Can't access Apple's iCloud/iTunes, etc

Can't access Apple's iCloud/iTunes, etc

James Brown
Anyone else having problems logging into Apple services? Eg iCloud, iBooks Store, iTunes, etc.

At the Sign In dialog box, I enter my Apple ID and Password, and click Sign In. It comes back with "There was an error connecting to the Apple ID server" in red.

I've turned off IPS and Web Filter to no avail.

I've put iCloud.com and apple.com in the Web Filter Whitelist anyway, but it makes no difference.

Any suggestions?

(on 1.5SP1)

Thanks,

James.

Re: Can't access Apple's iCloud/iTunes, etc

Me_3594
James Brown wrote
Anyone else having problems logging into Apple services? Eg iCloud, iBooks Store, iTunes, etc.

At the Sign In dialog box, I enter my Apple ID and Password, and click Sign In. It comes back with "There was an error connecting to the Apple ID server" in red.

I've turned off IPS and Web Filter to no avail.

I've put iCloud.com and apple.com in the Web Filter Whitelist anyway, but it makes no difference.
Is the SSL browser indicator for https://www.icloud.com green or red? There have been MITM issues with SSL decryption by Shield that could cause this problem.
Do you have any log items in the kernel log / system log / Snort log that match these events?

Re: Can't access Apple's iCloud/iTunes, etc

James Brown
It's green. I can access iCloud through the web no problems. It's applications like iBooks, iTunes, Photos, etc that say they can't access the Apple servers. I've turned off IPS, but still nothing. Do I have to press 'Save & Apply' after doing this? If I do it seems to turn it back on.

All I can see in the IPS logs are:

02/26-00:02:18.477198  [Drop] [**] [116:58:1] (snort_decoder) WARNING: Experimental Tcp Options found [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.10.10.110:62691 -> 17.140.27.6:443

Do I just put 116:58:1 in the Exclude Rules tab and press Save & Apply?

I seem to remember this happening and posting a solution on the old Itus forums. Are they searchable somewhere?

Thanks,

James.

Re: Can't access Apple's iCloud/iTunes, etc

Hans
Administrator
There was a thread called "Intrusion Prevention Rule 2017005 Blocking downloads": index-129.htm

Breda made a copy of the packetinspector forum: dropbox
Using Shield Pro v1, Chaos Calmer, FW 1.51 SP1, Bridge Mode

2nd Shield as Sandbox, Chaos Calmer, FW 1.51 SP1 + hotfixes

Re: Can't access Apple's iCloud/iTunes, etc

James Brown
Thanks Hans.

Looks like that thread refers to Suricata, and Shield is using Snort now.

Thanks for the link to the Breda copy - I'll see if I can find anything there.

James.

Re: Can't access Apple's iCloud/iTunes, etc

James Brown
In reply to this post by Hans
From my email notifications from the old Itus forums I found that the title of the thread was, "Apple's App Store - can't download." but searching in Breda's copy doesn't find it.

Can anyone find that? Here's an excerpt from the email notification:
****
SilentWolf Wrote: (09-13-2015, 10:55 PM)
--

jlbrown Wrote: (09-13-2015, 06:51 AM)
--
Well, I'm emb... (visit the thread to read more..)
------------------------------------------

To view the thread, you can go to the following URL:
https://packetinspector.org/showthread.php?tid=301&action=newpost
***

Thanks,

James.


Re: Can't access Apple's iCloud/iTunes, etc

Me_3594
Is this it?

printthread-115.htm

Re: Can't access Apple's iCloud/iTunes, etc

Gnomad
In reply to this post by James Brown
SSL indicator for https://www.icloud.com is green for me too, and I'm having similar issues in that iTunes for Windows 10 can't access the iTunes Store or program updates.  But the store is accessible from iOS devices and app updates seem to run okay.
James Brown wrote
Do I just put 116:58:1 in the Exclude Rules tab and press Save & Apply?
From other replies here, I think 2017005 is the number to try within the Exclude Rules tab, assuming Suricata rule IDs match Snort rule IDs.
Can anyone confirm?
Router 1.51 SP1, fw_upgrade v8.3.3

Re: Can't access Apple's iCloud/iTunes, etc

user8446
Administrator
Yes, the SID #'s are the same.
Running in bridge mode, 1.51 SP1 fw

Re: Can't access Apple's iCloud/iTunes, etc

James Brown
Thanks, put 2017005 in the Exclude Rules section. Save & Apply.

No change. :-(

iBooks still says, "There was an error connecting to the Apple ID server."

Re: Can't access Apple's iCloud/iTunes, etc

James Brown
In reply to this post by Gnomad
The IPS logs say:

3/09-23:06:50.861600  [Drop] [**] [116:58:1] (snort_decoder) WARNING: Experimental Tcp Options found [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.10.10.110:52781 -> 17.140.27.6:443
03/09-23:06:18.496652  [Drop] [**] [116:58:1] (snort_decoder) WARNING: Experimental Tcp Options found [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.10.10.110:52781 -> 17.140.27.6:443
03/09-23:06:02.382105  [Drop] [**] [116:58:1] (snort_decoder) WARNING: Experimental Tcp Options found [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.10.10.110:52781 -> 17.140.27.6:443
03/09-23:05:54.376394  [Drop] [**] [116:58:1] (snort_decoder) WARNING: Experimental Tcp Options found [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.10.10.110:52781 -> 17.140.27.6:443

17.x.x.x numbers are Apple.

Does this info help?

Thanks, James.
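
Added example, not written by any poster in this thread: a small triage script for Snort fast-alert lines in the format quoted above, grouping events by action, `gid:sid:rev` (generator ID, signature ID, revision) and destination so the signature that is actually dropping traffic stands out. The function names are hypothetical and the sample input is constructed from the lines in this post, with one invented alert-only line for contrast.

```shell
#!/bin/sh
# Added example: triage Snort fast-alert lines by action, gid:sid:rev and destination.

# Constructed sample input in the format quoted in this thread
# (the last line is an invented alert-only event for contrast).
sample_log() {
cat <<'EOF'
03/09-23:05:54.376394  [Drop] [**] [116:58:1] (snort_decoder) WARNING: Experimental Tcp Options found [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.10.10.110:52781 -> 17.140.27.6:443
03/09-23:06:02.382105  [Drop] [**] [116:58:1] (snort_decoder) WARNING: Experimental Tcp Options found [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.10.10.110:52781 -> 17.140.27.6:443
03/09-23:06:18.496652  [Drop] [**] [116:58:1] (snort_decoder) WARNING: Experimental Tcp Options found [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.10.10.110:52781 -> 17.140.27.6:443
03/09-23:07:01.000000  [**] [1:1000001:1] CONSTRUCTED sample alert [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.10.10.110:52790 -> 192.0.2.10:80
EOF
}

# Print "<count> <action> <gid:sid:rev> <dst>" per distinct event, busiest first.
summarise_alerts() {
  awk '
    {
      sub(/[ \t\r]+$/, "")                      # tolerate trailing whitespace / CR
      action = ($0 ~ /\[Drop\]/) ? "drop" : "alert"
      if (!match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/)) next
      sig = substr($0, RSTART + 1, RLENGTH - 2) # strip the surrounding brackets
      if (!match($0, /-> [0-9.]+(:[0-9]+)?$/)) next
      dst = substr($0, RSTART + 3)              # skip the "-> " prefix
      count[action " " sig " " dst]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# Print only the gid:sid pairs that dropped traffic: the candidates to review
# before excluding anything.
dropped_sigs() {
  summarise_alerts |
    awk '$2 == "drop" { split($3, p, ":"); print p[1] ":" p[2] }' | sort -u
}

# Stand-alone run against the constructed sample.
sample_log | summarise_alerts
```

To use it on a real log, redirect the file into `summarise_alerts` or `dropped_sigs` instead of piping `sample_log`.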

Re: Can't access Apple's iCloud/iTunes, etc

user8446
Administrator
Comment out this line in your snort config:

include $PREPROC_RULE_PATH/decoder.rules
Running in bridge mode, 1.51 SP1 fw

Re: Can't access Apple's iCloud/iTunes, etc

Roadrunnere42
In reply to this post by James Brown
James Brown

Just a thought, but you could change the rules from drop to alert to see if it's the rules that are causing the problem. In the fw_upgrade script you can just change the line from

sed -i 's/alert /drop /' /mnt/ramdisk/alert.list

to

sed -i 's/drop /alert /'  /etc/snort/rules/snort.rules

then run sh /sbin/fw_upgrade

This will change drop to alert, which should show as alert in the log and not stop any traffic. This way you can test if it's Snort causing the problem. Hope this helps.


roadrunnere42

Re: Can't access Apple's iCloud/iTunes, etc

Gnomad
In reply to this post by user8446
user8446 wrote
Comment out this line in your snort config:
include $PREPROC_RULE_PATH/decoder.rules
Thanks for the lead!  I wondered if we could make it a bit more targeted, so I opened up decoder.rules and found:
alert ( msg:"DECODE_TCPOPT_EXPERIMENT"; sid:58; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
Instead of commenting out the whole line, I just added 58 to my Exclude Rules tab, and voilà!  iTunes Store is back :)
Router 1.51 SP1, fw_upgrade v8.3.3

Re: Can't access Apple's iCloud/iTunes, etc

James Brown
In reply to this post by user8446
Well, I commented out the decoder.rules lines in both Snort 7 & 8, to no avail.

:-(

And there is nothing in the IPS logs for the last 9 hours. I'll reboot the Shield.

Re: Can't access Apple's iCloud/iTunes, etc

user8446
Administrator
Are you in bridge? In that case it's snort_bridge.conf or the actual rule SID 58 in the exclude rules as Gnomad mentioned above.
Running in bridge mode, 1.51 SP1 fw