Network connectivity issue observed on OS 15.4.1

I’d like to clarify some points.

We are using a Network Extension with a transparent app proxy in our product.

So, to be clear:

• You are shipping a macOS product.

• That includes an app.

• Which contains a transparent proxy system extension.

Is that right.

The user encounters this issue while using our client, but the issue persists even after stopping the client app.

By “client app” you mean your transparent proxy, right?

Which app is “experiencing network issues”? All the apps on the system?

It seems like you’re seeing this:

1. The user has your transparency proxy installed.

2. They update to macOS 15.4.1.

3. The start to encounter network problems.

4. This stop your transparent proxy.

5. Those problems persist.

Is that right?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

You are shipping a macOS product. That includes an app. Which contains a transparent proxy system extension.

Yes this is correct.

By “client app” you mean your transparent proxy, right?

Yes

Which app is “experiencing network issues”? All the apps on the system?

None of the apps work — there is no network connectivity, and the user has to restart the system to recover the network. The system and DNS logs shared above indicate that there is no active network interface.

It seems like you’re seeing this

1. The user has your transparency proxy installed.
2. They update to macOS 15.4.1.
3. The start to encounter network problems.
4. This stop your transparent proxy.
5. Those problems persist.

All points are correct except the fourth one. The transparent proxy is not stopped — it continues to run and capture traffic. However, the system has no network connectivity, as explained above. There is no active network interface, and system logs and scutil --dns shows the network is not reachable.

It seems like OS issue.

This issue is mostly observed on M4 devices running iOS 15.4.1.

Thanks for all your answers.

This issue is mostly observed on M4 devices running iOS 15.4.1.

I’m presuming you mean macOS (-:

This issue is mostly observed on M4 devices running iOS 15.4.1.

So, let’s say:

• You set up your transparent proxy to be notified of all flows.

• But configure it to only capture a subset of them, by returning false from your handle-new-flow method.

Once the Mac gets into this failed state, use nc to trigger a connect to a host that is captured by the proxy and a host that isn’t. In that case:

• Is your handle-new-flow method called for both flows?

• Do both flows fail? Or just the one being captured by the proxy?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

In this case, both flows — the one captured by the proxy and the one bypassed — have failed.

There is no network connectivity.

Could this be related to the Wi-Fi 6E issue, which started being supported on M3 and M4 devices running macOS?

In this case, both flows — the one captured by the proxy and the one bypassed — have failed.

OK. And, just to be clear, your handle-new-flow method was called in both cases, right?

Could this be related to the Wi-Fi 6E issue … ?

Well, anything’s possible, but it seems unlikely to me. There’s no obvious connection between NE transparent proxies and Wi-Fi. They’re operating at the exact opposite ends of the networking stack.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

OK. And, just to be clear, your handle-new-flow method was called in both cases, right?

Yes, handle new flow called for both the cases.

Thanks for the clarification.

In general, a transparent proxy should have no effect if it returns false from the handle-new-flow method. Given that your proxy sees both flows and both fail regardless of what your handle-new-flow method returns, that definitely makes this a bug.

But before I send you off down that path, I wanna check something: Can you reproduce this with just your transparent proxy installed?

A lot of the time when I see problems like this it’s in some ‘fun’ enterprise environment with a really ‘exciting’ configuration. For example, the issue might only show up on a Mac with two transparent proxies, a packet tunnel, and an ES client, all from different vendors. If that’s the case here then I recommend that you first try to reduce the state space to confirm that the issue is specific to your transparent proxy. That’ll make it easier for you to file an actionable bug report.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Our company is a customer who uses this product and is affected by this exact issue on macOS. What happens next? Will a bug report be created?

@SGGHET Yes, it was reported to Apple, and they acknowledged the bug. A fix will be available in the next macOS version.