Cisco AnyConnect 3.0.2 and Mac OS X 10.7

Answered Question
Jul 6th, 2011

I'm having trouble getting this to work, after my upgrade to Mac OS X Lion the Anyconnect client can no longer login. Reinstalling didn't work for me. What are other experiencing?

Correct Answer by slawford about 5 years 6 months ago

Hi All,

Thanks for your private messages. I had noticed the Subject Alternate name pattern in the vast majority of problem cases, which I forwarded to the developers.

Please note that version 3.0.3054 has just been posted to which contains the fix for CSCtr64798.

The updated client can be found here:



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Herbert Baerten Mon, 07/11/2011 - 01:46

The current version of Anyconnect is not supported on Lion, sorry. Personally, I have no idea when this can be expected - you may want to check with your CAM.



Roman Rodichev Wed, 07/20/2011 - 18:08

This is beyond ridiculous guys Are you telling me noone at Cisco bothered to get such an essential software to work with a 10.7 which you would expect EVERYONE would download and install first day after it came out, which is today?

Any(except Lion)Connect?

Steven Glogger Thu, 07/21/2011 - 06:29

for lion I got via twitter:

Cisco AnyConnect (@AnyConnect)

20.07.11 17:52

@mrmouse79 I am not sure what your issue is based on the description, but official support is due out in 3.0.3 (targeted for this week).

Roman Rodichev Mon, 07/25/2011 - 11:31

3.0.3050 was released on Friday with release notes claiming it supports Lion 10.7

I've tested it several times. No, it doesn't work. Same behavior. Did anyone bother to test it before releasing it?

CoreyDotCom Tue, 07/26/2011 - 12:04

I too am now using 3.0.3050 but I'm still unsuccesful at connecting from OSX Lion. 

"AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again."

..and I cannot use the built-in OSX client because we are not given access to our shared secret or group name.

Can someone from Cisco please help??

jdsuhr Wed, 07/27/2011 - 07:03

Same here - 3.0.3050 hasn't fixed the issue in Lion. I get the same error.

Roman Rodichev Wed, 07/27/2011 - 07:27

Got in touch with TAC engineer. He asked to send him "/var/log/system.log" which shows anyconnect connection process. I retested it with three customers. Two of them don't work, and one actually works. The new Windows Anyconnect works on all three. I sent TAC all three tests. One major difference is that the good one uses premium ssl vpn licenses, and the two bad ones use anyconnect essentials. I'll let you know what I hear.

Roman Rodichev Tue, 07/26/2011 - 17:46

I've had a case opened since Monday 1PM. Had engineer ask some question around 6PM and nothing today. I'm requeueing it.

ronbuchalski Wed, 07/27/2011 - 09:25

Can you be more specific regarding the problem?  And when the problem started?

I was having trouble with AnyConnect that began about a week before Lion was released.  I was running with Snow Leopard and AnyConnect Mobile Security Client 3.0.2052.  I started to get 'Certificate Validation Failure' messages.  I ended up setting the ASA certificate to be ALWAYS TRUSTED, as it is a self-generated certificate from the ASA.  The only 'problem/change' from previous operation is that every time I connect via VPN I need to enter my keychain credentials to allow the AnyConnect app to access the keychain.  Even when I chose to ALWAYS TRUST the application, it continues to prompt for the keychain password.

The same ASA client (3.0.2052) is now working with Lion.  I have the 3.0.3050 client downloaded but have not installed it yet.

By the way, there is an issue with 10.7 and Java, where 10.7 does not come with a Java runtime.  See:


KAJ J. NIEMI Wed, 07/27/2011 - 10:22

We too have a self cooked certificate although it is part of a CA chain. The funny thing is authentication works fine but only afterwards are there SSL related errors - after successful authentication when profiles and updates are being attempted to download. We fixed it as follows as one can override the system certificate store.. it's just really obscurely documented.

1. mkdir -p ~/.cisco/certificates/ca

2. cd ~/.cisco/certificates/ca

3. put the public part of the root CA in that directory. The filename can be anything as long as it ends .pem. Obviously the format has to be PEM.

4. AnyConnect 3.0.3050 works now.


ronbuchalski Wed, 07/27/2011 - 12:03

Thank you, Kajtzu, I'll check it out.  Can you provide a pointer to where this is documented?


Roman Rodichev Thu, 07/28/2011 - 20:15

This solution worked. Thank you!

I presume this requirements will be removed in the next version.

KAJ J. NIEMI Thu, 07/28/2011 - 21:21

I wouldn't presume anything .... I'd open a ticket with TAC and insist on at least an EE/DE looking at it.

slawford Fri, 07/29/2011 - 03:17

Hi All,

I am from the TAC and have been looking into a few of these issues.

For those of you that are seeing certificate related errors in /var/log/system.log, could you please send me a private message with the address of your headend, or let me know if you have one or multiple values set under the "Subject Alternate Name" field on your certificate.

I am trying to rule out a pattern I have noticed in a number of cases that I am raising with our development team, and want to make sure that these issues are addressed under



CHARLES FRANCIS Mon, 08/01/2011 - 06:24

Has anyone had any further luck with this? 

We are using a Verisign signed cert and this issue is only with our Lion clients.  We haven't been able to get the prompt to install the client from the webpage using Safari, Firefox or Chrome even though Java was installed/

sandervanloosbroek Mon, 08/01/2011 - 06:30

If you email your headend address to Steve (see the post above yours in this thread) he will confirm to you if your certificate is affected and if 3.0.3 will work for you. They are aware of an issue with some certificates and are working on it.

Correct Answer
slawford Thu, 08/04/2011 - 18:50

Hi All,

Thanks for your private messages. I had noticed the Subject Alternate name pattern in the vast majority of problem cases, which I forwarded to the developers.

Please note that version 3.0.3054 has just been posted to which contains the fix for CSCtr64798.

The updated client can be found here:



mtdotfuji Fri, 08/05/2011 - 17:47

3054 fixed my issues connecting as well. But unfortunately once connected my Macbook Air (2011) now crashes sporadically. Anyone else?

kmccourt Thu, 02/09/2012 - 22:10

There have been several Anyconnect releases with bug fixes since 3.0.3054 and the current version is 3.0.5080. Have you tried any of these?

ronbuchalski Fri, 02/10/2012 - 11:39

We discovered that our issue was not with the AnyConnect client, but in fact was with ASA software 8.4.(2), which contained a bug which broke AnyConnect connectivity from Mac.  Not sure if it was isolated to 10.7 or not.

The ddts for the ASA bug is CSCts80367.  It was resolved in ASA software interim build 8.4.(2.18), and is now available in release 8.4.(3).

We loaded 8.4.(3) onto the ASA, tried to VPN from a Mac using AnyConnect, and it worked!


Dan Schauss Mon, 07/29/2013 - 12:28

So was the fix applied only to 8.4 code? 

We're running 8.2(5)44 on a ASA 5520 and are having no luck with loading the AnyConnect client (anyconnect-macosx-i386-3.1.00495-k9.pkg) on a MAC os X 10.8.  We tried saving the file and loading it manually and then tried the auto config when JAVA was loaded.  Neither approach worked.  We still get the same 'file damaged error' message.  ??


Karsten Iwen Mon, 07/29/2013 - 23:20

You have to *disable* Gatekeeper on your Mac. Then you can install AnyConnect (I had the same Problem with ASDM) and enable Gatekeeper again. Now it will work as usual.

Sent from Cisco Technical Support iPad App

terrancewbennett Tue, 07/30/2013 - 07:35

Hope this helps steps to install the VPN client.

  1. Open up your System Preferences (hit Command+Space, type ‘System Preferences’ and then Enter)

  2. Click ‘Security & Privacy’

  3. Click the lock icon in the lower left, and enter your password

  4. Under ‘Allow applications downloaded from:’, select ‘Anywhere’, and from the popup, click ‘Allow From Anywhere’.

  5. Now install the VPN client.

  6. After you are done, under ‘Allow applications downloaded from:’ select ‘Mac App Store and identified developers’

  7. Close your ‘Security & Privacy’ settings window.


This Discussion

Related Content