VPN AnyConnect Mac Client Problem

Unanswered Question
Jul 21st, 2010

I'm having an issue with the Mac version of the VPN AnyConnect Client.


The Client I'm using is version 2.4.1012, and my MacOSX version is 10.6.4.


The issue is that after connecting to the VPN server, everything will work fine for 5 minutes or so, then the connection is lost for about 2 minutes, eventually reconnects, stays connected for about 5 minutes, over and over again.


When the connection is lost, this shows up in the Mac console:



7/21/10 10:16:05 AM vpnagent[548] Initiating rekey for SSL connection.

7/21/10 10:16:05 AM vpnagent[548] Initiating a reconnect for rekey with a new SSL connection.

7/21/10 10:16:05 AM vpnagent[548] Function: InitNSS File: Certificates/NSSCertUtils.cpp Line: 390 Invoked Function: getProfilePath Return Code: -31391741 (0xFE210003) Description: CERTSTORE_ERROR_BAD_HANDLE

7/21/10 10:16:05 AM vpnagent[548] Function: CNSSCertStore File: Certificates/NSSCertStore.cpp Line: 72 Invoked Function: CNSSCertUtils::InitNSS Return Code: -31391741 (0xFE210003) Description: CERTSTORE_ERROR_BAD_HANDLE

7/21/10 10:16:05 AM vpnagent[548] Function: addNSSStore File: Certificates/CollectiveCertStore.cpp Line: 937 Invoked Function: CNSSCertStore::CNSSCertStore Return Code: -31391741 (0xFE210003) Description: CERTSTORE_ERROR_BAD_HANDLE

7/21/10 10:16:05 AM vpnagent[548] Function: OpenStores File: Certificates/CollectiveCertStore.cpp Line: 244 Invoked Function: CCollectiveCertStore::addNSSStore Return Code: -31391741 (0xFE210003) Description: CERTSTORE_ERROR_BAD_HANDLE

7/21/10 10:16:05 AM vpnagent[548] The Secondary SSL connection to the secure gateway is being established.

7/21/10 10:16:05 AM vpnagent[548] Function: postSocketConnectProcessing File: SslTunnelTransport.cpp Line: 1360 Opened SSL socket from 192.168.1.101 to 208.254.144.81

7/21/10 10:16:05 AM vpnagent[548] Function: VerifyServerCertificate File: Certificates/MacCertStore.cpp Line: 420 Invoked Function: CMacCertificate::Verify Return Code: -31326190 (0xFE220012) Description: CERTIFICATE_ERROR_VERIFY_CHAIN_POLICY_FAILED_ASKUSER


It looks like an SSL rekey is happening after 5 minutes, but the connection then gets hosed and eventually is completely re-built.  (Actually, I have a workmate with the exact same issue).


Is there any way to disable the rekey operation on the client side, or does anyone else have a hint about how I can fix this?  It's VERY annoying!

ARMANDO ALVARADO Mon, 07/26/2010 - 05:49

I had the exact problem. I had to upgrade the client to the new version, which is 2.5.0217. This one worked and no more disconnects. But now I cannot get outside to the internet. Windows PCs work fine but I cannot get the MacBook to bring in a web site. Trying to figure out the issue unless you have seen this. Let me know.

Todd Pula Mon, 07/26/2010 - 09:00

Are Windows clients able to connect to the same connection profile without issue? The default rekey lifetime is 30 minutes, so if you are seeing it happen every 5 minutes, you may want to double check the "svc rekey time" configuration under the respective group policy. I did run into a similar issue with another customer which wound up being related to DNS. In that case, the CN and subject names of the certificate were configured to use an FQDN which was only resolvable via public DNS servers. AnyConnect, however, was configured to send all DNS requests over the SSL tunnel. The resolution requests were being sent to a DNS server that could not resolve them, so the rekey process hung. Once the active tunnel was torn down, the FQDN in the certificate could now be resolved by the DNS server on the physical interface, allowing the new connection to establish. Configuring Split DNS resolved the issue for this particular customer. You may look into your configuration to see if this applies.
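Added example (not part of the original thread and not Cisco code): a small Python parser for console lines in the format pasted in the question. It measures the time between "Initiating rekey" events against the 30-minute default mentioned in the reply above and tallies the error descriptions logged once a rekey has started. The sample log is constructed from the thread's lines plus one invented earlier timestamp; `analyze` and its result keys are hypothetical names.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the thread's console format; the 10:11 entries are invented.
SAMPLE = """\
7/21/10 10:11:03 AM vpnagent[548] Initiating rekey for SSL connection.
7/21/10 10:11:03 AM vpnagent[548] Initiating a reconnect for rekey with a new SSL connection.
7/21/10 10:11:04 AM vpnagent[548] Function: VerifyServerCertificate File: Certificates/MacCertStore.cpp Line: 420 Invoked Function: CMacCertificate::Verify Return Code: -31326190 (0xFE220012) Description: CERTIFICATE_ERROR_VERIFY_CHAIN_POLICY_FAILED_ASKUSER
7/21/10 10:16:05 AM vpnagent[548] Initiating rekey for SSL connection.
7/21/10 10:16:05 AM vpnagent[548] Function: InitNSS File: Certificates/NSSCertUtils.cpp Line: 390 Invoked Function: getProfilePath Return Code: -31391741 (0xFE210003) Description: CERTSTORE_ERROR_BAD_HANDLE
"""

LINE = re.compile(r"^(\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) vpnagent\[\d+\] (.*)$")
DESC = re.compile(r"Description: (\w+)")
DEFAULT_REKEY = timedelta(minutes=30)  # default rekey lifetime stated in the reply


def analyze(text, expected=DEFAULT_REKEY):
    """Return rekey count, intervals between rekeys, short intervals, error tally."""
    rekeys, errors = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore lines from other processes or wrapped fragments
        ts = datetime.strptime(m.group(1), "%m/%d/%y %I:%M:%S %p")
        msg = m.group(2)
        # "Initiating a reconnect for rekey" is a follow-up line, not a new rekey.
        if msg.startswith("Initiating rekey"):
            rekeys.append(ts)
        d = DESC.search(msg)
        if d and rekeys:  # only count errors logged after a rekey has started
            errors[d.group(1)] = errors.get(d.group(1), 0) + 1
    intervals = [b - a for a, b in zip(rekeys, rekeys[1:])]
    short = [i for i in intervals if i < expected]
    return {"rekeys": len(rekeys), "intervals": intervals,
            "short": short, "errors": errors}


if __name__ == "__main__":
    result = analyze(SAMPLE)
    for gap in result["short"]:
        print(f"rekey after {gap} (expected about {DEFAULT_REKEY})")
    for name, count in sorted(result["errors"].items()):
        print(f"{count} x {name}")
```

Intervals well below the configured lifetime point at the group policy's rekey setting, while certificate verification errors around each rekey fit the DNS scenario described in the reply.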
