Facetime Misbehaves on MacOS w/Warp(Zero Trust)

What is the name of the domain?

apple.com

What is the error number?

None provided, Functionality Issue.

What is the issue you’re encountering?

Facetime Dies on WARP // ZeroTrust

What steps have you taken to resolve the issue?

I have not been able to resolve this, and it’s affecting two of my MacOS devices.

While ZeroTrust is enabled, FaceTime will not function on either device.

It works on the iPhones when enabled.

If I disable ZeroTrust, FaceTime works well.

I have allowed Apple IP and Domain, as well as allowed application “Icloud” and “imessage” in the firewall rules.

I noticed there’s no FaceTime application available to select.

What are the steps to reproduce the issue?

Listed above.

Have same problem. Downgraded to last working Version: 2024.3.407.0 (20240329.17).

@Cloudflare Is the only option to roll back?

Did you report this via :wbug:? Doing that ensures they get config and diag details.

That option doesn’t exist for this?

We are also seeing this issue and have taken the same steps to attempt to resolve it without success.

If I enable Cloudflare Warp it cannot join or make a call: ‘Call Failed’. Just like the others also mention, if I disable Cloudflare it works fine.

macOS 14.6.1
Warp Version 2024.6.474.0 (20240730.24)

There are no policies active which should block this. Does anyone have FaceTime working with Cloudflare enabled?

I managed to get it working by adding an HTTP Firewall policy: No Inspect > Domain > apple.com.

1 Like

this worked great, thanks!

Dot me also… until it didn’t. Don’t know why it worked for a while and now it doesn’t anymore. I also included icloud.com in the No inspect rule but it doesn’t connect anymore, until I switch off Cloudflare Warp Zero-Trust.

Hopefully anyone has any ideas.

1 Like

I’m still struggling with this. It seems it doesn’t connect to a FaceTime link the first time, but it does when clicking it for a second time. Also I’m unreachable for FaceTime calls when Warp is switched on.

Can anyone confirm they got this working without issues? I’m not on a paid plan so I cannot create a support ticket unfortunately.

Thanks.

Having these issues

1 Like

So, I’ve tracked this down to my Zero Trust account’s ‘Split Tunnels (exclude)’ settings.

I (re)installed Warp from scratch (without logging in to my Zero Trust account) and noticed there were a number of (additional) entries in the Preferences > Advanced > Split Tunnel list, that weren’t in my Zero Trust profile. At that point, all MacOS services were working perfectly too :thinking:

I logged Warp in to my Zero Trust account and things stopped working!

I noticed that from my Cloudflare dashboard, Zero Trust > Settings > Warp Client > Device settings > Default > Configure > Split Tunnels (Exclude IPs and domains) > Manage …
there were a number of items missing.
Manually adding these ‘missing’ items resulted in everything working again across my entire Warp fleet :tada:

One thing to note was that using the “Restore default entries” button DID NOT make my list appear the same as the list from the initial Warp install. I guess the teams responsible for development aren’t in sync with each other. It would be nice if the CF devs could remedy this drift?

Regardless, manually adding the following to my Zero Trust Warp Settings cured all my current Apple woes.

  • 239.255.255.250/32
  • 17.57.144.0/22
  • 17.188.128.0/18
  • 17.188.20.0/23
  • 17.249.0.0/16
  • 17.252.0.0/16
  • 2620:149:a44::/48
  • 2403:300:a42::/48
  • 2403:300:a51::/48
  • 2a01:b740:a42::/48
  • fc00::/7

Hope that helps anyone else that is currently having issues, especially made worse since the recent MacOS 15 upgrade.

6 Likes

Hi, thank you for this valuable discovery!
I find some slight differences in the addresses you provided compared with the WARP default list.

  1. 2620:149:a44::/48
  2. 2403:300:a42::/48
  3. 2403:300:a51::/48
  4. 2a01:b740:a42::/48

1 Like

@Stevezzz Many thanks. I’ve corrected the original post :heart:

That’s great! I see you have included the IPs from Apple’s APNs servers as I received an email from Cloudflare warning that those IPs should be ignored to ensure proper functioning.

All seems to be working except for 1 thing: FaceTime seems to be working properly but when I create a FaceTime Link (so not ‘New FaceTime’ but ‘Create Link’ to invite multiple persons to join a meeting), it cannot connect unless I switch off the Zero Trust Warp client.

And another question: is excluding IP/domain in the split tunnel the same (result) as creating a ‘Do not inspect’ Firewall policy (Gateway > Firewall Policies > HTTP)?

Thanks.

Hi @job2

Yeah, I got that email today too, which was nice (but a little late this time - hopefully it’s a good sign of things to come). I still think the devs might do well having ‘presets’ available to enable/disable groups of well-known-services, but heh.

I’ve not used FaceTime Link etc, so can’t verify I’m afraid.

Firewall policies, not sure - I don’t have any Firewall policies set so can’t confirm.

1 Like

This is great, thank you. I don’t suppose you have this in blog post form or anything that I can share?

Just adding 17.0.0.0/8 to split tunnel (exclude) did the trick for me.
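
Added example, not part of any post in this thread and not Cloudflare code: a small audit that compares a profile's Split Tunnels (exclude) list against the entries listed in the post above, treating an entry as present when a broader configured range (such as the `17.0.0.0/8` from the last post) contains it. The function names and the sample profile are hypothetical; the profile list is assumed to be pasted in by hand from the dashboard.

```python
import ipaddress

# Exclude entries copied from the list posted earlier in this thread.
REQUIRED = [
    "239.255.255.250/32", "17.57.144.0/22", "17.188.128.0/18",
    "17.188.20.0/23", "17.249.0.0/16", "17.252.0.0/16",
    "2620:149:a44::/48", "2403:300:a42::/48", "2403:300:a51::/48",
    "2a01:b740:a42::/48", "fc00::/7",
]

# Constructed sample profile (not taken from any real account).
SAMPLE_PROFILE = ["10.0.0.0/8", "192.168.0.0/16", "fe80::/10",
                  "17.0.0.0/8", "example.internal"]


def parse(entries):
    """Parse CIDR strings; domain-based exclude entries are skipped."""
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            continue  # not an IP/CIDR entry (e.g. a domain)
    return nets


def audit(configured, required=REQUIRED):
    """Return (missing, covered) for the required networks.

    missing: required CIDRs with no equal or containing configured entry.
    covered: required CIDR -> configured entry that contains it.
    """
    cfg = parse(configured)
    missing, covered = [], {}
    for req in parse(required):
        # subnet_of() raises TypeError across IP versions, so check first.
        parent = next((c for c in cfg
                       if c.version == req.version and req.subnet_of(c)), None)
        if parent is None:
            missing.append(str(req))
        else:
            covered[str(req)] = str(parent)
    return missing, covered


if __name__ == "__main__":
    missing, covered = audit(SAMPLE_PROFILE)
    print("covered:", covered)
    print("missing:", missing)
```

For the sample profile, the five `17.x` ranges are reported as covered by `17.0.0.0/8`, while the multicast address and the IPv6 prefixes are reported as missing. Every range in the exclude list bypasses the WARP tunnel, so a broader entry also takes more traffic out of the tunnel.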