3 Replies Latest reply on Oct 27, 2011 11:12 AM by PhilM

    Large OSX updates failing

      Has anyone had a problem with large Apple iOS updates failing? A customer has a couple of new MacBooks and only the large updates are failing, i.e. a new iTunes and iPad update. A Windows machine on the same network hasn't had a problem doing the same update in the past.

       

      The rule permits the clients to use a group of proxy services (80, 443, others, but not any specific Apple protocols like Bonjour) to the external burbs.

       

      Can anyone pass on some troubleshooting ideas to assist in troubleshooting packet flow through the firewall? 

       

      I understand the tcpdump and viewing the audit log.

       

      I'm wondering about a tool like packet tracer for the ASA that can allow you to see each step a packet takes through the firewall, the rules it hits, the inspections, the modification and routing that happens to the packet.

        • 1. Re: Large OSX updates failing
          PhilM

          Robert,

           

          Can you confirm which version of the Firewall you are running?

           

          Does the download process fail immediately or after a period of time? If it's the latter, is it roughly the same each time it fails?

           

          Unfortunately I don't have any Apple products on my own network to perform any comparative testing. However, I regularly download DVD-sized ISOs (I'm assuming that iOS isn't quite that large) without any problem.

           

          My guess is that the update process may be using ports 80 or 443, but isn't adhering to the protocol RFC which is causing the Firewall to deny the connection and for the download to fail. If this is the case I would expect to see "Protocol Violation" audit records appearing when one of these devices tries to perform an update.

           

          Phil.

          • 2. Re: Large OSX updates failing

            Phil,

             

            Thanks for the response. The version is 7 (I meant to put that in the initial post). It fails after a long period of time, typically at the same point every time for each of the downloads. I start getting a lot of dup ACKs from the firewall, but this link is not congested. Yeah, this is like 100 MB, not a 4 GB ISO. It's using port 80.

             

            My next step is to drop the application defense to none and check it. To your point of the RFC violation, I would think the protocol violation would still be triggered with no application defense and the way around that would be a packet filter? That would be an interesting decision for someone.

            • 3. Re: Large OSX updates failing
              PhilM

              No - if you've moved the slider bar in the rule down to the bottom, it should be acting as a packet filter. Therefore the only RFC checks I would imagine it will try to perform are to ensure that it is at least sized and shaped like a TCP packet. Having re-read your response, I get the feeling that it's currently in the middle. As I understand it, this disables the layer-7 side of things, but it will still use a transparent proxy service to handle the connection.

               

              You've said version 7, but not the patch level. You may need to raise a ticket with McAfee support to get to the bottom of this. They may recommend that you install a hotfix, and they'll be able to tell you which one.