Cisco VPN AnyConnect

raghdasi
New Contributor III

Hello There,

I am wondering if there is anyone using Cisco VPN Any-connect 4.9 in macOS Big sur Beta? I installed it but it is giving me error right from start and I can't even launch it. Please see the attached screenshot for the error.
d1f6e03866dc49c18e4fab8c22ceacaa

Any help appreciated. Thanks.

1 ACCEPTED SOLUTION

takayuki
New Contributor III

Has anyone whitelisted the Cisco AnyConnonect 4.9.02028 System Extension (com.cisco.anyconnect.macos.acsockext) from JAMF Pro Configuration Profile successfully?

We attempted to whitelist the Team ID 'DE8Y96K9QP' but the following System Extension warning message is still prompted on macOS 11 Big Sur beta 6.

5db2e7fdb0524d87a8c096d2ff21f55f

View solution in original post

56 REPLIES 56

c_kay
New Contributor III

I had to reboot to get rid of those messages. Might have something todo with kernel
extension loading

raghdasi
New Contributor III

@c.kay thanks for the reply. I tried many time and restarted but the error still appearing. the Kernel extension was my first thought too. :)

taugust_ric
Contributor

Big Sur is only supported on 4.9.02028, released 9/1/20, and it should be using the new System Extensions, rather than Kernel Extensions in that version.

I would do a full uninstall and then a re-install to make sure there aren't any legacy Cisco AnyConnect files anywhere that could be causing the errors...

takayuki
New Contributor III

Has anyone whitelisted the Cisco AnyConnonect 4.9.02028 System Extension (com.cisco.anyconnect.macos.acsockext) from JAMF Pro Configuration Profile successfully?

We attempted to whitelist the Team ID 'DE8Y96K9QP' but the following System Extension warning message is still prompted on macOS 11 Big Sur beta 6.

5db2e7fdb0524d87a8c096d2ff21f55f

MatG
Contributor III

We are seeing very high CPU load with the Big Sur version of Cisco AnyConnect, look for vpnagentd in Activity Monitor. Even with the app closed and no VPN conenction its sitting at 70%

raghdasi
New Contributor III

@takayuki Thanks. it worked perfectly fine. I created system extension with the values you suggested and deployed it to my test computer and it is working fine.

ImAMacGuy
Valued Contributor II

I didn't have that updated kext approval (thanks @takayuki), but I'm seeing 4.9 cut off all traffic after about 15 seconds and then rebooting my device with a KP when disconnecting.

sukharev
New Contributor

Where can I download Cisco AnyConnonect 4.9.02028? there is no access to the offsite. (

kgam
Contributor

@sukharev I believe you'll need a registered login to the customer downloads section of Cisco's web site.

iJake
Valued Contributor

4.9.03047 was released today FYI. No longer has an issue where the KEXT would get loaded on systems that don’t need it.

If you can’t access the downloads site yourself you’ll need to speak with whomever at your company has access. It is not publicly accessible.

1729patrick
New Contributor

@iJake can you share the .pkg to 4.9.03047 version for us, please?

iJake
Valued Contributor

@1729patrick You can send an email to ask-anyconnect@cisco.com to see if the beta is still open otherwise you'll need to get it from someone at your company that has access to the Cisco downloads portal. I cannot share the file.

engh
New Contributor III

@raghdasi @takayuki I see this was "Solved" but I don't actually see any solution here and the post that was marked solved is just a question if anyone was able to get it to work.

We currently have 4.9.01095 deployed and I have run into the same issue as the OP when testing on BS. As suggested, this version may not be fully supported but it does work on systems where AnyConnect was installed prior to updating to BS. New installs, however, are coming up with the error about being unable to create the DNS plugin.

To add to this, we had an instance of someone who was running on 10.15.5 run into the same problem. If anyone has managed to fix this, I would really love some insight into how you got around this.

Thanks!

-Dan

takayuki
New Contributor III

Hi @engh

The solution is documented by Cisco here. See the following section:

3.2 Extension Approval using MDM

The 'WebContentFilter' payload may not be supported yet by your JAMF Pro version. Contact JAMF Support for confirmation.

jwaltonen
New Contributor III

We are running Jamf Pro 10.25.0. I uploaded and deployed the sample profile from the end of the cisco document but the system extension does not get loaded in big sur beta 11.0.1, and as one would expect the user still gets prompts to approve the system extension. So whats the deal ? Has anyone got the Cisco Anyconnect system extension profile working in Big Sur beta ?

kgam
Contributor

I haven't tried the sample profile but got the system extension approved using the following profile:
a3f09ef237ed49f4a4aca9fd804b33e0

jwaltonen
New Contributor III

@kgam Curious.
Thats the first thing I tried. Along with a couple other variants of the built in System Extensions payload. None of it worked for me.
Thats all you did ? Nothing with the WebContentFilter payload referenced in the Cisco doc ?
systemextensionsctl list, reports your cisco extension is loaded ?

kgam
Contributor

At first I had an additional entry which only allowed the team identifier but read somewhere that it may not be necessary so now I only have the one entry to allow the "com.cisco.anyconnect.macos.acsockext" extension which seems to work as I'm no longer prompted to allow the extension and 'systemextensionsctl list' shows the extension as enabled and active:

enabled active teamID bundleID (version) name [state]
DE8Y96K9QP com.cisco.anyconnect.macos.acsockext (4.9.03047/4.9.03047) Cisco AnyConnect Socket Filter Extension [activated enabled]

But yes I also had to create a configuration profile for the WebContentFilter payload. I used ProfileCreator and the .mobileconfig file gets created correctly but I'm having some problems signing the profile.

I used this guide: https://www.macblog.org/post/signing-configuration-profiles/

The finished configuration profile works but it's signed using a wong certificate so I'll have to look into that.

wolftech
New Contributor III

OK, so I can get the System Extension working by duplicating the image above. But I've still not found a solution for the WebContentFilter requirement....

Has anyone a workaround since this payload isn't supported by JAMF?

wolftech
New Contributor III

@kgam, can you share the config profile that you're using?

roger_crawford
New Contributor II

Seems like a lot of people going to a lot of workarounds for lack of just using the correct software. AnyConnect (and Umbrella) are fully supported from 4.9.03047 and above. I'll add that there's a CVE where every version other than 4.9.03047 has a major vulnerability that was released last week, so y'all are working hard to get a security hole installed. https://www.cisco.com/c/en/us/support/security/anyconnect-secure-mobility-client/products-security-advisories-list.html

kgam
Contributor

@wolftech I used the sample MDM Configuration Profile found at the end of this PDF file:
https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/upgrade/AnyConnect_macOS_BigSur_Advisory.pdf

Saved it as 'AnyConnect.mobileconfig' and signed it using the procedure outlined here:
https://www.macblog.org/post/signing-configuration-profiles/

Go to the section: "Signing Profiles for Trust Only by Jamf-enrolled Clients"

Due to a possible bug in Catalina I ended up using the following command to sign the certificate:

/usr/bin/security cms -S -Z 9CCE397F5491E9C6D70D305D0922687AAC2EA379 -i "AnyConnect.mobileconfig" -o "AnyConnect-signed.mobileconfig"

where the "-Z" value is "Subject Key Identifier" from the self-signed certificate in Keychain.app without <spaces> with the certificate set to "Use System Defaults" under "Trust".

You can also use "openssl x509 -in <.pem file> -noout -text" on the downloaded .pem file from Jamf Pro's 'Create Certificate from CSR'

After the .mobileconfig file had been signed I could upload it to Jamf Pro and scope it.

a_feliciano
New Contributor II

I was able to get it working following the documentation provided by Cisco here.

1) I made sure that the System Extension payload had both the bundleID and the type.

d59e1a082bb34783b9b3077568b313c0

2) Since Jamf doesn't have the WebContentFilter payload yet, I was able to strip away the Kernel and System Extension attributes from the Sample Configuration Profile (#5 in the Cisco documentation). Leaving just the dictionary that shows the settings for the content filter and upload that as a Custom Setting within the same config profile. I gave it the same name as the PayloadType attribute inside the plist.

All looks good for me. Hope that helps.

holger_netterby
New Contributor III

@a.feliciano

Thank you for your post here!

I have done the same as you describe and I get the network extension to work without a problem but I do have to restart before the WebContentFilter payload kicks in and the dialog "Cisco AnyConnect Socket Filter Would Like to Filter Network Content" don't show anymore and the additional items are visible in System Preferences -> Network

I´m not loading Kernel Extension (verified with "kextstat") and the "systemextensionsctl list" gives the correct answer for System Extensions from Cisco being [activated enabled]

Do you see the same behaviour?

jwaltonen
New Contributor III

The sample profile at the end of the cisco doc starting working when I got the 4.9.04043 installer. FYI

cingalls
New Contributor II

@jwaltonen How did you download the mobileconfig from the Cisco doc?
Just curious on the easiest method to get it uploaded into Jamf

dmorgan_ISC
New Contributor II

@a.feliciano It is not working for me with just the system extensions (in Catalina), so i assume you need the webcontenfilter part also. I am not sure what to strip out of the mobileconfig - can you please expand?
@jwalton I am also trying to use the mobileconfig from the doc, but using the whole mobileconfig fails to save for some unknown reason:

[HTMLResponse ] - An unhandled exception occurred during a save operation
java.lang.NullPointerException

any ideas anyone?

kgam
Contributor

@cingalls See my post earlier from 11/14/2020. You can copy/paste the content of the sample mobile config into a text file and call it e.g. "AnyConnect.mobileconfig". After you have signed it and uploaded it to Jamf this will approve both kernel extensions, system extensions and the webcontentfilter. But since Jamf Pro is being updated to 10.26 soon (during the weekend for us) and this version will support the webcontentfilter you could wait for this and then just use the previous mentioned configuration profile to approve the system extensions.

cingalls
New Contributor II

@kgam Thanks. Using your steps & signing the profile allowed me to upload to Jamf Pro w/o seeing exception errors or signing errors, but the content itself is still blank for some reason..

Not a big deal, though, since I just used Jamf Pro's GUI to create the profile & copy the entries manually instead of uploading. That handled the kernel & system extensions successfully. I'll update to 10.26 to handle the webcontentfilter tomorrow.
My other big problem was the order of install. I had to install this config profile before upgrading to AnyConnect 4.9.04043. Trying to push the profile after 4.9.04043 was already installed would not remove the System Prefs prompt for enabling the system extension manually w/ admin rights
b206f46aecac429f9904dab7510caddb

kgam
Contributor

Yes, my profile is empty as well. This is to be expected. I believe it's because the profile is signed in order to protect it from Jamf removing the parts it doesn't support by default.

tcandela
Valued Contributor II

Hi there - does anyone have a completed working Cisco AnyConnect system extension Configuration Profile created for macOS Big Sur? I'm sure this can be done with 1 config profile to apply to a computer.

I'm trying to create one using the AnyConnect_macOS_BigSur_Advisory.pdf that they provide but i'm not sure i'm setting it up correctly.

For macOS prior to Big Sur i have the approved kernel extension with team id that has worked with no issues 10.14/10.15, now with System Extensions for Big Sur i'm prepping for Cisco AnyConnect 4.9.04xxx

I'v included some images of my preliminary System Extenstion settings along with the Cisco information that is in the pdf.

I added the Web Content filter section to the Config Profiiles system configuration settings but I am not sure where to put that data the the Cisco pdf displays.
64d329b366f1488aba1db375192e60c5

bbeb99a64ff14e36b628e43a642c147a

3a48ad69d3b44b93a97d6f45139b684e

kgam
Contributor

@tcandela In order to have both system extensions and the WebContentFilter in the same profile you can put the entire content of the example profile from the Cisco advisory into a signed .mobileconfig file and upload it to Jamf Pro. I did this prior to Jamf Pro v. 10.26 and it worked but since 10.26 now supports the WebContentFilter configuration profile I have switched to this in order to avoid signing the profile.

I'm using the following two configuration profiles:
9108f59007c14e1582082b262686c573

dec9a7fda8a8494ca676a8aea2f25924

tcandela
Valued Contributor II

@kgam - just curious, why can't you put the content filter and the system extension payloads in the same config profile?

you didn't include the 'Allow System Extension Types' ---> 'Network Extension' in your systems extensions payload settings?

is that all 4 keys you need for the Custom Data section of the web content filter?

also, how do you apply your config profiles? to each computer immediately or self service?

thanks

kgam
Contributor

Sorry, I misunderstood your original post. I have one configuration profile for each but there should be nothing wrong as far as I can see with putting them in the same profile. We only use the VPN part of Cisco AnyConnect so it has not been necessary to include the Network Extension payload. You may need to add it if you use more of the modules in AnyConnect.

Yes, those four custom keys has been enough in our case but again we only use VPN.

I'm using a "macOS 11" smart group to automatically deploy the profiles when a Mac is upgraded to Big Sur.

tcandela
Valued Contributor II

@kgam thanks, we only use the VPN part also, none of those other modules get installed. I'll try it all in one config profile.

jgarland
New Contributor III

Here is a link to the supplemental for Big Sur configuration from Cisco Anyconnect
https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/upgrade/AnyConnect_macOS_BigSur_Advisory.pdf

MacJunior
Contributor III

@tcandela Did you managed to put it all in one profile? when I downloaded the sample config profile from Cisco, I noticed the key values are not added so it doesn't work for me yet!

Any advice?

MacJunior
Contributor III

I'm still having issues with deploying that sample profile on M1 Mac running BIg Sur 11.1 ! any thoughts ?

MacJunior
Contributor III

it worked!