I am beginning to look into an issue that has developed over here where no one on any wifi network with an iOS device can send messages with media associated to them. Regular messages using Apple Messages work fine, but when anyone sends a video or image the associated image or video does not send and the user receives an error that the message cannot send.
We are in a mixed network environment and will be troubleshooting our switching and wifi equipment, but my first belief is that this is sitting in my MX.
I don't believe this is a Systems Manager issue. The vast majority of these devices have no profile installed. The ones that do have a profile are allowed to use this program.
Would any of you have any thoughts on where I should look as I begin this search?
thanks
You could try disabling AMP as a quick test and see if it works. AMP's been known to block things it shouldn't from time to time. Also, what version are you on? If you're not on 14.x then I would suggest you get there as it has a lot of AMP related fixes.
Failing all that, you can bust out the packet sniffer and see if you can see traffic egressing your MX.
The traffic is all encrypted between the mobile and Apple. Consequently the MX cannot know if it is an ordinary iMessage or some media.
The MX cannot treat these two types of traffic differently.
Thanks guys, I appreciate the help. I've narrowed it down to VLANs specifically controlled in all ways by the MX. VLANs that have DHCP and DNS handled by a server are unaffected. I am going to investigate policies and break out the packet sniffer and update this thread.
thanks
I've done several packet captures now.
With media attached: Apple Messages on these networks is having "Spurious retransmission", "TCP Previous segment not captured", "TCP ACKed unseen segment" and "TCP Dup ACK" errors when sending media over these networks.
Without media attached: Apple Messages on these networks is not having "Spurious retransmission" or "TCP Dup ACK" errors.
I don't know if that is helpful at all. I must admit I am not the best with Wireshark.
"Screenshots of two packet captures' graphical representation of events, one with media and the other without."
I have moved a teacher off their network (Meraki controlled) to our staff network (server controlled) and they are able to send and receive media. I put them back on Teacher and they are not. If I whitelist any of these phones in the MX, media is then able to be sent and received over Messages. So it's definitely a configuration setting blocking only media in Apple Messages on these networks. So, now I'm not thinking it is a server/Meraki differentiation, but a network/network differentiation.
I have disabled AMP, I have also disabled all traffic shaping rules. I am beginning to come to a loss here. I am heading out for the day, and will reapproach this tomorrow afternoon and attempt to go through every setting I can think of on one of these networks.
Any other pointers would be appreciated.
thanks again
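One way to turn the Wireshark labels from the captures described above into a per-destination answer, as an added example that is not part of the original thread: group outbound segments by remote endpoint and report flows where the phone keeps retransmitting data the server never acknowledges. The packet tuples and flow labels are constructed placeholders, and relative sequence numbers (as Wireshark displays them) are assumed.

```python
from collections import defaultdict

# Constructed sample: (flow, direction, seq, payload_len, ack).
# Flow labels are placeholders; in a real capture use remote IP:port or TLS SNI.
PACKETS = [
    ("push.example:5223",  "out", 1000,  200,  500),
    ("push.example:5223",  "in",   500,    0, 1200),  # server ACKs the text message
    ("upload.example:443", "out",    1,  517,    1),  # handshake data
    ("upload.example:443", "in",     1, 1400,  518),
    ("upload.example:443", "out",  518, 1400, 1401),  # first media chunk
    ("upload.example:443", "out",  518, 1400, 1401),  # same bytes again
    ("upload.example:443", "in",  1401,    0,  518),  # ACK number not advancing
    ("upload.example:443", "in",  1401,    0,  518),
    ("upload.example:443", "out",  518, 1400, 1401),  # same bytes a third time
]

def summarize(packets):
    """Per-flow counters: highest byte sent, highest byte ACKed, retransmits, dup ACKs."""
    stats = defaultdict(lambda: {"sent_end": 0, "acked": None, "retrans": 0, "dup_acks": 0})
    for flow, direction, seq, length, ack in packets:
        s = stats[flow]
        if direction == "out" and length > 0:
            end = seq + length
            if end <= s["sent_end"]:          # bytes already sent once: retransmission
                s["retrans"] += 1
            s["sent_end"] = max(s["sent_end"], end)
        elif direction == "in":
            if length == 0 and ack == s["acked"]:   # pure ACK repeating the last ACK number
                s["dup_acks"] += 1
            s["acked"] = ack if s["acked"] is None else max(s["acked"], ack)
    return dict(stats)

def stalled_flows(packets, min_retrans=2):
    """Flows with repeated retransmits and unacknowledged data: (flow, unacked_bytes)."""
    out = []
    for flow, s in summarize(packets).items():
        unacked = s["sent_end"] - (s["acked"] or 0)
        if s["retrans"] >= min_retrans and unacked > 0:
            out.append((flow, unacked))
    return sorted(out)

if __name__ == "__main__":
    for flow, unacked in stalled_flows(PACKETS):
        print(f"{flow}: {unacked} bytes never acknowledged")
```

The endpoint this reports is the one to compare against the firewall and group-policy rules applied to the affected VLAN.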
Are you running 14.x or better on your MX?
That would have been a good question to answer: 14.38
The issue here is a layer 7 firewall setting on my teacher group policy. It blocks all online backup (specifically iCloud online backup). Removing the iCloud online backup block allows media sending over Apple Messages.
For anyone else who has this issue, this seemed to solve it for me.
Thanks for the help everyone.
Is this still what you believe fixed it?
Thanks. So if I understand correctly, v14.40 allows you to turn on iCloud backup blocking while being able to properly send iMessages with or without attachments. Is that correct? In other words, iCloud backup is safe for iMessage?
I just enabled iCloud backup blocking on my wireless firewall pane under layer 7 rules and it killed iMessage attachments instantly. Anybody know a workaround?
Yes, I can confirm this is still an issue for me.
Earlier today I applied the block to a group policy my phone didn't belong to :). As of v14.40 I still suffer from this issue... if I invoke it.
I am going to throttle this and try again later.
Throttling seems to work as a workaround to allow you to send messages with media while also limiting the amount of online backup that occurs.
You should be able to set up a traffic shaping rule for individual groups in group policy settings (Network Wide -> Group Policies -> [desired policy] -> Traffic Shaping)
or do it globally (Security & SD-WAN -> SD-WAN & Traffic Shaping).
This doesn't block iCloud backup but it does reduce the bandwidth used. I have not tested media message sending for large numbers of people while also attempting iCloud backup. That is something you will need to do, but I do hope that if you do it you will post an update here and let us know how it goes.
This issue hit me too. There are firewall settings under the wireless tab separate from the rest of the firewall settings, which is annoying. The folks with an iPhone were having trouble sending messages with attachments because the wireless firewall rule for blocking online backup was enabled. That rule stops iPhones from connecting to iCloud.