NHump99

Q: 10.11.4 update broke native Cisco IPSec VPN

Every mac in my company that upgraded to 10.11.4 is now suffering the same issue with lack of VPN capability:

"The VPN server did not respond. Verify the server address and try reconnecting."

nslookup shows the headend is resolvable by the machine but it will not respond to the vpn request.  Everything worked fine yesterday, the only change in the environment was the update from last night.

In searching the dev forum I see there was a bug specifically around this issue that had been "resolved".  That may not be the complete case.

MacBook Pro with Retina display, OS X El Capitan (10.11.4)

Posted on Mar 22, 2016 2:47 PM

  • by Mperez3100, Level 1 (4 points), Mar 22, 2016 9:32 PM in response to NHump99

    Same problem here!

  • by nickb834, Level 1 (0 points), Mar 23, 2016 1:22 AM in response to NHump99

    Exactly the same here - found this in /var/log/system that describes the issue (IPs redacted)

    Mar 23 08:14:43 Dragunov nesessionmanager[417]: NESMLegacySession[89684807-78F0-4703-AFCC-9BC59DD46665]: Received a start command from SystemUIServer[288]
    Mar 23 08:14:43 Dragunov nesessionmanager[417]: NESMLegacySession[89684807-78F0-4703-AFCC-9BC59DD46665]: status changed to connecting
    Mar 23 08:14:43 Dragunov nesessionmanager[417]: IPSec connecting to server X.X.X.X
    Mar 23 08:14:43 Dragunov nesessionmanager[417]: IPSec Phase1 starting.
    Mar 23 08:14:43 Dragunov racoon[236]: accepted connection on vpn control socket.
    Mar 23 08:14:43 --- last message repeated 1 time ---
    Mar 23 08:14:43 Dragunov racoon[236]: IPSec connecting to server X.X.X.X
    Mar 23 08:14:43 --- last message repeated 1 time ---
    Mar 23 08:14:43 Dragunov racoon[236]: Connecting.
    Mar 23 08:14:43 Dragunov racoon[236]: IPSec Phase 1 started (Initiated by me).
    Mar 23 08:14:43 --- last message repeated 1 time ---
    Mar 23 08:14:43 Dragunov racoon[236]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
    Mar 23 08:14:43 Dragunov racoon[236]: >>>>> phase change status = Phase 1 started by us
    Mar 23 08:14:43 --- last message repeated 1 time ---
    Mar 23 08:14:43 Dragunov racoon[236]: none message must be encrypted, status 0x1461, side 0
    Mar 23 08:14:46 --- last message repeated 1 time ---
    Mar 23 08:14:46 Dragunov racoon[236]: IKE Packet: transmit success. (Phase 1 Retransmit).
    Mar 23 08:14:46 Dragunov racoon[236]: none message must be encrypted, status 0x1461, side 0
    Mar 23 08:14:49 --- last message repeated 1 time ---
    Mar 23 08:14:49 Dragunov racoon[236]: IKE Packet: transmit success. (Phase 1 Retransmit).
    Mar 23 08:14:49 Dragunov racoon[236]: none message must be encrypted, status 0x1461, side 0
    Mar 23 08:14:52 --- last message repeated 1 time ---
    Mar 23 08:14:52 Dragunov racoon[236]: IKE Packet: transmit success. (Phase 1 Retransmit).
    Mar 23 08:14:52 Dragunov racoon[236]: none message must be encrypted, status 0x1461, side 0
    Mar 23 08:14:53 --- last message repeated 1 time ---
    Mar 23 08:14:53 Dragunov nesessionmanager[417]: NESMLegacySession[89684807-78F0-4703-AFCC-9BC59DD46665]: status changed to disconnecting
    Mar 23 08:14:53 Dragunov nesessionmanager[417]: IPSec disconnecting from server X.X.X.X
    Mar 23 08:14:53 Dragunov racoon[236]: IPSec disconnecting from server X.X.X.X
    Mar 23 08:14:53 --- last message repeated 3 times ---
    Mar 23 08:14:53 Dragunov nesessionmanager[417]: NESMLegacySession[89684807-78F0-4703-AFCC-9BC59DD46665]: status changed to disconnected, last stop reason None

    In addition I updated the iOS install on my iPhone 6 - and the exact same vpn with the exact config still works on my iPhone - so it's just OS X 10.11.4 affected.

  • by DiscoStur, Level 1 (0 points), Mar 23, 2016 3:07 AM in response to nickb834

    Hi,

    having exactly the same problem, the 10.11.4 update broke native Cisco VPN connection. Seeing the same errors in my error log as @nickb834 posted!

    Greets

    Kilian

  • by NHump99, Level 1 (2 points), Mar 23, 2016 6:06 AM in response to NHump99

    Looks like we figured it out.

    10.11.4 forces IPsec connections to DF Group 14.  Our VPN was using a lower encryption group.  Once that was changed to a higher level things worked appropriately.

  • by NHump99, Level 1 (2 points), Mar 23, 2016 6:08 AM in response to NHump99

    Mistype in above.  DH Groups, not DF.. need coffee.

  • by DiscoStur, Level 1 (0 points), Mar 23, 2016 8:56 AM in response to NHump99

    Thanks @NHump99

    Changing the DH Group to version 14 solved our problem. Cisco VPN is working again!

  • by Mperez3100, Level 1 (4 points), Mar 23, 2016 11:59 AM in response to NHump99

    Not working for me, I chose all groups and then only 14, but still not working.

  • by cbrister, Level 1 (0 points), Mar 23, 2016 3:03 PM in response to NHump99

    Thanks for the tip @NHump99 - working great after updating DH group!

  • by PHV-FR, Level 1 (4 points), Mar 27, 2016 7:40 AM in response to NHump99

    Thank you, it works for me too, but I had to set dhgrp to 14 also for phase 2.

    So you need to "upgrade" dhgrp to 14 in both phase (1 and 2) configurations.

  • by Mperez3100, Level 1 (4 points), Mar 27, 2016 1:36 PM in response to PHV-FR

    Still didn't work for me. I tried changing phase 1 and 2 with only group 14; probably I have to upgrade my Fortinet firewall 100D, I'm running 5.0 on it.

    Thanks all.

  • by cbrister, Level 1 (0 points), Mar 27, 2016 8:41 PM in response to Mperez3100

    @Mperez3100 - I'm running FortiOS 5.4 on multiple FortiGate 60D units. I only updated phase 1, and it started working for me after that...

  • by jafrancov, Level 1 (4 points), Mar 28, 2016 8:40 PM in response to Mperez3100

    We also have a FG 100D. We kept DH group 2 and added 14 on phase 1; everything works after that, running FortiOS v5.2.6.
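    Pulling together nickb834's log excerpt and the DH-group fixes above, here is an added example (not code from this thread, Apple or Fortinet): a small Python script that classifies a racoon log excerpt for the Phase 1 no-reply signature (message 1 sent, only retransmits, then disconnect) and checks a FortiOS-style phase1 `set dhgrp` line against the group 14 requirement the posts report for 10.11.4. The sample log and config lines are constructed here from the thread (same hostname, PIDs and X.X.X.X placeholder); the `receive success` wording used to spot an inbound IKE packet, the `set dhgrp 14 2` space-separated list syntax and the "client needs group 14 in the gateway's list" rule are assumptions, not anything the thread confirms.

```python
"""Classify a racoon log excerpt and check a gateway's Phase 1 DH-group list.

Added example, not code from the thread. Sample inputs are constructed from
the posts; the comments mark what is assumed.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed from nickb834's excerpt, trimmed to the lines carrying the signal.
SAMPLE_LOG = """\
Mar 23 08:14:43 Dragunov nesessionmanager[417]: IPSec Phase1 starting.
Mar 23 08:14:43 Dragunov racoon[236]: IPSec Phase 1 started (Initiated by me).
Mar 23 08:14:43 Dragunov racoon[236]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
Mar 23 08:14:43 Dragunov racoon[236]: none message must be encrypted, status 0x1461, side 0
Mar 23 08:14:46 --- last message repeated 1 time ---
Mar 23 08:14:46 Dragunov racoon[236]: IKE Packet: transmit success. (Phase 1 Retransmit).
Mar 23 08:14:49 Dragunov racoon[236]: IKE Packet: transmit success. (Phase 1 Retransmit).
Mar 23 08:14:52 Dragunov racoon[236]: IKE Packet: transmit success. (Phase 1 Retransmit).
Mar 23 08:14:53 Dragunov racoon[236]: IPSec disconnecting from server X.X.X.X
"""

REQUIRED_DH_GROUP = 14  # assumption: what the thread reports the 10.11.4 client needs

SYSLOG_RE = re.compile(
    r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


@dataclass
class Phase1Summary:
    started: bool = False      # racoon logged "Phase 1 started"
    mm1_sent: bool = False     # Main-Mode message 1 was transmitted
    retransmits: int = 0       # number of "Phase 1 Retransmit" lines
    reply_seen: bool = False   # an inbound IKE packet was logged (assumed "receive success")
    disconnected: bool = False

    @property
    def verdict(self) -> str:
        if not self.started:
            return "no Phase 1 attempt in this excerpt"
        if self.reply_seen:
            return "gateway answered Phase 1; look for proposal or authentication errors instead"
        if self.mm1_sent and self.retransmits:
            return (f"gateway never answered Main-Mode message 1 after {self.retransmits} "
                    "retransmits: UDP/500 is not reaching it, or it silently dropped a "
                    "proposal it will not accept (in this thread, the DH group)")
        return "inconclusive"


def summarize_phase1(log_text: str) -> Phase1Summary:
    """Walk the excerpt once and record the Phase 1 milestones racoon logs."""
    s = Phase1Summary()
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        # Skips "--- last message repeated N times ---" and nesessionmanager chatter.
        if not m or m["proc"] != "racoon":
            continue
        msg = m["msg"]
        if "Phase 1 started" in msg:
            s.started = True
        elif "Main-Mode message 1" in msg and "transmit success" in msg:
            s.mm1_sent = True
        elif "Phase 1 Retransmit" in msg:
            s.retransmits += 1
        elif "receive success" in msg:
            s.reply_seen = True
        elif "disconnecting from server" in msg:
            s.disconnected = True
    return s


# Constructed FortiOS-style phase1 blocks; the space-separated "set dhgrp 14 2"
# list syntax is an assumption about the FortiGate CLI.
WEAK_PHASE1 = """\
config vpn ipsec phase1-interface
    edit "mac-clients"
        set type dynamic
        set dhgrp 2
    next
end
"""
FIXED_PHASE1 = WEAK_PHASE1.replace("set dhgrp 2", "set dhgrp 14 2")


def dhgrp_from_fortios(config_text: str) -> List[int]:
    """Return the DH groups on the first `set dhgrp` line, in listed order."""
    m = re.search(r"^\s*set dhgrp ([\d ]+?)\s*$", config_text, re.MULTILINE)
    return [int(g) for g in m.group(1).split()] if m else []


def gateway_offers_required_group(groups: List[int]) -> bool:
    """True if the required group is anywhere in the gateway's list; keeping
    group 2 next to 14 for older clients is fine, as jafrancov reports."""
    return REQUIRED_DH_GROUP in groups


if __name__ == "__main__":
    summary = summarize_phase1(SAMPLE_LOG)
    print(f"retransmits={summary.retransmits} reply_seen={summary.reply_seen}")
    print("verdict:", summary.verdict)
    for label, cfg in (("weak", WEAK_PHASE1), ("fixed", FIXED_PHASE1)):
        groups = dhgrp_from_fortios(cfg)
        print(f"{label}: dhgrp={groups} ok={gateway_offers_required_group(groups)}")
```

    Run it against a real /var/log/system.log excerpt by replacing SAMPLE_LOG; the verdict only distinguishes "no reply at all" from "reply received", so a gateway that answers and then fails the proposal needs the later racoon lines read by hand.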

  • by javaHelena, Level 1 (4 points), Apr 21, 2016 6:34 AM in response to jafrancov

    I still have this problem. Any more suggestions on where to look for a solution to this?

    Have updated phase 1 and phase 2 with DH group 14.

    Any other client to try?

  • by JimmyCMPIT, Level 5 (7,491 points), Apr 21, 2016 7:06 AM in response to javaHelena

    The common theme seems to be the Cisco Diffie-Hellman group policies and the versions numbered 1, 3, 5. Apparently these should be avoided due to inadequate security (by way of Cisco forum suggestion), and since you've done that, you may get more Cisco-oriented responses on their forums as to the issue.

    https://supportforums.cisco.com/


    From the strictly Mac OS X standpoint, I would suggest what not to run on your system: this includes all 3rd-party Mac utilities for optimization or network, and any Mac anti-virus solution, as these are known to cause problems. I'd also shut off any firewall to test, and include the Mac OS X built-in VPN as part of that test (provided your VPN server is set up to receive it), and if nothing else works, make sure any device on your local network is not running anything to prevent tunneling. The manufacturer of the device may have a procedure to reset the devices to their defaults; make sure you note your current settings before resetting, as you can screenshot on a Mac using this procedure:

    How to take a screenshot on your Mac - Apple Support


    Outside of that uninstall and reinstall the client in the current account or a new administrative account to test.

    Past that, this appears to be a Cisco issue at this time, at least as far as Apple would see it in their EULA (see section O).