'm beating a dead horse on this.

The first issue was the XG blocking QUIC; once I allowed QUIC, streaming seemed to work fine.  Then things started going off the rails.  I now get intermittent issues where Apple Music and Apple TV+ cannot connect.  Apple TV+ provides the following message: "Content Unavailable".  This occurs no matter whether I use an iPad, iMac or Android box.

I use Android boxes with the Apple TV+ app installed.

Apple Music and Apple TV+ drop out every 15 or 20 minutes and they remain gone for several minutes before miraculously connecting.  During the Apple downtime, the Apple TV+ connection tests pass connecting to the internet but fail with connection to Apple.  I can stream using Disney+ with full 4K HDR10 without a single hiccup at any time and no rule exemptions.  My Speedtest shows absolutely no issues with my fibre line.

I have tried a number of "troubleshooting" steps with disabling one thing or the other.  This became extremely time consuming since the XG takes a very long time to update a firewall rule.  To speed things up, I have created the following rule at the top of my rules list:

  • LAN to WAN
  • Allow any service
  • Allow any source
  • Allow any destination
  • Web Policy = "Allow All"
  • Malware scanning disabled
  • Use web proxy instead of DPI
  • App Control = "Allow All"
  • IPS = "None"

Believe it or not, with the above rule the Apple TV+ and Apple Music still refuse to connect.

At this stage I am at a complete loss as to how to troubleshoot this further.  I cannot see how the XG might be interfering with the connection.  

I should add that I am attempting to troubleshoot this from my iMac by testing the Apple TV+ app on it.

As I finish typing this post, Apple TV+ & Apple Music both came back online.



  • When you have a problem, the first thing you want to do is go to the SSL/TLS logs and look for hosts/domains that might be related to your problem and that are being decrypted. Add them to an exception. Works fairly quickly and every time. It's the FIRST thing I look at since it causes mysterious problems -- the XG doesn't have an issue, the software/server have an issue -- so you won't really see an error.

    You'll get this working and a month from now, it'll stop working and you'll see that Apple TV added a new domain that's involved with its streaming. Add it to the list. In my case, I eventually tired of this and exempted our physical Apple TV (our streaming device of choice). And also did some traffic shaping to prioritize the stream as well.

  • Do not use SSL/TLS scanning on Apple sites; it does not work as well, and it does not recognise UDP traffic.

     I gave up and use the Proxy. Apple sites do not like decrypt and scan or even ignore. Just use the plain proxy, it works reliably.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Even with SSL/TLS disabled Apple TV+ dies after 13 minutes.  The regularity is perplexing but it is getting to the point that I might as well just cancel Apple TV+.  No other streaming service requires this level of troubleshooting.

    Anyway, time to watch Disney+

  • Thanks again Ian,

    Of course I had to give this a try tonight.  There is good news and bad news.  The bad news is that Apple TV+ streamed for about 14 minutes before it died as it did before with the rule I had.  The only good news is that this means that the rule I had before wasn’t off base.

    I got Apple TV+ streaming again by turning off SSL/TLS scanning.

  • I forgot to add the FQDN configuration.

    I have an FQDN group comprising two wildcard FQDNs.

    As best as I can determine these cover all Apple sites (today).

    Ian


  • Thank you for sharing Ian,

    This is both interesting and confusing since your rule appears identical to mine.  I will take a detailed look at this tomorrow.

  • Hi,

    here is my Apple access firewall rule.

    The above rules seem to work for most of the sites the Apple TV uses; I haven't tried them all. The rule sits above the general access to the internet rule.

    Ian


  • Ok, to summarize:

    I created a firewall rule for all traffic to the Apple IP address range since every device in the house can access Apple TV+.  In that rule I set "Web Filtering" to "None", "App Control" to "None" and "IPS" to "None".  This should mean that none of those security options are deployed (therefore no SSL/TLS) on the Apple IP address range.

    The logs seem to show that while a number of connections are made to the Apple IP address range, those addresses are not used for streaming.  It appears that Apple uses Akamai, AWS and a variety of other services for streaming.  Those servers are then caught by my standard LAN to WAN firewall rule which employs web filtering and will involve SSL/TLS scanning.  If those servers don't like their packets scanned, that would lead to issues.

    I don't know how to capture all the possible servers Apple might be using for streaming in order to put them into my Apple Service firewall rule.  Instead, it is likely best to just disable SSL/TLS inspection.  Or am I missing something?

  • Hi,

    what you are experiencing is that the applications do not like the packets being decrypted; there is no packet drop.

    For my Apple rules I use the web proxy, I tried using SSL/TLS and had too many failures. Also I do limit the number of ports that can be accessed and modify the list when a failure occurs. 

    Ian


  • Well, it seems that Apple is determined to prevent me from accessing any paid content.

    Last night, the movie Finch intermittently started and stopped every 10 minutes so I stopped watching it.  Today things seemed to work fine as I managed to finish watching Finch but then it and Apple Music/iTunes became unavailable and remain so.

    Going through the logs there isn't a single blocked packet anywhere from any device.

    The only thing that I can think of is that I am missing something in my TLS exclusion list.  I cannot see what I could be missing.  Here is my list:

    I likely have too many domains listed, but I have no way of knowing which ones are critical for streaming.