
Cisco IPsec VPN breakage on Windows 8[.1] and OS X 10.9

October 31, 2013 by Will Dennis

Oh, to be a Cisco IPsec VPN user these days… Now I know that we should get with the program and move to AnyConnect, since Cisco is EOL-ing the venerable Cisco VPN Client in 2014, but we have a large installed base, and since Cisco stopped making IPsec clients for Mac and Linux back in the 4.x days, we have been using the integrated VPN client on Mac OS X and the “vpnc” client on Linux on those respective platforms. When we cut over from our old VPN3000 concentrators to ASA 5500 units a few years ago, all these IPsec clients continued to work, and all was well (and, importantly, the user base did not have to do or learn anything new to continue to be able to VPN.)  Yes, we did also investigate AnyConnect when we cut over to the ASAs, but we found that Linux support was lacking, especially in the posture support we wanted to use, so the AnyConnect rollout was deferred.

The first bump in the road came with the advent of Windows 8. We have been successfully deploying the 64-bit Cisco VPN Client 5.0.07.0440 software to our Windows 7 64-bit, and now Windows 8 (which only comes in 64-bit), machines. However, we found an odd problem on Windows 8: when the Cisco VPN Client was connected, only the desktop (“classic”) applications had network connectivity, and not the new Modern (née “Metro”) apps. I first hit this problem using the Cisco VPN Client on my new Surface Pro tablet; I then tried two other regular laptops running Windows 8, and they had the same problem. A support call to Microsoft on this issue got lost in the shuffle (too many internal transfers on their side, I guess) and I never pursued it, because all the desktop apps that we had to support were working fine over VPN. (It does leave me wondering how Microsoft has changed the Windows IP stack for the Modern apps, but that’s a black box to me since it’s a closed-source system.)

Then came the free upgrade to Windows 8.1, which not only comes with the return of the Start button, but also the shiny new Internet Explorer 11. Between the lure of getting a Windows 8 that actually is usable on a regular desktop machine, and the upgrade price (free!), I took the early plunge and upgraded my Windows 8 machines (the aforementioned Surface Pro, and a regular laptop.) I was hoping that the VPN connection issue with the Modern (Metro) apps would be fixed (sadly, no), but imagine my horror when the new IE11 desktop browser also had connectivity issues! This is pretty much a deal-killer for us, as we are switching over to using SaaS for some LOB apps. So, for now, we are officially not deploying or supporting either Windows 8 or 8.1 on our business machines (sorry, MSFT!) due to these VPN connection problems.

At least they let us buy Apple products as well here. We’ve always had a good experience with the Apple MacBook line (both Pro and Air) and more and more of our staff is electing to use an Apple notebook running Mac OS X. We have a variety of machines out there running OS X 10.7 (Lion) and 10.8 (Mountain Lion), and the built-in “Cisco IPsec” VPN Client has always worked well for us.

Screenshot of built-in Cisco IPsec client

However, last week Apple did the free OS upgrade thing too (OS X 10.9 “Mavericks”) and like little kids running after candy (it is Halloween, after all…) I and a bunch of other co-workers jumped right on it, and upgraded our machines. All was well, until I got the first call about “my VPN session disconnects after 60 minutes”… Then the next day, another one. Upon testing it out and verifying the problem on my own MacBook, and then looking into the reason for this, I see the following entries in the OS X system log:

Oct 29 17:44:43 vpnp83.mycompany.com configd[19]: IPSec Controller: IKE FAILED. phase 6, assert 0
Oct 29 17:44:43 vpnp83.mycompany.com racoon[3725]: IKE Packet: transmit failed. (Information message).
Oct 29 17:44:43 vpnp83.mycompany.com racoon[3725]: IKEv1 Information-Notice: transmit failed. (Delete IPSEC-SA).

(“Racoon” being the IPsec IKE daemon Apple incorporates into OS X via Darwin’s use of FreeBSD sources, in this case originally from the KAME IPv6/IPsec network stack project.) So, great, now we have a problem on two platforms… Although it seems it’s not an across-the-board problem: on some underlying networks it does work and stays connected, but on others (sadly, our corporate wireless network) it does not.
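As an added example (not code from the post or from Apple), a small Python script that scans OS X system.log lines for the configd/racoon IKE failure messages quoted above and measures how long each tunnel lasted before one; a session length that lands near a fixed interval such as 60 minutes points at a configured timeout on the head end rather than a flaky network path. The “Phase 2 established” connect line and the year 2013 are assumptions, not real log wording.

```python
import re
from datetime import datetime
# Constructed sample of OS X 10.9 system.log lines: the three configd/racoon failure
# lines from the post plus a constructed "Phase 2 established" stand-in for the connect message.
SAMPLE_LOG = """\
Oct 29 16:44:43 vpnp83.mycompany.com configd[19]: IPSec Phase 2 established.
Oct 29 17:44:43 vpnp83.mycompany.com configd[19]: IPSec Controller: IKE FAILED. phase 6, assert 0
Oct 29 17:44:43 vpnp83.mycompany.com racoon[3725]: IKE Packet: transmit failed. (Information message).
Oct 29 17:44:43 vpnp83.mycompany.com racoon[3725]: IKEv1 Information-Notice: transmit failed. (Delete IPSEC-SA).
"""

# BSD syslog layout: "Mon DD HH:MM:SS host process[pid]: message" (no year field).
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (\w+)\[(\d+)\]: (.*)$")
FAILURE_MARKERS = ("IKE FAILED", "Delete IPSEC-SA", "transmit failed")
ESTABLISHED_MARKER = "Phase 2 established"   # assumed connect marker (constructed)

def parse_line(line, year=2013):
    """Return (timestamp, process, message) for one syslog line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(3), m.group(5)

def ipsec_events(log_text, year=2013):
    """Yield (timestamp, process, 'up'|'fail') for tunnel-up and IKE-failure lines."""
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None or parsed[1] not in ("configd", "racoon"):
            continue
        ts, proc, msg = parsed
        if ESTABLISHED_MARKER in msg:
            yield ts, proc, "up"
        elif any(marker in msg for marker in FAILURE_MARKERS):
            yield ts, proc, "fail"

def session_lengths(log_text, year=2013):
    """Seconds from each tunnel-up event to the first IKE failure that follows it."""
    lengths, up_at = [], None
    for ts, _proc, kind in ipsec_events(log_text, year):
        if kind == "up":
            up_at = ts
        elif kind == "fail" and up_at is not None:
            lengths.append(int((ts - up_at).total_seconds()))
            up_at = None  # remaining failure lines belong to the same teardown
    return lengths

def looks_like_timeout(length_s, expected_min=60, tolerance_s=120):
    """True when a session died near a fixed interval: a configured timeout, not a flaky path."""
    return abs(length_s - expected_min * 60) <= tolerance_s
```

Run it against a real /var/log/system.log by feeding the file contents to session_lengths(); several sessions all dying near the same interval is the signature of a timeout setting rather than packet loss.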

I guess it’s about time to look at AnyConnect again, which I’m sure works much better on these platforms… Oh, wait.

If anyone out there has any ideas or fixes to try, I’d love to hear from you in the comments below… Smug Cisco Guy was no help at all…



Comments

  1. inChargeOfIT says

    November 9, 2013 at 12:58 AM

    I am struggling with the same problems, but I am not having the timeout issues with 10.9 VPN that you are having. Do you have a `vpn-idle-timeout none` line in your group-policy attributes? It may default to 60.

  2. Stas Wright says

    November 18, 2013 at 2:04 AM

    There’s a version of the Atom Processor in some of the older Windows 8 tablets that didn’t support the Cisco VPN Client. We had to use the AnyConnect Client. Licensing can be an issue when using the AnyConnect client since it’s an SSL session and not an IPSec session.

  3. Charles Beyer says

    January 14, 2014 at 5:08 PM

    I believe I have the answer for the Metro apps. To make the Metro apps “more” secure, Metro apps operate in “AppContainers”. Network traffic for these AppContainers does not pass through the local loopback, and I wager that Cisco is intercepting traffic from there.

    If you are handy with the registry there is a way to configure Metro apps to behave like traditional applications; however, you have to configure it on a “per app” basis.

    This link should answer questions in more detail, including how to make it work…

    http://blogs.msdn.com/b/fiddler/archive/2011/12/10/fiddler-windows-8-apps-enable-loopback-network-isolation-exemption.aspx
