09-13-2024 06:29 AM
Hi,
there's an interesting issue that seems pretty reproducible. I am connected to some network outside (not my home's LAN), connected via VPN to my enterprise. Then I realize that somebody rings the HomeKit video doorbell at home. This then triggers an AnyConnect / Secure Client reconnect which can take quite a few seconds. I must say that is quite irritating, as it firstly interrupts my network connections (which is annoying when e.g. in a call or when I have a large data transfer) and also I would question whether AnyConnect / Secure Client is a secure VPN solution if it's enough that someone rings my HomeKit video doorbell many miles away to interrupt my work or maybe other important matters or do other pranks.
Does anyone have any idea (other than disabling HomeKit please - it's generally useful to learn that the delivery guy just deposited a valuable parcel)?
Thanks!
In the log, it simply looks like this:
13:50:08 Reconnecting to Standard...
13:50:46 Establishing VPN - Examining system...
13:50:46 Establishing VPN - Activating VPN adapter...
13:50:46 Establishing VPN - Configuring system...
13:50:48 Establishing VPN...
13:50:48 Connected to Standard.
13:50:48 Reconnecting to Standard...
13:50:48 Connected to Standard.
13:50:49 Reconnecting to Standard...
13:50:51 Connected to Standard.
09-13-2024 06:49 AM
A couple of things, if I was looking at this to troubleshoot. When the doorbell is activated, it might be causing a change in your home network's routing, which could potentially conflict with your VPN connection, especially if your VPN is configured to be particularly sensitive to network changes. The other thing I thought of was that, as most VPNs are set for split-tunnel, when the doorbell is activated it might be triggering the re-evaluation of which traffic should go where, causing the VPN to reconnect.
However, this said, if you are not connected to the VPN and your doorbell is activated, does this interrupt your wifi/network? Are you connected by wifi or wired in? If you have not tested this, hardwire your device to the router with the VPN connected and activate the doorbell; if the problem happens when wired, it might be occurring at a different level of your network. This could be a few things: router CPU, NAT table overload/flow, IP conflict issue, etc.; there could be more.
Really, the only way I have seen issues such as this resolved is with packet captures. However, interpreting packet captures can be complex if this is not something you have done before, but they can provide detailed, low-level information about what is happening on your network. If you're not comfortable analyzing it yourself, you could ask your IT department to help you diagnose the issue from the capture.
Hope this helps.
09-13-2024 07:03 AM
Thanks for the reply. The thing is that the home network (where the doorbell is and where the HomeKit controller is, i.e., some AppleTV or HomePod) should have nothing to do with the current network I'm in (not at home) while I'm connected via VPN to the Enterprise network of my company. It seems very odd that something happening at home can affect a totally unrelated VPN connection. It's probably triggered by some iCloud/Apple stuff like the infamous awdl0 interface, but I don't know.
Having said that, I may want to dive deeper and run Wireshark (yes, I have the knowledge to capture and analyze things there). However, before asking someone to ring the doorbell while I am somewhere else and connected to the company VPN, I thought it may be good to understand whether this is a known issue.
09-13-2024 07:21 AM
Thanks for the added info. To clarify...
Indeed an unusual scenario for your VPN's behavior, and it would suggest that there might be some unexpected interaction between your device's consumer features (like HomeKit) and its enterprise connectivity?
09-13-2024 07:47 AM
Yes, exactly as you said. Though the network I'm on also belongs to the company, it happens afair also at other places. It seems to me like something triggered by the Apple HomeKit notifications (should be delivered via some form of iCloud notifications) manages to control the VPN. The full-tunnel I'm on (with some exceptions) seems also to be in the way of Apple's mechanisms to e.g. send a live video stream or simply notifications.
09-13-2024 08:14 AM
This is a really interesting intersection between consumer IoT ecosystems and enterprise networking solutions. I did a bit of Google magic here and read that Apple uses APNS to deliver notifications across devices, including HomeKit alerts. These notifications can traverse networks and potentially interact with your device even when you're on a different network or behind a VPN. On the part you also mentioned about the full VPN, it could be possible that the APNS traffic is not part of these exceptions, leading to conflicts (pure guess). Again more Google fu: even iCloud Private Relay could be adding another layer of complexity to how traffic is routed, potentially conflicting with your VPN.
Next steps are detailed VPN logs around the time of a doorbell event, looking for any messages about route changes, tunnel reassessments, or policy applications...
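Added example, not part of any post in this thread: a small Python script that measures each Reconnecting/Connected gap in the client message log quoted in the first post and reports which gaps start close to a known doorbell time. The function names, the 30-second window and the event time `13:50:05` are assumptions made for illustration.

```python
from datetime import datetime

# Constructed sample: the message-log lines quoted in the first post.
SAMPLE_LOG = """\
13:50:08 Reconnecting to Standard...
13:50:46 Establishing VPN - Examining system...
13:50:46 Establishing VPN - Activating VPN adapter...
13:50:46 Establishing VPN - Configuring system...
13:50:48 Establishing VPN...
13:50:48 Connected to Standard.
13:50:48 Reconnecting to Standard...
13:50:48 Connected to Standard.
13:50:49 Reconnecting to Standard...
13:50:51 Connected to Standard.
"""

def parse(log):
    """Yield (time, message) for each 'HH:MM:SS message' line; skip the rest."""
    for line in log.splitlines():
        stamp, _, msg = line.strip().partition(" ")
        try:
            t = datetime.strptime(stamp, "%H:%M:%S")
        except ValueError:
            continue  # not a timestamped log line
        yield t, msg

def outages(log):
    """Return (start, end, seconds) for each Reconnecting -> Connected pair."""
    result, start = [], None
    for t, msg in parse(log):
        if msg.startswith("Reconnecting to") and start is None:
            start = t
        elif msg.startswith("Connected to") and start is not None:
            result.append((start, t, int((t - start).total_seconds())))
            start = None
    return result

def near_event(log, event_hms, window_s=30):
    """Outages that begin within window_s seconds of a known event time."""
    ev = datetime.strptime(event_hms, "%H:%M:%S")
    return [o for o in outages(log)
            if abs((o[0] - ev).total_seconds()) <= window_s]

if __name__ == "__main__":
    for s, e, secs in outages(SAMPLE_LOG):
        print(f"{s:%H:%M:%S} -> {e:%H:%M:%S}  down {secs}s")
    # 13:50:05 is a constructed doorbell time, not a value from the thread.
    print(len(near_event(SAMPLE_LOG, "13:50:05")), "outage(s) near event")
```

The log carries no date, so the script assumes all lines fall on the same day; the doorbell time would come from the HomeKit notification history on the device.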