Anyone else having problems logging into Apple services? Eg iCloud, iBooks Store, iTunes, etc.
At the Sign In dialog box, I enter my Apple ID and Password, and click Sign In. It comes back with "There was an error connecting to the Apple ID server" in red. I've turned off IPS and Web Filter to no avail. I've put iCloud.com and apple.com in the Web Filter Whitelist anyway, but it makes no difference. Any suggestions? (on 1.5SP1)
Thanks, James.
CONTENTS DELETED
The author has deleted this message.
It's green. I can access iCloud through the web no problems. It's applications like iBooks, iTunes, Photos, etc that say they can't access the Apple servers. I've turned off IPS, but still nothing. Do I have to press 'Save & Apply' after doing this? If I do it seems to turn it back on.
All I can see in the IPS logs are:
02/26-00:02:18.477198 [Drop] [**] [116:58:1] (snort_decoder) WARNING: Experimental Tcp Options found [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.10.10.110:62691 -> 17.140.27.6:443
Do I just put 116:58:1 in the Exclude Rules tab and press Save & Apply? I seem to remember this happening and posting solution on the old Itus forums. Are they searchable somewhere?
Thanks, James.
There was a thread called "Intrusion Prevention Rule 2017005 Blocking downloads": index-129.htm
Breda made a copy of the packetinspector forum: dropbox
No more: Shield Pro v1, Chaos Calmer, FW 1.51 SP1
Thanks Hans.
Looks like that thread refers to Suricata, and Shield is using Snort now. Thanks for the link to the Breda copy - I'll see if I can find anything there.
James.
In reply to this post by hans2
From my email notifications from the old Itus forums I found that the title of the thread was, "Apple's App Store - can't download." but searching in Breda's copy doesn't find it.
Can anyone find that? Here's an excerpt from the email notification:
****
SilentWolf Wrote: (09-13-2015, 10:55 PM) -- jlbrown Wrote: (09-13-2015, 06:51 AM) -- Well, I'm emb... (visit the thread to read more..)
------------------------------------------
To view the thread, you can go to the following URL: https://packetinspector.org/showthread.php?tid=301&action=newpost
***
Thanks, James.
CONTENTS DELETED
The author has deleted this message.
In reply to this post by James Brown
SSL indicator for https://www.icloud.com is green for me too, and I'm having similar issues in that iTunes for Windows 10 can't access the iTunes Store or program updates. But the store is accessible from iOS devices and app updates seem to run okay.
From other replies here, I think 2017005 is the number to try within the Exclude Rules tab, assuming Suricata rule IDs match Snort rule IDs. Can anyone confirm?
OpenWrt SNAPSHOT, r10391-3d8d528939
Administrator
Yes, the SID #'s are the same.
Running the latest OpenWrt stable release
Thanks, put 2017005 in the Exclude Rules section. Save & Apply.
No change. :-( iBooks still says, "There was an error connecting to the Apple ID server."
In reply to this post by Gnomad
The IPS logs say:
3/09-23:06:50.861600 [Drop] [**] [116:58:1] (snort_decoder) WARNING: Experimental Tcp Options found [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.10.10.110:52781 -> 17.140.27.6:443
03/09-23:06:18.496652 [Drop] [**] [116:58:1] (snort_decoder) WARNING: Experimental Tcp Options found [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.10.10.110:52781 -> 17.140.27.6:443
03/09-23:06:02.382105 [Drop] [**] [116:58:1] (snort_decoder) WARNING: Experimental Tcp Options found [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.10.10.110:52781 -> 17.140.27.6:443
03/09-23:05:54.376394 [Drop] [**] [116:58:1] (snort_decoder) WARNING: Experimental Tcp Options found [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.10.10.110:52781 -> 17.140.27.6:443
17.x.x.x numbers are Apple. Does this info help?
Thanks, James.
Administrator
Comment out this line in your snort config:
include $PREPROC_RULE_PATH/decoder.rules
Running the latest OpenWrt stable release
In reply to this post by James Brown
James Brown
Just a thought, but you could change the rules from drop to alert to see if it's the rules that are causing the problem. In the fw_upgrade script you can just change the line from
sed -i 's/alert /drop /' /mnt/ramdisk/alert.list
to
sed -i 's/drop /alert /' /etc/snort/rules/snort.rules
then run
sh /sbin/fw_upgrade
This will change drop to alert, which should show as alert in the log and not stop any traffic. This way you can test if it's snort causing the problem. Hope this helps.
roadrunnere42
In reply to this post by user8446
Thanks for the lead! I wondered if we could make it a bit more targeted, so I opened up decoder.rules and found:
alert ( msg:"DECODE_TCPOPT_EXPERIMENT"; sid:58; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
Instead of commenting out the whole line, I just added 58 to my Exclude Rules tab, and voilà! iTunes Store is back :)
OpenWrt SNAPSHOT, r10391-3d8d528939
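The fix above came from reading the bracketed `[116:58:1]` in the IPS log as gid:sid:rev and finding that rule in decoder.rules. As an added example (not part of any post in this thread, and not Itus or Snort code), this Python sketch groups `[Drop]` lines by that triple and looks up the matching rule message; the function names and the last sample log line are constructed.

```python
import re
from collections import defaultdict

# Snort "fast" alert line: ts [Action] [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\[(?P<action>\w+)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)")
# key:value; options inside a rule body (a quoted msg is consumed whole)
OPT_RE = re.compile(r'\b(msg|sid|gid|rev)\s*:\s*("[^"]*"|[^;]+);')

def parse_alert(line):
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def parse_rule(line):
    if not line.strip() or line.lstrip().startswith("#"):
        return None                      # blank or commented-out rule
    opts = {k: v.strip().strip('"') for k, v in OPT_RE.findall(line)}
    if "sid" not in opts:
        return None
    # a text rule with no explicit gid belongs to generator 1
    return (opts.get("gid", "1"), opts["sid"]), opts.get("msg", "")

def summarize_drops(log_lines, rule_lines):
    """Group dropped packets by [gid:sid:rev] and attach the matching rule msg."""
    rules = dict(r for r in map(parse_rule, rule_lines) if r)
    groups = defaultdict(lambda: {"drops": 0, "dsts": set()})
    for a in filter(None, map(parse_alert, log_lines)):
        if a["action"] != "Drop":        # alert-only lines do not block traffic
            continue
        g = groups[(a["gid"], a["sid"], a["rev"])]
        g["drops"] += 1
        g["dsts"].add(a["dst"])
    return [{"id": ":".join(k), "gid": k[0], "sid": k[1], "drops": g["drops"],
             "dsts": sorted(g["dsts"]),
             "rule_msg": rules.get(k[:2], "<not in rules file>")}
            for k, g in sorted(groups.items(), key=lambda kv: -kv[1]["drops"])]

# First three log lines and the rule are copied from the thread; the last log line is constructed.
SAMPLE_LOG = [
    "02/26-00:02:18.477198 [Drop] [**] [116:58:1] (snort_decoder) WARNING: Experimental Tcp Options found [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.10.10.110:62691 -> 17.140.27.6:443",
    "03/09-23:06:18.496652 [Drop] [**] [116:58:1] (snort_decoder) WARNING: Experimental Tcp Options found [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.10.10.110:52781 -> 17.140.27.6:443",
    "03/09-23:06:02.382105 [Drop] [**] [116:58:1] (snort_decoder) WARNING: Experimental Tcp Options found [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.10.10.110:52781 -> 17.140.27.6:443",
    "03/09-23:07:01.000000 [**] [1:1000001:1] CONSTRUCTED sample alert [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.10.10.110:52790 -> 192.0.2.10:80",
]
SAMPLE_RULES = ['alert ( msg:"DECODE_TCPOPT_EXPERIMENT"; sid:58; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )']

if __name__ == "__main__":
    for row in summarize_drops(SAMPLE_LOG, SAMPLE_RULES):
        print(row)
```

The `sid` field of each row is the number that was entered in the Exclude Rules tab in the post above.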
In reply to this post by user8446
Well, I commented out the decoder.rules lines in both Snort 7 & 8, to no avail.
:-( And there is nothing in the IPS logs for the last 9 hours. I'll reboot the Shield.
Administrator
This post was updated on Mar 11, 2016; 2:27am.
Are you in bridge? In that case it's snort_bridge.conf or the actual rule SID 58 in the exclude rules as Gnomad mentioned above.
Running the latest OpenWrt stable release