Hi, Thanks for the answer and sorry for the delay. We managed to get the initial PaymentRequestToken, but failed / timed out in the second step, some tcpdumping showed that: For Test / Sandbox: whitelisting apple-pay-gateway-cert.apple.com does not work as it resolves to Non-authoritative answer: Name: apple-pay-gateway-cert.apple.com Address: 17.171.85.7 But apple pay client talks to 17.171.85.6 (I am guessing the client uses some apple internal DNS or load balancer?) For Production we are still having some similar trouble but a lot more complicated apple-pay-gateway-nc-pod3.apple.com   apple-pay-gateway-nc-pod3.gcsis-apple.com.akadns.net. 30 IN A 17.171.78.135   but client talks to 17.171.78.134 So, we're still trying to keep the CNA working, but not allowing too many apple IPs, but also keep the payment going through. as it turns out the Apple Pay client, also talks to Visa, Mastercard, etc servers. Any additional pointers on more specific ip ranges are most welcome. (as the list at https://developer.apple.com/documentation/apple_pay_on_the_web/setting_up_your_server seems at least outdated )

hi and thanks, yes we tried that, but it seems to be only for the MerchantID validation? I'll test again, maybe the error is in our walled garden/nginx config. (its a complex *****...)

Update: well, thanks @isehfbeil it does work, as for whatever reason the roaming does not run anymore.

hi, I don't hope setting your network to less secure is the answer. Although this would fix a lot of problems ;) I think the culprit is: Wed Dec&#9;2 10:04:29.904 Driver Event: <airport[3314]> _bsd_80211_event_callback: APPLE80211_M_ROAM_START (en0) I have the same issue, which is very annoying for video calls. (MBPro 2015/Big Sur and Fritzbox 7580 with Mesh using FB-Extender 3000) No other devices seem to experience this issue. My current knowledge is: Running a ping --apple-time 192.168.188.110 -i 0.1 13:21:12.730147 64 bytes from 192.168.188.110: icmp_seq=3750 ttl=64 time=1.214 ms 13:21:12.836592 64 bytes from 192.168.188.110: icmp_seq=3751 ttl=64 time=3.009 ms Request timeout for icmp_seq 3753snip- Request timeout for icmp_seq 3787 13:21:16.694166 64 bytes from 192.168.188.110: icmp_seq=3788 ttl=64 time=3.420 ms 13:21:16.805075 64 bytes from 192.168.188.110: icmp_seq=3789 ttl=64 time=4.709 ms and a tail -f /var/log/wifi.log Tue Dec 15 13:21:12.857 Driver Event: <airport[175]> _bsd_80211_event_callback: APPLE80211_M_ROAM_START (en0) Tue Dec 15 13:21:12.857 Info: <airport[175]> Roaming started on interface en0 Tue Dec 15 13:21:12.857 Info: <airport[175]> PRIORITY LOCK ADDED [client=airportd, type=4, interface=en0, priority=5] Tue Dec 15 13:21:12.859 Info: <airport[175]> -[CWXPCInterfaceContext __setAWDLOperatingMode:interface:error:]: attempting to set AWDL mode to 2 Tue Dec 15 13:21:12.859 Info: <airport[175]> SUSPEND AWDL for interface en0, timeout=10.0s, reason=Roam, token=8-- Snip / too long Tue Dec 15 13:21:16.648 <kernel> installGTK: IGTK installed Tue Dec 15 13:21:16.648 Info: <airport[175]> Roaming ended on interface en0 Tue Dec 15 13:21:16.648 Driver Event: <airport[175]> _bsd_80211_event_callback: RSN_HANDSHAKE_DONE (en0) Tue Dec 15 13:21:16.649 Info: <airport[175]> -[CWXPCInterfaceContext setRoamInProgress:reason:]_block_invoke: roam status metric data: CWAWDMetricRoamStatus: status:0 security: 2 profile:5 origin:{length = 3, bytes = 0x000000}(-49) target:{length = 3, bytes = 0x3ca62f}(-57) latency:3.791029s Tue Dec 15 13:21:16.649 Info: <airport[175]> -[CWAWDManager submitMetric:]: submitting metric id 0x90046 Tue Dec 15 13:21:16.649 Info: <airport[175]> RESUME AWDL for interface en0, reason=Roam token=8 Tue Dec 15 13:21:16.649 Info: <airport[175]> PRIORITY LOCK REMOVED [client=airportd, type=4, interface=en0, priority=5] Tue Dec 15 13:21:16.650 Info: <airport[175]> -[CWXPCInterfaceContext __setAWDLOperatingMode:interface:error:]: attempting to set AWDL mode to 0 Tue Dec 15 13:21:16.709 <kernel> postMessage::1412 APPLE80211_M_BSSID_CHANGED received Tue Dec 15 13:21:16.709 P2P: <airport[175]> _p2pSupEventCallback: APPLE80211_M_BSSID_CHANGED Tue Dec 15 13:21:16.709 Driver Event: <airport[175]> _bsd_80211_event_callback: BSSID_CHANGED (en0) Tue Dec 15 13:21:16.709 Info: <airport[175]> _bsd_80211_event_callback: Frequency Band updated <2> Tue Dec 15 13:21:16.710 Offload: <airport[175]> tcpKeepAliveActive: TCP keep-alive is active. Tue Dec 15 13:21:16.710 WoW: <airport[175]> LPAS not supported on en0, applying legacy WoW behavior Tue Dec 15 13:21:16.710 WoW: <airport[175]> WoW successfully ENABLED on en0 point to roaming, as the wifi cuts out between roaming start and end. Unfortunately I have not found a solution yet. If anyone can point me to disabling wifi-roaming, I would be grateful. I tried setting the joinMode to strongest (was unset before) with no success. /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport prefs JoinMode and disabling roaming, but that seems not to be supported any longer. sudo defaults write /Library/Preferences/com.apple.airport.opproam disabled -bool true I will test disabling WPA3 to see if this changes, but hope someone has a better idea.