Mar 23, 2016 1:22 AM, in response to NHump99, by nickb834:
Exactly the same here - found this in /var/log/system that describes the issue (IPs redacted)
Mar 23 08:14:43 Dragunov nesessionmanager[417]: NESMLegacySession[89684807-78F0-4703-AFCC-9BC59DD46665]: Received a start command from SystemUIServer[288]
Mar 23 08:14:43 Dragunov nesessionmanager[417]: NESMLegacySession[89684807-78F0-4703-AFCC-9BC59DD46665]: status changed to connecting
Mar 23 08:14:43 Dragunov nesessionmanager[417]: IPSec connecting to server X.X.X.X
Mar 23 08:14:43 Dragunov nesessionmanager[417]: IPSec Phase1 starting.
Mar 23 08:14:43 Dragunov racoon[236]: accepted connection on vpn control socket.
Mar 23 08:14:43 --- last message repeated 1 time ---
Mar 23 08:14:43 Dragunov racoon[236]: IPSec connecting to server X.X.X.X
Mar 23 08:14:43 --- last message repeated 1 time ---
Mar 23 08:14:43 Dragunov racoon[236]: Connecting.
Mar 23 08:14:43 Dragunov racoon[236]: IPSec Phase 1 started (Initiated by me).
Mar 23 08:14:43 --- last message repeated 1 time ---
Mar 23 08:14:43 Dragunov racoon[236]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
Mar 23 08:14:43 Dragunov racoon[236]: >>>>> phase change status = Phase 1 started by us
Mar 23 08:14:43 --- last message repeated 1 time ---
Mar 23 08:14:43 Dragunov racoon[236]: none message must be encrypted, status 0x1461, side 0
Mar 23 08:14:46 --- last message repeated 1 time ---
Mar 23 08:14:46 Dragunov racoon[236]: IKE Packet: transmit success. (Phase 1 Retransmit).
Mar 23 08:14:46 Dragunov racoon[236]: none message must be encrypted, status 0x1461, side 0
Mar 23 08:14:49 --- last message repeated 1 time ---
Mar 23 08:14:49 Dragunov racoon[236]: IKE Packet: transmit success. (Phase 1 Retransmit).
Mar 23 08:14:49 Dragunov racoon[236]: none message must be encrypted, status 0x1461, side 0
Mar 23 08:14:52 --- last message repeated 1 time ---
Mar 23 08:14:52 Dragunov racoon[236]: IKE Packet: transmit success. (Phase 1 Retransmit).
Mar 23 08:14:52 Dragunov racoon[236]: none message must be encrypted, status 0x1461, side 0
Mar 23 08:14:53 --- last message repeated 1 time ---
Mar 23 08:14:53 Dragunov nesessionmanager[417]: NESMLegacySession[:89684807-78F0-4703-AFCC-9BC59DD46665]: status changed to disconnecting
Mar 23 08:14:53 Dragunov nesessionmanager[417]: IPSec disconnecting from server X.X.X.X
Mar 23 08:14:53 Dragunov racoon[236]: IPSec disconnecting from server X.X.X.X
Mar 23 08:14:53 --- last message repeated 3 times ---
Mar 23 08:14:53 Dragunov nesessionmanager[417]: NESMLegacySession[89684807-78F0-4703-AFCC-9BC59DD46665]: status changed to disconnected, last stop reason None
In addition, I updated the iOS install on my iPhone 6, and the exact same VPN with the exact config still works on my iPhone, so it's just OS X 10.11.4 that's affected.
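To make the symptom in the log above mechanically checkable, here is an added Python example (not from this thread, Apple, or Cisco). It parses lines in the syslog format quoted above and classifies the IKE session: Phase 1 started, Main-Mode message 1 sent, retransmitted, and then the session torn down without a single reply. The sample log is constructed from the quoted lines; the "IKE Packet: receive success" and "Phase 1 established" strings are assumed from Apple's racoon output and, as expected, never occur in the failing log.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the racoon/nesessionmanager lines quoted above
# (gateway address redacted as X.X.X.X there as well). The "--- last message
# repeated N times ---" lines are left out; the parser skips them anyway.
SAMPLE_LOG = """\
Mar 23 08:14:43 Dragunov nesessionmanager[417]: IPSec connecting to server X.X.X.X
Mar 23 08:14:43 Dragunov racoon[236]: IPSec Phase 1 started (Initiated by me).
Mar 23 08:14:43 Dragunov racoon[236]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
Mar 23 08:14:43 Dragunov racoon[236]: none message must be encrypted, status 0x1461, side 0
Mar 23 08:14:46 Dragunov racoon[236]: IKE Packet: transmit success. (Phase 1 Retransmit).
Mar 23 08:14:49 Dragunov racoon[236]: IKE Packet: transmit success. (Phase 1 Retransmit).
Mar 23 08:14:52 Dragunov racoon[236]: IKE Packet: transmit success. (Phase 1 Retransmit).
Mar 23 08:14:53 Dragunov nesessionmanager[417]: IPSec disconnecting from server X.X.X.X
Mar 23 08:14:53 Dragunov nesessionmanager[417]: NESMLegacySession[89684807-78F0-4703-AFCC-9BC59DD46665]: status changed to disconnected, last stop reason None
"""

# BSD syslog line: "Mon DD HH:MM:SS host process[pid]: message"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Triage hints per verdict; the DH group remark reflects the fix reported in this thread.
HINTS = {
    "phase1-established": "Phase 1 completed; look at Phase 2 / IPsec SA lines if the tunnel still fails.",
    "phase1-no-response": ("Main-Mode message 1 was sent and retransmitted but nothing came back: check that "
                           "the gateway is reachable on UDP/500, that it accepts the client's Phase 1 proposal "
                           "(this thread's fix was enabling DH group 14 on the gateway), and local firewalls."),
    "phase1-failed-after-reply": "The gateway answered but the exchange did not complete; read the lines after the first reply.",
    "unknown": "No IKE Phase 1 activity recognised in this capture.",
}


def parse_line(line):
    """Return {ts, proc, msg} for a syslog line, or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None  # e.g. "--- last message repeated 1 time ---"
    # The syslog timestamp carries no year; strptime defaults to 1900, which is fine
    # because timestamps are only ever subtracted from others in the same capture.
    ts = datetime.strptime(f"{m['mon']} {int(m['day']):02d} {m['time']}", "%b %d %H:%M:%S")
    return {"ts": ts, "proc": m["proc"], "msg": m["msg"]}


def analyze_ike_session(text):
    """Classify one IKE (racoon) session from a system.log excerpt."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    msgs = [e["msg"] for e in events]

    started = any("Phase 1 started" in m for m in msgs)
    sent = [e for e in events if "IKE Packet: transmit success" in e["msg"]]
    retransmits = sum(1 for e in sent if "Retransmit" in e["msg"])
    # Assumed racoon strings for the success path (not present in the quoted log).
    received = sum(1 for m in msgs if "IKE Packet: receive success" in m)
    established = any("Phase 1 established" in m for m in msgs)
    stop = next((e for e in events if "status changed to disconnected" in e["msg"]), None)

    duration = None
    if sent and stop:
        duration = (stop["ts"] - sent[0]["ts"]).total_seconds()

    if established:
        verdict = "phase1-established"
    elif started and received == 0 and retransmits > 0 and stop:
        verdict = "phase1-no-response"
    elif started and received > 0:
        verdict = "phase1-failed-after-reply"
    else:
        verdict = "unknown"

    return {"verdict": verdict, "retransmits": retransmits, "received": received,
            "seconds_to_disconnect": duration, "hint": HINTS[verdict]}


if __name__ == "__main__":
    result = analyze_ike_session(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against a real excerpt by piping `grep -E 'racoon|nesessionmanager' /var/log/system.log` into `analyze_ike_session`; the verdict distinguishes "no reply at all" (reachability or rejected proposal) from "reply received but negotiation failed", which is the first question to settle before touching gateway settings.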
-
Mar 23, 2016 3:07 AM, in response to nickb834, by DiscoStur:
Hi,
having exactly the same problem: the 10.11.4 update broke the native Cisco VPN connection. Seeing the same errors in my error log as @nickb834 posted!
Greets
Kilian
-
Mar 23, 2016 6:06 AM, in response to NHump99, by NHump99:
Looks like we figured it out.
10.11.4 forces IPsec connections to DF Group 14. Our VPN was using a lower encryption group. Once that was changed to a higher level, things worked appropriately.
-
Mar 23, 2016 6:08 AM, in response to NHump99, by NHump99:
Mistype in above. DH Groups, not DF... need coffee.
-
Mar 23, 2016 8:56 AM, in response to NHump99, by DiscoStur:
Thanks @NHump99
Changing the DH Group to version 14 solved our problem. Cisco VPN is working again!
-
Mar 23, 2016 11:59 AM, in response to NHump99, by Mperez3100:
Not working for me. I chose all groups, and then only 14, but it's still not working.
-
Mar 23, 2016 3:03 PM, in response to NHump99, by cbrister:
Thanks for the tip @NHump99 - working great after updating the DH group!
-
Mar 27, 2016 7:40 AM, in response to NHump99, by PHV-FR:
Thank you, it works for me too, but I had to set dhgrp to 14 also for phase 2.
So you need to "upgrade" dhgrp to 14 in both phase (1 and 2) configurations.
-
Mar 27, 2016 1:36 PM, in response to PHV-FR, by Mperez3100:
Still didn't work for me. I tried changing phase 1 and 2 with only group 14; probably I have to upgrade my Fortinet firewall 100D, I'm running the 5.0 system on it.
Thanks all.
-
Mar 27, 2016 8:41 PM, in response to Mperez3100, by cbrister:
@Mperez3100 - I'm running FortiOS 5.4 on multiple FortiGate 60D units. I only updated phase 1, and it started working for me after that...
-
Mar 28, 2016 8:40 PM, in response to Mperez3100, by jafrancov:
We also have a FG 100D; we kept DH group 2 and added 14 on phase 1, and everything works after that, running v5.2.6 FOS.
-
Apr 21, 2016 6:34 AM, in response to jafrancov, by javaHelena:
I still have this problem. Any more suggestions on where to look for a solution to this?
I have updated phase 1 and phase 2 with DH group 14.
Any other client to try?
-
Apr 21, 2016 7:06 AM, in response to javaHelena, by JimmyCMPIT:
The common theme seems to be the Cisco Diffie-Hellman group policies and the versions numbered 1, 3, 5. Apparently these should be avoided due to inadequate security (by way of a Cisco forum suggestion). As you've done that, you may get more Cisco-oriented responses on their forums as to the issue.
https://supportforums.cisco.com/
From the strictly Mac OS X standpoint, I would suggest what not to run on your system: this includes all 3rd-party Mac utilities for optimization or network, and any Mac anti-virus solution, as these are known to cause problems. I'd also shut off any firewall to test, and include the Mac OS X built-in VPN as part of that test (provided your VPN server is set up to receive it), and if nothing else works, make sure any device on your local network is not running anything to prevent tunneling. The manufacturer of the device may have a procedure to reset the devices to their defaults; make sure you note your current settings before resetting, as you can screenshot on a Mac using this procedure:
How to take a screenshot on your Mac - Apple Support
Outside of that, uninstall and reinstall the client in the current account or a new administrative account to test.
Past that, this appears to be a Cisco issue at this time, at least as far as Apple would see it in their EULA (see section O).