"Facetime unavailable" message appears trying to make call via WSS
Article ID: 207182
Updated On:
Products
Issue/Introduction
IPSEC tunnel into WSS
Guest users in environment connect to a WiFI access point, and traffic is then tunneled into WSS via IPSEC tunnels
All Web traffic works fine but Facetime and iMessage appears to fail
iMessages are never delivered to the recipient
Facetime calls start but receiver never sees call
"Facetime unavailable" message eventually appears on transmitter side
Cause
Apple uses both TCP 443 (control path) and TCP 5223 (data path) when using either of these two applications
TCP 5223 expects a successful mutual x509 authentication by both parties
When going through WSS, this x509 authentication does not complete successfully
Resolution
1. Need to make sure the following CPL is applied for the tenant
<proxy>
condition=Non_standard_ports detect_protocol(none)
define condition Non_standard_ports
proxy.port=5223
end
2. Need to make sure that the HTTP Port and protocol restrictions do not only apply to Web protocols.
Additional Information
PCAPs on the requests will show that the server cert returned to the IOS device is the WSS certificate and not Apples
PCAPs will also show that the SSL mutual x509 handshake failed to complete successfully
Attachments
Feedback
