
Tivo will not update

I've read through everything I can find on how to get a Tivo to connect to the update service, but cannot figure this out.

I've followed what I have read, and so far nothing has worked.  

As of now, I have the following setup, and it will not connect...I keep getting the same TCP port error messages.

In Firewall Rules:

Source: Internal (Network) [have also tried the static IP of the tivo, a tivo network definition, etc.]

Services: All Tivo TCP ports: 37, 7288, 7287, 8080, 8081, 5005, 5223, 8000, 8080:8089 & UDP: 37, 123

Destination: Internet IPv4 [have also tried with just the tivo servers identified on the tivo site in a network group]

I also have the tivo urls I have seen in my Firewall log skipped in Web Protection for all filters (status, service, & singlemind.tivo.com)

I tried following some of the older posts on how to enable it, but that seemed like an older version of UTM, and I couldn't follow how to set up the NAT section.  But I tried using a TIVO service group, Tivo network, etc., but couldn't make it work.

I don't have any issues browsing the web with either a wired or wireless connection.  The Tivo is wireless to my Asus router, which is now in AP mode.  So it has an IP direct from the UTM, in the main Internal network.  It is static, with a Static Mapping.

Any assistance is greatly appreciated.  Getting tired of switching out my old router to get updates...

Thx



  • Hi Robert,

    What mode is Web Protection configured on? Did you try configuring an exception for TIVO URLs?

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • It is Transparent Mode.

    HTTPS URL filtering only

    Base Policy

    I do have every filter skipped for the status, service, and singlemind.tivo.com URLs. And I just edited them to model all the default filters, i.e., ^https?://service.tivo.com

  • Made a few changes, and it still will not connect.

    1. My Firewall rule now has every Tivo port that is either on their site or in the Tivo self check allowed. It is still Internal Network -> Internet IPv4...I am logging traffic, and I see it passing apparently OK [green highlights]. But I still get a failure on the Tivo.

    2. I enabled ICMP through the gateway as I saw a couple block entries after a Tivo connection test failed.

    3. I removed the filter to the specific tivo address as I stated above, and now have allowed the domain tivo.com (and any subdomains) in the default content filter action. Web Filter Profiles/Filter Actions..........
    Subnote on Web Protection: I found if I change to Standard Mode, or disable Web Protection entirely, I can no longer browse the Internet. Not sure if that is the expected result, but seemed odd to me.

    On one hand, this really does illustrate how much more locked down the Sophos UTM is than your standard router...Good!...but on the other, this seems like such a simple task that is overly complex.  I've tried firewall rules that explicitly allow every port Tivo says is required open to both the Tivo IP, and now to every host Internally, and it still doesn't work.  

    Please advise...my wife is getting upset at all the time I'm spending on this...

    Thanks,

  • Hi Robert,

    Take SSH to UTM and capture http.log. Note down the URLs associated with Tivo. Add these URLs in the transparent host destination skip list (Web protection > Filtering Options > Misc > Transparent skip destination). Also, add the IP address assigned to Tivo device in the source skip list.

    Go to the bottom of the Misc page and disable "Pharming".

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
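For readers following the http.log step suggested above, this added example (not part of the original thread, and not Sophos code) lists the hosts one client requested through the web proxy and whether each request was passed or blocked. The sample lines are constructed; the key="value" field names (`action`, `srcip`, `url`) and the client address 192.168.2.50 are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample in the key="value" style of a web proxy access log.
sample_log() {
cat <<'EOF'
2017:06:12-19:02:11 utm httpproxy[5012]: id="0001" name="http access" action="pass" method="CONNECT" srcip="192.168.2.50" dstip="203.0.113.10" url="https://service.tivo.com/"
2017:06:12-19:02:12 utm httpproxy[5012]: id="0060" name="web request blocked" action="block" method="GET" srcip="192.168.2.50" dstip="203.0.113.11" url="http://status.tivo.com:8080/check"
2017:06:12-19:02:15 utm httpproxy[5012]: id="0001" name="http access" action="pass" method="GET" srcip="192.168.2.50" dstip="203.0.113.10" url="https://service.tivo.com/x"
2017:06:12-19:02:20 utm httpproxy[5012]: id="0001" name="http access" action="pass" method="GET" srcip="192.168.2.10" dstip="203.0.113.99" url="http://www.example.com/"
EOF
}

# Print "<action> <host> <count>" for every host requested by CLIENT_IP.
# usage: proxy_hosts_for_client LOGFILE CLIENT_IP
proxy_hosts_for_client() {
    awk -v ip="$2" '
        # return the value of key="value" on the current line, or ""
        function field(key,    m, s) {
            s = key "=\""
            m = index($0, " " s)
            if (m == 0) return ""
            s = substr($0, m + length(s) + 1)
            return substr(s, 1, index(s, "\"") - 1)
        }
        {
            if (field("srcip") != ip) next      # other clients
            host = field("url")
            if (host == "") next
            sub(/^[a-z]+:\/\//, "", host)       # drop the scheme
            sub(/[\/:?].*$/, "", host)          # drop port, path, query
            seen[field("action") " " host]++
        }
        END { for (k in seen) print k, seen[k] }
    ' "$1" | sort
}

# Demo run on the constructed sample.
log=$(mktemp)
sample_log > "$log"
proxy_hosts_for_client "$log" 192.168.2.50
rm -f "$log"
```

Hosts that show up with `block` are the candidates for the skip list; a device whose failing connections never appear in this log at all is not being handled by the web proxy for that traffic.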

  • I did all that except checking the http.log, don't have time to SSH and check the log, but will do that tonight.

    I added a Tivo host group that has all the IPs identified on the Tivo site into the destination hosts and the Tivo IP to the source hosts to the Transparent Mode Skiplist, and disabled pharming.....still would not connect.

    Will check the log tonight.  Work calls...

    Any other options on this?

    Thanks for your assistance.

  • Solution found finally!

    On the suggestion of a firewall guy at work (thx Gus if you read this!), I added the following NAT Masquerade rule: 

    TivoNetwork (just the Tivo IP) --> WAN

    And it connected and has now downloaded all updates...took quite a while!

    I will proceed with rolling back all the things I tried, clean it all up a little, tighten the security on it, and post the final solution for anyone else who runs into this in the future.

    [:D]

  • Amazing!! enjoy the shows :)

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • My final settings:

    Firewall Rule (Network Protection / Firewall)
    Source: Tivo IP
    Service: TivoServices group that included all the services listed in my first post, these are every port from the troubleshooting page and what my Tivo says is required
    Destination: Tivo Group that includes all IPs listed on the Tivo troubleshooting page

    NAT Rule (Network Protection / NAT / Masquerading)
    Network:
    TivoNetwork (just the Tivo IP)
    Interface: WAN

    Web Filter (Web Protection / Filter Profiles / Filter Actions)
    Default content filter action / Websites / Allowed Sites: tivo.com domain (include subdomains)

    Trusted Site (Web Protection / Filtering Options / Websites)
    tivo.com domain / include subdomains / Do not override / Reputation: Trusted

    I have a feeling removing the last two (Web Filter and Trusted Site) would still work, but they seem logical to me, and perhaps make any communication with tivo.com a little more responsive...so I am leaving them.

    Hopefully this helps others...in the end it wasn't a lot, but just took a while to figure it all out.

  • RobertBurri said:

    Firewall Rule (Network Protection / Firewall)

    Source: Tivo IP
    Service: TivoServices group that included all the services listed in my first post, these are every port from the troubleshooting page and what my Tivo says is required
    Destination: Tivo Group that includes all IPs listed on the Tivo troubleshooting page

    Running UTM v9.5. 

    What option is the Tivo Group?  Is it a collection of Ranges?  Then a Network Group or Ranges?

     

    Thanks,