Old 09-04-2013, 04:21 PM   #1
Gerhard
Registered User
 
Join Date: Sep 2002
Posts: 230
Tivo and SonicWall Firmware 5.9.x IPS Download Issue Solution

So,

I just spent several hours on the phone with SonicWall, as my Firewall / IPS was not allowing the download of the Tivo program updates.

I had recently updated to firmware 5.9.x on the SonicWall, and the IPS (Intrusion Prevention System) was blocking the Tivo programming update as a LOW LEVEL MALWARE ATTACK!

So, either the new firmware or the latest signatures for the latest firmware (5.9 at this posting), was causing the issue.

Unfortunately, you only have two options with a SonicWall:

1) Allow the Tivos to by-pass the IPS system completely. (Do you trust Tivo?)

2) Turn off the Low Priority Attacks setting on the SonicWall IPS.

Unlike a Palo Alto or Tipping Point, it appears that a common SonicWall (e.g. small business one) can not be set to allow a specific tripped rule to be turned off for a specific network object.

[At least that's what they told me... which doesn't make sense...]
Attached Images
File Type: jpg SonicWall5_9_IPS_Tivo.jpg (9.5 KB, 34 views)
__________________
3 x Tivo Premier Units
1 x TivoHD unit

Ever seen the movie Office Space? These Tivos are in the Xerox II graveyard:

2 x Tivo (original)
2 x Tivo2
1 x Tivo3 750GB
1 x TiVo HD 1.2TB
Old 09-04-2013, 09:16 PM   #2
Gerhard
Registered User
 
Join Date: Sep 2002
Posts: 230
I take it all back. It appears that you cannot have the IPS turned on for the LAN segment.

There is something that the TiVo is doing that is being considered some sort of attack or malware and it is being blocked by the IPS and version 5.9 of the SonicWallOS software.

Oddly, even if you exclude the TiVos from the IPS by designating them with static IP addresses and placing them in the IPS exclusion list, they will still fail to get their programming updates.

Of course, the WAN segment of the SonicWall is turned on for IPS and all the other goodies the SonicWall does, but it seems kind of strange that you can't turn the IPS on the LAN segment.

I guess it's time to do a full packet capture of what the TiVos are sending out on the web and receiving from the web in order to determine exactly what malware signature or virus signature or whatever is causing them to have IP packets dropped.
Old 09-04-2013, 09:22 PM   #3
kdmorse
Registered User
 
Join Date: Jan 2001
Location: Germantown, MD
Posts: 4,256
I wonder if it's a remanifestation of this old (2005) problem report:

Quote:
Just wanted to let folks know that there is a problem with connecting to the Tivo service if you use the latest firmware for the Sonicwall TZ170. Basically, everything was fine using version 2.5.0.2e of TZ 170 SonicOS Enhanced. When I "upgraded" the firmware to the latest version, 2.5.0.6e, my Tivo's could no longer connect to the Tivo server even though the access rules on the firewall were exactly the same. This problem manifests with the infamous "Failed while negotiating" message.
Of course it could also be completely unrelated.
__________________
"I disapprove of what you say, but I will defend to the death your right to say it"
"Stop slouching! It's two O'clock in the afternoon, PUT PANTS ON!"
"Statistically speaking, there are two Popes per square kilometer in Vatican City..."
Old 09-04-2013, 09:44 PM   #4
Gerhard
Registered User
 
Join Date: Sep 2002
Posts: 230
Ahhhhh.... Another Deutschstadter!


Howdy neighbor! I'm going to call and ask for an American tomorrow... Someone that can handle giving a systems engineer the low down on how the SonicWall should be properly set up.

The IPS has almost no information except for how to buy a license in the manual!

...and the guy didn't want to believe it could possibly be the SonicWall.

Let alone the fact that the only actual PC I have is so locked down that he could not get their remote access (webex) to work...

"Please use chrome instead of IE"

"You understand that I don't have Java installed, nor Chrome, or Flash, etc... Right? And I'm not going to be installing them... So why don't you tell me what to do, and I'll take some screen shots, and send you a limited packet capture. Then I want it analyzed, and I want you to tell me exactly which IPS rule is being triggered, and how we allow an exception for only the TiVos..."

Crickets, and whining...
Old 09-17-2013, 12:44 AM   #5
mystikal1
Registered User
 
Join Date: Sep 2013
Location: San Antonio, TX
Posts: 1
Have you heard anything on this? I am having the exact same problem. Was pulling my hair out thinking it was me until I saw this post.
Old 09-19-2013, 10:09 PM   #6
LTrain425
Registered User
 
Join Date: Sep 2013
Posts: 1
Thank you for posting this, I had the exact problem on a NSA 240 that I just upgraded to 5.9. I downgraded to 5.8 and it's working again.

Downgrading required a factory reset of the SonicWall, something in 5.9 saved config did not allow 5.8 to boot. Not too bad since I don't have much in the way of configuration in my SonicWall, but if you have a complex config with forwards be warned that a downgrade may require a full wipe and rebuild.
Old 09-24-2013, 08:33 AM   #7
Gerhard
Registered User
 
Join Date: Sep 2002
Posts: 230
Folks,

My current case number is 02645462 and I suggest you call Sonicwall / Dell and open one as well.

The issue at hand is that their technical support wants to use workarounds, as opposed to fixing the problem.

They have clearly fixed it previously, and the workaround basically means that you need to isolate the TiVos and lose all of the tablet remote functionality, etc.

(The work around is to put the TiVos on a separate network, then give them new DHCP IP addresses, and disable all IPS related functionality on that network. Obviously, it's unwise to open traffic between LAN1 and LAN2 (LAN2 being the TiVo network), as the entire reason for having an IPS on your primary LAN is to prevent network intrusion, etc.)
Old 09-24-2013, 11:36 PM   #8
ewjreplay
Registered User
 
Join Date: Oct 2008
Posts: 8
I use a Sonicwall TZ215 and have the same issue. At first I thought it was TiVo, then I thought it was me (not setting up the Sonicwall right) and now from testing I know it is the Sonicwall.

The downloads work when my Linksys is used. It did not work when I had my Sonicwall wide open all ports/no filters LAN/WAN etc.

I also noticed an 18% drop in throughput and internet speed with the new firmware.

I have reported both to Sonicwall; my first report since 2009 on Monday morning via email. Considering I have this (and others) with TotalSecure I assumed they would get back to me within 24 hours. If I do not hear from them by noon Wednesday I will call them.

Either way I will let you know what I hear back.



Quote:
Originally Posted by Gerhard View Post
So,

I just spent several hours on the phone with SonicWall, as my Firewall / IPS was not allowing the download of the Tivo program updates.

I had recently updated to firmware 5.9.x on the SonicWall, and the IPS (Intrusion Prevention System) was blocking the Tivo programming update as a LOW LEVEL MALWARE ATTACK!

So, either the new firmware or the latest signatures for the latest firmware (5.9 at this posting), was causing the issue.

Unfortunately, you only have two options with a SonicWall:

1) Allow the Tivos to by-pass the IPS system completely. (Do you trust Tivo?)

2) Turn off the Low Priority Attacks setting on the SonicWall IPS.

Unlike a Palo Alto or Tipping Point, it appears that a common SonicWall (e.g. small business one) can not be set to allow a specific tripped rule to be turned off for a specific network object.

[At least that's what they told me... which doesn't make sense...]


Last edited by ewjreplay : 09-24-2013 at 11:52 PM.
Old 09-24-2013, 11:48 PM   #9
ewjreplay
Registered User
 
Join Date: Oct 2008
Posts: 8
I did that and still had connection problems plus I want my TiVo on a network with my xbox and home wireless for guest. Basically they are asking you to turn part of your router into a 3 year old $80 Linksys router.

Quote:
Originally Posted by Gerhard View Post
Folks

My current case number is 02645462 and I suggest you call Sonicwall / Dell and open one as well.

The issue at hand is that their technical support wants to use workarounds, as opposed to fixing the problem.

They have clearly fixed it previously, and the workaround basically means that you need to isolate the TiVos and lose all of the tablet remote functionality, etc.

(The work around is to put the TiVos on a separate network, then give them new DHCP IP addresses, and disable all IPS related functionality on that network. Obviously, it's unwise to open traffic between LAN1 and LAN2 (LAN2 being the TiVo network), as the entire reason for having an IPS on your primary LAN is to prevent network intrusion, etc.)

Old 09-25-2013, 11:19 AM   #10
Gerhard
Registered User
 
Join Date: Sep 2002
Posts: 230
I posted a link to this thread and pointed out that I'm not the only person with this issue...

I have been asked for full blown packet dumps (again)... Tell your tech to look at my case, as I've got screen caps in there, and packet caps, and such from the Tivo to the WAN.
Old 10-25-2013, 07:45 AM   #11
Gerhard
Registered User
 
Join Date: Sep 2002
Posts: 230
Folks,

I've got to start by saying that sonicwall has horrible technical support.

Basically, no matter what I say to them, they can't answer my questions.

What I said to them was this (I'm a systems engineer):

1) What rule is being violated by the Tivo's that is causing the issue?

2) How do I add an exception for specific MAC addresses?

3) Why when I perform adding exceptions does it not work?

Right now I'm waiting to see if the new firmware works properly, but the initial solution was to put the Tivo's on their own VLAN and use a separate port on the SonicWall with the IPS/Malware checking disabled.
Old 11-01-2013, 12:11 AM   #12
scb87
Registered User
 
Join Date: Nov 2013
Posts: 1
FYI only, I just spent the past 2 weeks debugging this very issue. Like most of you, once I upgraded my firmware from 5.8 to 5.9, the Tivo Program Guide would no longer download. So, after trying to get Sonicwall to tell me which 'rule' was blocking it, by process of elimination we've determined that it was the Content Filtering System (CFS) that was blocking it. I've since created an exception list of the Tivo's IP and it's back to working. I'm still waiting for them to tell me what the actual problem is tho.
Old 11-08-2013, 05:26 PM   #13
GreggS
Registered User
 
Join Date: Nov 2013
Posts: 1
One solution...

It is possible to exclude the TIVO services from IPS.

1) Under Address Objects create three range objects tied to the WAN zone
208.73.180.0 - 208.73.183.255
204.176.49.0 - 204.176.49.127
206.112.115.0 - 206.112.115.255

2) Under Address Objects create a group object that contains the three range objects created in step 1

3) On the Intrusion Prevention page, click Configure IPS settings. Select the "Enable IPS Exclusion List" checkbox. Select the "Use Address Object" radio button. Select the Group object created in step 2. Click OK.

4) On the Content Filter page scroll down to the CFS Exclusion List section. Check the "Enable CFS Exclusion List" checkbox then select the group object you created in step 2. Click Apply at the top of the page

What you are doing is telling the SonicWall that the IP addresses that belong to TiVo are ok to exclude from CF & IPS processing. Entering the IP addresses (or MAC addresses) of your TiVo boxes won't do it.

I would still like to see this fixed so that IPS and CF can be turned back on for these IP addresses, but at least this leaves your TiVo boxes on the same network as the rest of your equipment.

Last edited by GreggS : 11-09-2013 at 02:55 PM. Reason: Change to improve instructions.
Old 11-12-2013, 09:10 PM   #14
wcs1236
Registered User
 
Join Date: Nov 2013
Posts: 1
This seems to have worked for me

Quote:
Originally Posted by GreggS View Post
It is possible to exclude the TIVO services from IPS.

1) Under Address Objects create three range objects tied to the WAN zone
208.73.180.0 - 208.73.183.255
204.176.49.0 - 204.176.49.127
206.112.115.0 - 206.112.115.255

2) Under Address Objects create a group object that contains the three range objects created in step 1

3) On the Intrusion Prevention page, click Configure IPS settings. Select the "Enable IPS Exclusion List" checkbox. Select the "Use Address Object" radio button. Select the Group object created in step 2. Click OK.

4) On the Content Filter page scroll down to the CFS Exclusion List section. Check the "Enable CFS Exclusion List" checkbox then select the group object you created in step 2. Click Apply at the top of the page

What you are doing is telling the SonicWall that the IP addresses that belong to TiVo are ok to exclude from CF & IPS processing. Entering the IP addresses (or MAC addresses) of your TiVo boxes won't do it.

I would still like to see this fixed so that IPS and CF can be turned back on for these IP addresses, but at least this leaves your TiVo boxes on the same network as the rest of your equipment.
Great job in figuring this out and explaining it!
Old 12-03-2013, 06:37 PM   #15
lcberry
Registered User
 
Join Date: Mar 2003
Posts: 2
Dead on Greg! Worked for me on my TZ200 with 5.9 OS.
Old 12-03-2013, 10:36 PM   #16
techbrute
Registered User
 
Join Date: Dec 2007
Posts: 3
Outstanding info. Now I just have to wait for the TiVo service to be fixed before I can actually test this.
Old 12-04-2013, 08:25 AM   #17
techbrute
Registered User
 
Join Date: Dec 2007
Posts: 3
Ok, the service was up this morning when I woke, so I tried connecting and it worked. Thanks so much for the info!
Old 12-16-2013, 12:14 PM   #18
vmiikhelson
Registered User
 
Join Date: Feb 2006
Posts: 1
Disabling CFS in 5.9.x for TiVo's IP is sufficient

Quote:
Originally Posted by scb87 View Post
FYI only, I just spent the past 2 weeks debugging this very issue. Like most of you, once I upgraded my firmware from 5.8 to 5.9, the Tivo Program Guide would no longer download. So, after trying to get Sonicwall to tell me which 'rule' was blocking it, by process of elimination we've determined that it was the Content Filtering System (CFS) that was blocking it. I've since created an exception list of the Tivo's IP and it's back to working. I'm still waiting for them to tell me what the actual problem is tho.
Hi scb87,

Thank you for the hint. It reminded me of an old SonicWall CFS issue with Stamps.com.

All in all, I have excluded SonicWall from CFS and the update worked immediately. It is much better than excluding it from IPS.

Thank you,
Vladimir
Old 01-15-2014, 05:42 PM   #19
tomatillo
Registered User
 
Join Date: Jun 2003
Posts: 2
Remove Content Filter To Resolve

Network -> Zones -> LAN -> remove Content Filtering if enabled. TiVo downloads will work again.
Old 08-07-2014, 11:43 PM   #20
microtel
Registered User
 
Join Date: Jul 2014
Posts: 2
Quote:
Originally Posted by tomatillo View Post
Network -> Zones -> LAN -> remove Content Filtering if enabled. TiVo downloads will work again.
BTW I have worked on dealing with this issue last year as well before going back to older firmware on the Sonicwall. Now I have had to update the device for other reasons and simply disabling the Content Filtering is not an option - If you have a Sonicwall at home, it is for a reason, Content Filtering is one big part of that reason for many, not to mention all the advanced protections the device offers. I would not recommend anyone do that to get around the issue, it would be better to go back to 5.8
Old 08-07-2014, 11:47 PM   #21
microtel
Registered User
 
Join Date: Jul 2014
Posts: 2
Quote:
Originally Posted by GreggS View Post
It is possible to exclude the TIVO services from IPS.

1) Under Address Objects create three range objects tied to the WAN zone
208.73.180.0 - 208.73.183.255
204.176.49.0 - 204.176.49.127
206.112.115.0 - 206.112.115.255

2) Under Address Objects create a group object that contains the three range objects created in step 1

3) On the Intrusion Prevention page, click Configure IPS settings. Select the "Enable IPS Exclusion List" checkbox. Select the "Use Address Object" radio button. Select the Group object created in step 2. Click OK.

4) On the Content Filter page scroll down to the CFS Exclusion List section. Check the "Enable CFS Exclusion List" checkbox then select the group object you created in step 2. Click Apply at the top of the page

What you are doing is telling the SonicWall that the IP addresses that belong to TiVo are ok to exclude from CF & IPS processing. Entering the IP addresses (or MAC addresses) of your TiVo boxes won't do it.

I would still like to see this fixed so that IPS and CF can be turned back on for these IP addresses, but at least this leaves your TiVo boxes on the same network as the rest of your equipment.

Is there a more specific list of Tivo IP addresses out there that you are aware of? These ranges are very broad and could open you up to something, are all of these addresses confirmed Tivo's?
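The breadth question raised above can be measured directly. This is an added example, not code from any poster in the thread: it collapses the three ranges from GreggS's step 1 into CIDR blocks, counts how many addresses the exclusion group removes from IPS/CFS inspection, and checks a list of destination addresses against the group. The sample destination addresses are constructed for illustration; in practice they would come from your own packet capture of the TiVo's traffic.

```python
"""Added example: size and test the exclusion ranges listed in the thread."""
import ipaddress

# The three WAN ranges exactly as posted in the thread (start, end).
POSTED_RANGES = [
    ("208.73.180.0", "208.73.183.255"),
    ("204.176.49.0", "204.176.49.127"),
    ("206.112.115.0", "206.112.115.255"),
]

# Constructed sample destinations (not real capture data).
SAMPLE_DESTINATIONS = [
    "208.73.181.10",   # inside the first range
    "204.176.49.200",  # same /24 as the second range, but past .127
    "206.112.115.77",  # inside the third range
    "192.0.2.15",      # documentation address, outside every range
]


def exclusion_networks(ranges=POSTED_RANGES):
    """Collapse each start-end range into a minimal, sorted list of CIDR blocks."""
    nets = []
    for start, end in ranges:
        first = ipaddress.IPv4Address(start)
        last = ipaddress.IPv4Address(end)
        if first > last:
            raise ValueError(f"range is reversed: {start} - {end}")
        nets.extend(ipaddress.summarize_address_range(first, last))
    return list(ipaddress.collapse_addresses(nets))


def excluded_address_count(nets):
    """Total number of addresses that bypass inspection under this group."""
    return sum(net.num_addresses for net in nets)


def split_by_exclusion(dest_ips, nets):
    """Return (covered, not_covered) lists of destination addresses."""
    covered, not_covered = [], []
    for raw in dest_ips:
        ip = ipaddress.IPv4Address(raw)
        (covered if any(ip in net for net in nets) else not_covered).append(raw)
    return covered, not_covered


if __name__ == "__main__":
    nets = exclusion_networks()
    for net in nets:
        print(f"{net}  ({net.num_addresses} addresses)")
    print("total excluded:", excluded_address_count(nets))
    covered, not_covered = split_by_exclusion(SAMPLE_DESTINATIONS, nets)
    print("covered by exclusion:", covered)
    print("still inspected:", not_covered)
```

Running the destinations from a real capture through `split_by_exclusion` shows which parts of the group the TiVo actually uses, which is the evidence needed before narrowing the ranges.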
Old 08-08-2014, 12:55 PM   #22
Gerhard
Registered User
 
Join Date: Sep 2002
Posts: 230
I don't know about the more specific list of Tivo service IPs on the internet.

However, I do know that the SonicWall tech support folks are fairly poor at best.

The process for determining what rule is being tripped is to:

1) Perform a packet capture for the IP address of the Tivo that is failing

2) In the packet capture log, it's going to tell you why it's being blocked.

3) Then, you need to go to the Logs (located in a different place in the SonicWall UI) and filter for the rule being triggered (ex. "Network").

4) Once you know the rule being tripped, you can go back to the IPS UI under the Security UI, and search for that specific signature (rule).

5) Once you find that rule, you can turn it off, or change the settings.

It took me MONTHS to get someone to tell me how that worked on the SonicWall. No ONE of their technical support people could tell me that.

In the end, I set up another zone for the appliances, and separated them off to their own network. So the Tivos get a different policy from the rest of the systems in the house... but the computers are all severely locked down.
All times are GMT -5. The time now is 12:06 PM.