Access Denied Error when on Xfinity Wifi

@XfinityPaula​ Hardwired has the same issue. 

@user_b5m23x Thank you for testing that as well. I can try to run through some things on my side, most of it will be the basic steps your have taken already, but I can try to create a ticket for us instead of booking the repair appointment. Please send us a direct message with your name and service address. I am happy to dig into this and help find the resolution. 

To send a direct message, please click on the chat icon in the top-right corner of the screen, and select "Xfinity Support" to initiate a live chat. 
Click "Sign In" if necessary
Click the "direct messaging" icon or https://comca.st/3J0ir1l
Click the "New message" (pencil and paper) icon
Type "Xfinity Support" in the "To:" line and select "Xfinity Support" from the drop-down list which appears. The "Xfinity Support" graphic replaces the "To:" line
Type your message in the text area near the bottom of the window
Press Enter to send it

I am having this same issue. 

I turned my modem off overnight and got a new ip address and that fixed it for a few days but now the issue came back even on the new ip. 

This is definitely an xfinity issue.

I don't use an xfinity gateway so the xfinity reps insisted that it's my modem/router.

@user_b5m23x if I had to guess it started working when switching to a non xfinity gateway because the gateway forced a new ip address to be assigned but it got blocked a short time later.

Something seems to be up

Based on my understanding, This seems to be connected to an akamai web scraping block (for me at least) https://www.akamai.com/newsroom/press-release/akamai-announces-content-protector-to-stop-scraping-attacks

for some reason these sites use akamai for protection and akamai keeps saying that my ip is being used for web scraping.

You can check your ip on their site.

Problem is that xfinity reps are all clueless and anytime you mention ip needing to be renewed by phone or chat they just tell you how to renew your private ip which is useless. 

Not sure why these are called "tech support reps" if they don't understand the basics of how isp and dhcp leases work.

FYI, I am seeing the same issue propagating to additional sites every month. I checked my current public IP at akamai and it is not listed as malicious or suspect, yet the behavior continues, so while that doesn't mean Akamai is not at fault for some cases, clearly they are not the only ones. If I had to hypothesize, given my background in networking and cyber, I suspect that there is a complex issue at play here along the possible line of:

1. Xfinity network is used for malicious purposes or someone clones an Xfinity IP address range when mounting an attack

2. Multiple firewall vendors mark the IP addresses as malicious

3. Eventually those IP addresses get recycled to law abiding customers.

4. Those customers are blocked as the IP addresses are still flagged.

If I am correct then Xfinity has a simple engineering problem where they need to intake reports from vendors and pull malicious IP addresses out of circulation until the flags clear.

@BruceW​ nope. I am fully aware of how sites and the web work. So if my statement doesn't mean much to you then three other IT experts should. One of which works at Siemens and does their networking. All including Xfinity have messed with my house. Plus an Android phone does NOT have anything which you mention above. All Android phones that come into my house have the same problem.

@Kvotenz​ XfinityWifi doesn't come with your normal subscription.  It is an Add-on.  I don't plan to pay for more just to fix a problem that is related to Xfinity's system. 

@ XfinityFrank. The websites that I know of so far are:

Kroger.com

Bjs.com 

Jcpenny.com 

Lowes.com 

Homedepot.com 

United.com

Southwest.com

Cabelas.com 

Basspro.com

@Kvotenz, thanks for checking those and letting us know. When you get a chance, can you send us a direct message so we can take a deeper look into it and get is escalated for the thread?

Test update.  We are now running an Xb6 and an Xb8.  After three days the Xb8 started blocking sites.  The Xb6 is still working fine. Here is one example of a link that gets blocked. 

https://tjmaxx.tjx.com/store/jump/product/Leather-Waterproof-Cap-Toe-Gallivanter-Golf-Shoes/1000862953

Yes in both cases we setup new IP addresses for each line.  They started out working fine, but not now. 

Two of the sites above I am seeing the same problems.  United.com and Southwest.com as well.  I also have problems on the Krispy Kreme and Pizza Hut websites. 

@BruceW​ if you read everything above everyone already knows that Access Denied messages come from the site itself. 

Everyone here also knows that two gateways provide two separate IP addresses.  They have to as each have different MAC addresses.  Next, nothing that is on the Xb8 uses either a firewall, VPN or blocker which would trigger a security alert on TJMax website.  The access denied message comes off a standard Android phone that is used by millions.  As such it's impossible for the Android phone to be setting off any type of firewall block.  The only way an Access Denied would occur in this situation is if the IP address was blacklisted. Well, it isn't as already mentioned above.  Please read all the posts when trying to provide valuable input so information isn't duplicated. 

@BruceW​ well well well.  Here is the end result.  After a year of being a major pain in the proverbial arse to Xfinity, and spending hundreds of hours on this issue, they finally admitted that the problem is NOT me.  (You don't say.)  Here is the real problem, and it's actually occurring in a regional area of the Xfinity network.  That includes Georgia, Florida and some other areas.

All the sites that are blocking me (and others) use the same firewall software.  It is actually a very large number of sites. That software is blocking certain IP addresses that are being used by Xfinity.  When you get a new modem and they issue you a new IP address you run the risk of it eventually getting blocked.  The National Escalation Team at Xfinity has seen this problem before and 4 months were required to have the software company make changes to their firewall.  Who knows how long it will happen again.  The NET also created an Incident Ticket to notify Tiers 1 and 2 of the ongoing problem. Thus they can now stop just blaming the end user, which is their normal routine at Xfinity. (Just look up and read through this post.)

So how did I discover this information? It's because I have been a royal pain to the technical support team and their manager.  If I wasn't in an HOA with a community contract I would not have access to these people.  After over year of fighting them they sent a message to the National Escalation Team which contacted me directly to get information on what I was witnessing.  End result was finally getting the Engineering team to find the problem, and now seek a solution. 

It's sad that an end user has to do the job of Xfinity.  They are a bunch of morons. The company owes me BIG TIME but of course probably won't do anything unless I scream and shout, and shout some more.  Comcast has done some stupid things over the years.  It eventually caused me in the 1990's to use AT&T and vow to NEVER use their company.  However I am now forced to do so with our HOA.  I have no other choice except for Satellite or Cellular Networks both of which are SLOW. 

Your welcome Xfinity!

I am in the Pacific Northwest and seeing the same. Do you have any details on this that you could share? 

@BruceW​ Not true.  I can access the site through the same Wifi using any Apple Phone. If they are blocking the IP address then anything going through that router will get blocked.  It doesn't.  Even when Xfinity tech's arrive their iPhones work fine, but there personal Android phones don't.  As mentioned above already I have had a Siemens IT expert, several Xfinity engineers involved, myself (which is highly educated on networks), and another close friend who has done networking for 20 years.  Everyone says the same thing, it appears to be nothing I am running or doing and something with the Xb8 or downstream through Xfinity.  As of now I have switched everything (except Ring and NEST) over to the Xb6.  So far nothing is being blocked.  Only time will tell if it stays that way.  If so...well..????

Oh, and I am hitting reply, that's why the @BruceW is showing up. If you aren't getting notified it's not the reason you indicate above. 

@user_yio4jw​ here is your problem with that.  Your router's MAC address is assigned an IP by the ISP.  Cloning it to another router doesn't change the underlying problem with Akamai.  Once an IP is tagged to a specific MAC address and then flagged for web scraping you will not be able to access sites with firewall algorithms that use the database for which you are flagged. There is absolutely no solution for you other than to have the ISP give you another IP address, or to have your current IP removed from the web scraping database. I have contacted Aklamai for my scenario and they will not make any adjustment without being contacted by Xfinity.  The problem is with Xfinity and they are the only people that can resolve this issue.

As for my problem, it has not been resolved.  The National Escalation Team at Xfinity is still working on my problem and my ticket has not been closed.  The Engineering team should be working on this issue directly with Akamai, but of course I have no access to them.  I am just hoping, waiting and praying at this point.

We are in the same boat. Xfinity sent out a tech and changed some things including modem.  Worked for two days but now access denied.  DOES ANYONE HAVE A SOLUTION???   This is so annoying.  

@imrobe​ for my problem nothing has changed yet.  Xfinity has been trying to get Akamai to work with them and resolve this problem since it happens to many of their customers.  As of this moment Akamai doesn't seem to really care about fixing the problem.  All we can hope is that Xfinity decides to be a big enough pain in their arse they finally decide to do something.

@Tsmyth2​ Did you check your IP address using both methods?  Most likely only one is being blocked.  You can get blacklisting information online. 

https://whatismyipaddress.com/blacklist-check

Hello @Tsmyth2, thanks for taking the time to reach out to our team on Forums. We value you as a customer and my team is here to support you. I am sorry to hear you're also experiencing issues with your email. My team would be more than happy to further assist you with this.

Just for troubleshooting purposes, the only device you're unable to access the Xfinity email on is your Apple laptop, correct?