Is my MX blocking iOS messages with media?

Solved
bayleafmedia
Here to help

I am beginning to look into an issue that has developed here where no one on any Wi-Fi network with an iOS device can send messages with media attached. Regular messages using Apple Messages work fine, but when anyone sends a video or image, the image or video does not send and the user receives an error that the message cannot be sent.

 

We are in a mixed network environment and will be troubleshooting our switching and Wi-Fi equipment, but my first belief is that this is sitting in my MX.

 

I don't believe this is a Systems Manager issue. The vast majority of these devices have no profile installed. The ones that do have a profile are allowed to use this program.

 

Would any of you have any thoughts on where I should look as I begin this search?

 

Thanks

 

jdsilva
Kind of a big deal

You could try disabling AMP as a quick test and see if it works. AMP's been known to block things it shouldn't from time to time. Also, what version are you on? If you're not on 14.x then I would suggest you get there as it has a lot of AMP related fixes. 

 

Failing all that, you can bust out the packet sniffer and see if you can see traffic egressing your MX. 

PhilipDAth
Kind of a big deal

The traffic is all encrypted between the mobile and Apple. Consequently the MX can not know if it is an ordinary iMessage or some media.

 

The MX can not treat these two types of traffic differently.

bayleafmedia
Here to help

Thanks guys, I appreciate the help. I've narrowed it down to VLANs specifically controlled in all ways by the MX. VLANs that have DHCP and DNS handled by a server are unaffected. I am going to investigate policies and break out the packet sniffer and update this thread.

 

Thanks

bayleafmedia
Here to help

I've done several packet captures now.

 

With media attached: Apple Messages on these networks is showing "Spurious retransmission", "TCP Previous segment not captured", "TCP ACKed unseen segment" and "TCP Dup ACK" errors when sending media over these networks.

 

Without media attached: Apple Messages on these networks is not showing "Spurious retransmission" or "TCP Dup ACK" errors.

 

I don't know if that is helpful at all. I must admit I am not the best with Wireshark.

 

 

[Screenshots of two packet captures' graphical representation of events, one with media and the other without.]

 

 

I have moved a teacher off their network (Meraki controlled) to our staff network (server controlled) and they are able to send and receive media. I put them back on Teacher and they are not. If I whitelist any of these phones in the MX, media is then able to be sent and received over Messages. So it's definitely a configuration setting blocking only media in Apple Messages on these networks. So, now I'm not thinking it is a server/Meraki differentiation, but a network/network differentiation.

 

I have disabled AMP, and I have also disabled all traffic shaping rules. I am beginning to be at a loss here. I am heading out for the day, and will reapproach this tomorrow afternoon and attempt to go through every setting I can think of on one of these networks.

 

Any other pointers would be appreciated.

 

Thanks again
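As an added example (not part of the original post or any Meraki tooling), a reduced model of the Wireshark TCP expert checks quoted above, run over two constructed TCP streams so the meaning of each flag is visible. The "phone"/"server" names, segment numbers and the lost-segment scenario are made up, not taken from a real capture, and the rules are a simplification of Wireshark's TCP analysis.

```python
# Added example, not from the original post: a reduced model of the Wireshark
# TCP expert checks quoted above, run over constructed (not captured) segments
# using relative seq/ack numbers for one TCP stream.
from dataclasses import dataclass

@dataclass
class Seg:
    src: str     # sender: "phone" or "server"
    seq: int     # relative sequence number of the first payload byte
    ack: int     # relative acknowledgement number
    length: int  # payload bytes; 0 is a pure ACK

@dataclass
class Side:
    next_seq: int       # next seq the capture expects from this sender
    last_ack: int = -1  # ack number in this sender's previous segment
    high_ack: int = 0   # highest ack number this sender has sent

def analyse(segments):
    """Return (segment index, expert flag) pairs in capture order."""
    sides, flags = {}, []
    for i, s in enumerate(segments):
        me = sides.setdefault(s.src, Side(next_seq=s.seq))
        peer = next((v for k, v in sides.items() if k != s.src), None)
        if s.length == 0:
            if s.ack == me.last_ack:  # same ack repeated, no new data
                flags.append((i, "TCP Dup ACK"))
        elif peer is not None and s.seq + s.length <= peer.high_ack:
            flags.append((i, "TCP Spurious Retransmission"))  # bytes already acked
        elif s.seq > me.next_seq:
            flags.append((i, "TCP Previous segment not captured"))  # gap in capture
        elif s.seq < me.next_seq:
            flags.append((i, "TCP Retransmission"))
        if peer is not None and s.ack > peer.next_seq:
            flags.append((i, "TCP ACKed unseen segment"))  # acks bytes never seen
        me.next_seq = max(me.next_seq, s.seq + s.length)
        me.last_ack, me.high_ack = s.ack, max(me.high_ack, s.ack)
    return flags

# Constructed "with media" stream: one uplink segment of a large upload is lost.
WITH_MEDIA = [Seg("phone", 1, 1, 1400), Seg("server", 1, 1401, 0),
              Seg("phone", 2801, 1, 1400), Seg("server", 1, 1401, 0),
              Seg("phone", 1, 1, 1400), Seg("server", 1, 5601, 0)]
# Constructed "without media" stream: two small text segments, acked cleanly.
WITHOUT_MEDIA = [Seg("phone", 1, 1, 200), Seg("server", 1, 201, 0),
                 Seg("phone", 201, 1, 200), Seg("server", 1, 401, 0)]

if __name__ == "__main__":
    for name, cap in (("with media", WITH_MEDIA), ("without media", WITHOUT_MEDIA)):
        print(name, analyse(cap) or "no expert-info flags")
```

The flags only describe what the capture point saw (missing or repeated bytes), not why; in the thread the cause turned out to be a policy rule, which the capture alone could not show.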

 

PhilipDAth
Kind of a big deal

Are you running 14.x or better on your MX?

bayleafmedia
Here to help

That would have been a good question to answer: 14.38

bayleafmedia
Here to help

The issue here is a layer 7 firewall setting on my teacher group policy. It blocks all online backup (specifically iCloud online backup). Removing the iCloud online backup block allows media sending over Apple Messages.

 

For anyone else who has this issue, this seemed to solve it for me.

 

Thanks for the help everyone.

 

 

RumorConsumer
Head in the Cloud

Is this still what you believe fixed it?

Networking geek since high school where I got half of a CCNA. Played Marathon II and Infinity over localtalk.
Made many a network over the years, now de facto admin of a retreat center with some of this fine Meraki hardware.
Fortune 100 Tech veteran/refugee.
bayleafmedia
Here to help

I do believe it is what fixed it. This was a long time issue for us. We did not have functioning media sending on iPhones using iMessage for at least a month, and at the time of writing my solution above I was able to re-enable the iCloud backup block and cause all iMessage transactions with media to fail. Disabling the function allowed media messages to pass through. I flipped the switch several times to check and double check with the same results each time. However, that being said... Now that I am on v14.40 I cannot get media messages to fail at all. Sorry I can't be of more help.
bayleafmedia
Here to help

Hi Rumor, I do. At the time of posting my solution I was able to toggle the iCloud backup block several times and either produce the issue or allow sending on my end. However... now that I am on v14.40 I am unable to get iMessages with media to fail at all. Sorry that isn't much help.
RumorConsumer
Head in the Cloud

Thanks. So if I understand correctly, v14.40 allows you to turn on iCloud backup blocking while being able to properly send iMessages with or without attachments. Is that correct? In other words, iCloud backup blocking is safe for iMessage?

bayleafmedia
Here to help

It worked for me this morning. I tried it twice.
RumorConsumer
Head in the Cloud

I just enabled iCloud backup blocking on my wireless firewall pane under layer 7 rules and it killed iMessage attachments instantly. Anybody know a workaround?

bayleafmedia
Here to help

Yes, I can confirm this is still an issue for me.

 

Earlier today I applied the block to a group policy my phone didn't belong to :). As of v14.40 I still suffer from this issue... if I invoke it.

 

I am going to throttle this and try again later.

bayleafmedia
Here to help

Throttling seems to work as a workaround to allow you to send messages with media while also limiting the amount of online backup that occurs.

 

You should be able to set up a traffic shaping rule for individual groups in group policy settings (Network Wide -> Group Policies -> [desired policy] -> Traffic Shaping)

or do it globally (Security & SD-WAN -> SD-WAN & Traffic Shaping).

 

This doesn't block iCloud backup but it does reduce the bandwidth used. I have not tested media message sending for large numbers of people while also attempting iCloud backup. That is something you will need to do, but I do hope that if you do it you will post an update here and let us know how it goes.

ABaker
Here to help

This issue hit me too. There are firewall settings under the wireless tab separate from the rest of the firewall settings, which is annoying. The folks with an iPhone were having trouble sending messages with attachments because the wireless firewall rule for blocking online backup was enabled. That rule stops iPhones from connecting to iCloud.
