
WSA Ironport and iMessage or courier.push.apple.com

pjasa
Level 1

Hi there. We upgraded to WSA Ironport v8.5.1 about a month ago when reportedly some iMessage clients stopped working. iMessage is Apple's text/IM application all rolled into one (I'm not an iMessage user so forgive my basic description). The app is impacted only on iMacs and Apple laptops, not on iPhones or iPads (presumably because those go through the cell network as opposed to iMacs and laptops which use the LAN/WAN). The symptom is that the clients cannot send/receive messages after the WSA AsyncOS upgrade to 8.5.1 though we did not change any settings.

After some troubleshooting with two iMessage users,  we see this strange log over and over:

  • May 20 15:52:52 ProxySyslog: Info: 1432137172.189 1 192.168.100.73 NONE/503 0 TCP_CONNECT 17.110.227.9:443 - NONE/courier.push.apple.com - OTHER-NONE-NONE-NONE-NONE-NONE-DefaultGroup <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> - - - - - - 0
  • May 20 15:52:52 ProxySyslog: Info: 1432137172.226 129 192.168.56.198 NONE/503 0 TCP_CONNECT 17.172.238.38:443 - NONE/courier.push.apple.com - OTHER-NONE-NONE-NONE-NONE-NONE-DefaultGroup <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> - - - - - - 0
  • May 20 15:52:52 ProxySyslog: Info: 1432137172.254 6 192.168.56.164 NONE/503 0 TCP_CONNECT 17.143.161.222:443 - NONE/courier.push.apple.com - OTHER-NONE-NONE-NONE-NONE-NONE-DefaultGroup <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> - - - - - - 0

which we know to represent the HTTP error code 503 for "Service Unavailable"; however, we've seen these errors in the past with cipher issues and other issues related to SSL. Strangely enough the "courier.push.apple.com" URL does not resolve to any IP so it is not a valid DNS name (not sure how it is resolving at all - but see dig to 8.8.8.8 pasted below in case this is doubted) and the Apple IP addresses in the 17.0.0.0/8 block do not have PTR records. My question is whether anyone has had similar issues on WSA with iMessage, and if so what did you do to resolve these? Thanks.

[user@Linux ~]$ dig @8.8.8.8 courier.push.apple.com

; <<>> DiG 9.3.4-P1 <<>> @8.8.8.8 courier.push.apple.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7522
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;courier.push.apple.com.                IN      A

;; ANSWER SECTION:
courier.push.apple.com. 235     IN      CNAME   courier-push-apple.com.akadns.net.

;; AUTHORITY SECTION:
akadns.net.             179     IN      SOA     internal.akadns.net. hostmaster.akamai.com. 1432137946 90000 90000 90000 180

;; Query time: 227 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed May 20 09:05:46 2015
;; MSG SIZE  rcvd: 150


[user@Linux ~]$ dig @8.8.8.8 courier-push-apple.com.akadns.net

; <<>> DiG 9.3.4-P1 <<>> @8.8.8.8 courier-push-apple.com.akadns.net
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38762
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;courier-push-apple.com.akadns.net. IN  A

;; AUTHORITY SECTION:
akadns.net.             179     IN      SOA     internal.akadns.net. hostmaster.akamai.com. 1432137978 90000 90000 90000 180

;; Query time: 39 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed May 20 09:06:18 2015
;; MSG SIZE  rcvd: 117
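A way to summarise the failed tunnels in access-log lines like the ones quoted above, so the affected clients and destination IPs can be listed per host name. This is an added example, not part of the original post or Cisco code; the field names in the regex are labels chosen here, the verdict block of the quoted lines is shortened to `<->`, and the last sample line is constructed.

```python
import re
from collections import defaultdict

# Fields before the "<...>" scanning-verdict block, in the order they appear
# in the log lines quoted in the thread (field names are this example's labels).
LINE_RE = re.compile(
    r"(?P<epoch>\d{10}\.\d{3}) (?P<elapsed_ms>\d+) (?P<client>\S+) "
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3}) (?P<bytes>\d+) (?P<method>\S+) "
    r"(?P<url>\S+) (?P<user>\S+) (?P<hierarchy>[A-Z_]+)/(?P<peer>\S+) "
    r"(?P<mime>\S+) (?P<acl_tag>\S+)"
)

# First three lines: from the thread, verdict block shortened to "<->".
# Last line: constructed (a tunnel that succeeded) for contrast.
SAMPLE = """\
May 20 15:52:52 ProxySyslog: Info: 1432137172.189 1 192.168.100.73 NONE/503 0 TCP_CONNECT 17.110.227.9:443 - NONE/courier.push.apple.com - OTHER-NONE-NONE-NONE-NONE-NONE-DefaultGroup <-> -
May 20 15:52:52 ProxySyslog: Info: 1432137172.226 129 192.168.56.198 NONE/503 0 TCP_CONNECT 17.172.238.38:443 - NONE/courier.push.apple.com - OTHER-NONE-NONE-NONE-NONE-NONE-DefaultGroup <-> -
May 20 15:52:52 ProxySyslog: Info: 1432137172.254 6 192.168.56.164 NONE/503 0 TCP_CONNECT 17.143.161.222:443 - NONE/courier.push.apple.com - OTHER-NONE-NONE-NONE-NONE-NONE-DefaultGroup <-> -
May 20 15:52:53 ProxySyslog: Info: 1432137173.010 85 192.0.2.10 TCP_MISS/200 4312 TCP_CONNECT 198.51.100.7:443 - DIRECT/www.example.com - DEFAULT_CASE_12-DefaultGroup-NONE-NONE-NONE-NONE-DefaultGroup <-> -
"""

def parse_line(line):
    """Return the access-log fields as a dict, or None if the line does not match."""
    m = LINE_RE.search(line)  # search() skips the syslog prefix
    return m.groupdict() if m else None

def failed_tunnels(lines):
    """Group TCP_CONNECT requests answered with 503 by the host name logged."""
    out = defaultdict(lambda: {"count": 0, "clients": set(), "dest_ips": set()})
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "TCP_CONNECT" or rec["status"] != "503":
            continue
        entry = out[rec["peer"]]
        entry["count"] += 1
        entry["clients"].add(rec["client"])
        entry["dest_ips"].add(rec["url"].rsplit(":", 1)[0])  # strip ":443"
    return dict(out)

if __name__ == "__main__":
    for host, e in failed_tunnels(SAMPLE.splitlines()).items():
        print(host, e["count"], sorted(e["clients"]), sorted(e["dest_ips"]))
```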

 


pjasa
Level 1

This has been linked to the following bug:  CSCuj04486

No ETA as of yet, the workaround implemented was the following:

IMESSAGES WORKAROUND TO GET SMS TEXT TO WORK (Excludes MMS)

  1. Add these to a custom category  so they’re not filtered AT ALL:
    1. 17.0.0.0/8, .push.apple.com, push.apple.com, .akamaiedge.net, .apple.com, apple.com
  2. Modify a static DNS entry on the WSA:
    1. dnsconfig > localhosts > add the courier.push.apple.com entry
      1. NOTE:   “localhosts” is a HIDDEN COMMAND UNDER dnsconfig!!! Type it after entering the dnsconfig menu.

Choose the operation you want to perform:

NEW - Add new local IP to host mapping.

DELETE - Delete an existing mapping.

[]> new

Enter the IP address of the host you are adding.

[]> 17.172.233.123

Enter the canonical host name and any additional aliases (separate values with spaces)

[]> courier.push.apple.com

tahscolony
Level 1

I have had similar issues, not with iMessage, but with an application that uses HTTPS. The first IP would pass through; the rest of them would get similar messages to yours with OTHER-NONE. I had TAC look into it and try different things, including bypassing authentication for the client IP, to no avail. I finally said screw it and added the 5 IPs the client uses to the bypass list. Problem solved.