Oh, to be a Cisco IPsec VPN user these days… Now I know that we should get with the program and move to AnyConnect, since Cisco is EOL-ing the venerable Cisco VPN Client in 2014, but we have a large installed base, and since Cisco stopped making IPsec clients for Mac and Linux back in the 4.x days, we have been using the integrated VPN client on Mac OS X and the “vpnc” client on Linux on those respective platforms. When we cut over from our old VPN3000 concentrators to ASA 5500 units a few years ago, all these IPsec clients continued to work, and all was well (and, importantly, the user base did not have to do or learn anything new to continue to be able to VPN.) Yes, we did also investigate AnyConnect when we cut over to the ASAs, but we found that Linux support was lacking, especially in the posture support we wanted to use, so the AnyConnect rollout was deferred.
The first bump in the road came with the advent of Windows 8. We have been successfully deploying the 64-bit Cisco VPN Client 5.0.07.0440 software to our Windows 7 64-bit, and now Windows 8 (which only comes in 64-bit) OS machines. However, we found an odd problem on the Windows 8 OS — when the Cisco VPN Client was connected, only the desktop (“classic”) applications had network connectivity, and not the new Modern (nee “Metro”) apps. When I first found this problem when using the Cisco VPN Client on my new Surface Pro tablet, I then tried two other regular laptops running Windows 8, and they too had the same problem. A support call to Microsoft on this issue got lost in the shuffle (too many internal transfers on their side, I guess) and I never pursued it, because all the desktop apps that we had to support were working fine over VPN. (It does leave me wondering how Microsoft has changed the Windows IP stack for the Modern apps, but that’s a black box to me since it’s a closed-source system.)
Then came the free upgrade to Windows 8.1, which not only comes with the return of the Start button, but also the shiny new Internet Explorer 11. Between the lure of getting a Windows 8 that actually is usable on a regular desktop machine, and the upgrade price (free!), I took the early plunge and upgraded my Windows 8 machines (the aforementioned Surface Pro, and a regular laptop.) I was hoping that the VPN connection issue with the Metro Modern apps would be fixed (sadly, no) but imagine my horror when the new IE11 desktop browser also had connectivity issues! This is pretty much a deal-killer for us, as we are switching over to using SaaS for some LOB apps. So, for now, we are officially not deploying or supporting either Windows 8, or 8.1, on our business machines (sorry, MSFT!) due to these VPN connection problems.
At least they let us buy Apple products as well here. We’ve always had a good experience with the Apple MacBook line (both Pro and Air) and more and more of our staff is electing to use an Apple notebook running Mac OS X. We have a variety of machines out there running OS X 10.7 (Lion) and 10.8 (Mountain Lion), and the built-in “Cisco IPsec” VPN Client has always worked well for us.
However, last week Apple did the free OS upgrade thing too (OS X 10.9 “Mavericks”) and like little kids running after candy (it is Halloween, after all…) I and a bunch of other co-workers jumped right on it, and upgraded our machines. All was well, until I got the first call about “my VPN session disconnects after 60 minutes”… Then the next day, another one. Upon testing it out and verifying the problem on my own MacBook, and then looking into the reason for this, I see the following entries in the OS X system log:
Oct 29 17:44:43 vpnp83.mycompany.com configd[19]: IPSec Controller: IKE FAILED. phase 6, assert 0 Oct 29 17:44:43 vpnp83.mycompany.com racoon[3725]: IKE Packet: transmit failed. (Information message). Oct 29 17:44:43 vpnp83.mycompany.com racoon[3725]: IKEv1 Information-Notice: transmit failed. (Delete IPSEC-SA).
(“Racoon” being the IPsec client codebase Apple incorporates into OS X via Darwin‘s use of FreeBSD sources, in this case originally from the KAME IPv6/IPsec network stack project.) So, great, now we have a problem on two platforms… Although it seems it’s not an across-the-board problem; on some underlying networks it does work, and stays connected, but on others (sadly, our corporate wireless network) it does not.
I guess it’s about time to look at AnyConnect again, which I’m sure works much better on these platforms… Oh, wait.
If anyone out there has any ideas or fixes to try, I’d love to hear from you in the comments below… Smug Cisco Guy was no help at all…



I am struggling with the same problems, but I am not having the timeout issues with 10.9 vpn that you are having. Do you have a `vpn-idel-timeout none` line in your group-policy attributes? It may default to 60.
There’s a version of the Atom Processor in some of the older Windows 8 tablets that didn’t support the Cisco VPN Client. We had to use the AnyConnect Client. Licensing can be an issue when using the AnyConnect client since it’s an SSL session and not an IPSec session.
I believe I have the answer for the Metro apps. To make the Metro apps “more” secure, metro apps operate in “AppContainers” Network traffic for these AppContainers do not send traffic through the local loopback and I wager that Cisco is intercepting traffic from there.
If you are handy with the registry there is a way to configure Metro apps to behave like traditional application; however, you have to configure it on a “per app” basis.
This link should answer questions in more detail, including how to make it work…
http://blogs.msdn.com/b/fiddler/archive/2011/12/10/fiddler-windows-8-apps-enable-loopback-network-isolation-exemption.aspx