Posted on 04-09-2019 07:32 AM
Hi,
We implemented Cisco AnyConnect "Always On" on all Windows clients and Macs. I noticed that we have a couple of users who are not on Mojave yet, so I want to upgrade their Macs ASAP, but after downloading/installing, the Macs need to restart, and Cisco AnyConnect is blocking it, see picture. Have you seen this before?
br
Ben
Posted on 08-08-2019 05:30 AM
Hello BenIdrissi,
I don't think I have a solution for your issue, though my first thought would be to disconnect network interfaces...
I was actually wondering how you managed to put Always On in place! I really do need a hand...
Cheers
Posted on 08-08-2019 06:49 AM
"Always On" is a bit of a nightmare, particularly for people behind captive portals (like hotels and the lot). The error might be happening because either the User-Accepted Kernel Extensions do not include Cisco, or there is a nag in Cisco on Mojave warning that the "ciscod" process is 32-bit, which can be safely ignored in Mojave. Hopefully Cisco updates that binary in time for Catalina.
You might need to set AnyConnect to "Fail-Open", but your security folks will probably not like that.
Posted on 08-08-2019 07:52 AM
You could try killing AnyConnect (and its processes) with a script that runs in your upgrade policy.
We have a connection monitor script that restarts everything if the network is connected but the system can't reach internal DNS.
Since the Secure Mobility Client fires back up so quickly, you may need to put the checkForProcess function in a loop, but here's a chunk of our script showing the process kill logic.
#!/bin/bash
logfile="/var/log/AOVPN_Monitor.log"
log () {
    echo "$1"
    echo "$(date "+%Y-%m-%d %H:%M:%S: ") $1" >> "$logfile"
}
checkForProcess(){
    # Process names to look for; the full client name contains spaces, so every expansion below stays quoted
    declare -a StringArray=("vpndownloader" "vpn" "vpnagentd" "Cisco AnyConnect Secure Mobility Client")
    reset=0
    for val in "${StringArray[@]}"; do
        log "$val"
        # Look for a root-owned instance; drop the grep itself so it cannot match its own command line
        processname=$(ps aux | grep -F -- "$val" | grep -v grep | grep root)
        if [ -z "$processname" ]
        then
            echo "$processname is empty. $val not present."
            log "$processname is empty. $val not present. value: $processname"
        else
            echo "$processname is NOT empty. $val found"
            log "$processname $val found. value: $processname"
            if [[ "$val" == *.sh* ]]; then
                log "Found VPN monitor script. Moving to next process."
            else
                log "$processname $val going down. killall -kill $val"
                killall -kill "$val"
            fi
        fi
        reset=$((reset+1))
    done
}
checkForProcess
Posted on 08-08-2019 08:43 AM
It's been a while now since I used it, but if I recall correctly, there is a LaunchAgent, or perhaps a few, that get installed that manage the Always On part of Cisco AnyConnect. I would dig around inside /Library/LaunchAgents/ for Cisco LaunchAgents and see. I believe one of them keeps the process running all the time, or more accurately, fires it up immediately after it's shut down, when those agents are active.
If I'm right, you'll need to script something to disable those LaunchAgents. Since they are "agents" and not "daemons", it means they run as the current user and must be disabled as the user, not as root.
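One way to script the LaunchAgent step described above, as an added example that is not from any poster in this thread. It assumes the agents live in /Library/LaunchAgents and that their labels start with "com.cisco." (the pattern is a guess, so check the real file names on a test Mac), and it unloads them from the console user's GUI launchd domain so that a root-run policy still acts on the user's session rather than on root's:

```shell
#!/bin/bash
# Added example: unload per-user LaunchAgents that relaunch the AnyConnect GUI.
# Assumptions (not from the thread): agents live in AGENT_DIR and match AGENT_PATTERN.

AGENT_DIR="/Library/LaunchAgents"
AGENT_PATTERN="com.cisco.*"   # assumed label prefix; verify on a test Mac

# List matching agent plists in a directory, one path per line.
find_vpn_agents() {
    local dir="$1"
    find "$dir" -maxdepth 1 -type f -name "${AGENT_PATTERN}.plist" 2>/dev/null | sort
}

# Number of matching agents, handy for a pre-check in a policy log.
count_vpn_agents() {
    find_vpn_agents "$1" | grep -c .
}

# Short name of the user logged in at the console (empty if nobody is).
console_user() {
    stat -f %Su /dev/console 2>/dev/null
}

# Unload each agent from the console user's GUI domain (gui/<uid>), not root's.
# This only stops the relauncher for the current session; it does not remove the plists.
disable_vpn_agents() {
    local user uid plist
    user=$(console_user)
    if [ -z "$user" ] || [ "$user" = "root" ]; then
        echo "No console user logged in; nothing to unload." >&2
        return 1
    fi
    uid=$(id -u "$user")
    find_vpn_agents "$AGENT_DIR" | while IFS= read -r plist; do
        echo "Unloading $plist from gui/$uid ($user)"
        launchctl bootout "gui/$uid" "$plist"
    done
}

# Only act when explicitly asked, so sourcing the file is side-effect free.
if [ "${1:-}" = "--run" ]; then
    disable_vpn_agents
fi
```

Run it with --run from the upgrade policy before the restart step; without the flag it just defines the functions.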
Posted on 08-09-2019 11:34 AM
Hey, BenIdrissi
I also have to get Automagical "Always On" VPN enabled on my Macs too. Can you provide an overview how you accomplished this? Thx