Previous 1 2 Next 18 Replies Latest reply: Apr 13, 2010 11:51 PM by Gruene Guy
Gruene Guy Level 1 Level 1 (25 points)
My Mac Pro has been doing some unusual things like one of my saved widgets from Accuweather, shows Cupertino as the city instead of my city of San Antonio, TX. This prompted a comparison of Activity Monitor between my Mac Pro and a 15" MacBook Pro that are both running OS X 10.5.8. Most of the differences in processes that were running were due to different programs loaded on each machine. However, there was one on the Mac Pro that I'm not sure of, and Apple Care support didn't have an answer either, and that is "racoon."

147 racoon root 0.0 1 1.00 MB 586.13 MB Intel




As you see, it is a "root" process that, to me, should be a part of the OS, right? But, this "racoon" process is not on my MBP. Even stranger is, a search of my Mac Pro for 'racoon' shows that it resides on another HD as a ".conf" file in a folder I took from my last G5 in May of 2008. Although I don't recall doing it, I must have transferred my files from that G5 to this Mac Pro.

As for the strange behavior of my Mac Pro not holding some settings, Apple support says the PRAM battery is not the problem, and that this is leaning towards an "Archive and Install" of the OS. So, before I do that, I wanted to post here for a possible explanation as to why "racoon" is on one 10.5.8 machine and not the other, and just what does "racoon" do.

Thanks

GG

Message was edited by: Gruene Guy

Message was edited by: Gruene Guy

Mac Pro, 3.0 Quad, 2GB RAM, Dual Super Drives, Mac OS X (10.5.7), PB 15", PB 17", MBP 15", MBP 17"
  • William Boyd, Jr. Level 6 Level 6 (10,515 points)
    Gruene Guy wrote:
    My Mac Pro has been doing some unusual things like one of my saved widgets from Accuweather, shows Cupertino as the city instead of my city of San Antonio, TX. This prompted a comparison of Activity Monitor between my Mac Pro and a 15" MacBook Pro that are both running OS X 10.5.8. Most of the differences in processes that were running were due to different programs loaded on each machine. However, there was one on the Mac Pro that I'm not sure of, and Apple Care support didn't have an answer either, and that is "racoon."

    147 racoon root 0.0 1 1.00 MB 586.13 MB Intel

    As you see, it is a "root" process that, to me, should be a part of the OS, right? But, this "racoon" process is not on my MBP.


    According to this Web page

    http://developer.apple.com/mac/library/documentation/Darwin/Reference/ManPages/m an8/racoon.8.html

    racoon is a "key management daemon" involving the "SPD (Security Policy Database) in the kernel". It's not running on my MacBook either.
  • Gruene Guy Level 1 Level 1 (25 points)
    William, thanks for quick reply and info. I went to the link and from what I read, this looks like something that might be used when a program crashes and gives the response to send a message to Apple (Report) or ignore, right?


    Gary
  • William Boyd, Jr. Level 6 Level 6 (10,515 points)
    Gruene Guy wrote:
    William, thanks for quick reply and info. I went to the link and from what I read, this looks like something that might be used when a program crashes and gives the response to send a message to Apple (Report) or ignore, right?


    I don't think so. Although the description in that "man" page does spend some text describing racoon's logging behavior, its main function would seem to be "to establish security associations with other hosts. The SPD (Security Policy Database) in the kernel usually triggers racoon."

    Here's a Web page that discusses using racoon with IPSec:

    http://www.unix.com/linux/86125-ipsec-using-racoon-w-kerberos-authentication.htm l
  • Gruene Guy Level 1 Level 1 (25 points)
    OK, I went to the link, but I don't understand what it is that I'm looking at. It seems that this is something for Linux. If that is true, then how did I get it my Mac? Should I be concerned that my system has been, or could be, compromised? Is this spy-ware?


    Just to clarify, I did a search for 'racoon' on my 15" MBP running 10.5.8, and found nothing.

    Gary
  • William Boyd, Jr. Level 6 Level 6 (10,515 points)
    Gruene Guy wrote:
    OK, I went to the link, but I don't understand what it is that I'm looking at. It seems that this is something for Linux. If that is true, then how did I get it my Mac? Should I be concerned that my system has been, or could be, compromised? Is this spy-ware?


    First of all, there doesn't seem to be anything wrong with your computer. Linux and Mac OS X both share a common heritage with Unix. Racoon is a Unix thing, which Mac OS X has inherited. I pointed you to that page in case you wanted to know more about IPSec and racoon. If you don't, just ignore it.

    Just to clarify, I did a search for 'racoon' on my 15" MBP running 10.5.8, and found nothing.


    You probably didn't search enough places. On my Mac OS X 10.5.8 system there's a "racoon" directory in the directory /private/etc . That in turn contains five files, including racoon.conf . The executable file for racoon appears to be in /usr/sbin .

    I have no answer as to what made racoon run on your Mac Pro. If I had to guess, I'd think it was some software that was installed on it or a predecessor system.
  • etresoft Level 7 Level 7 (26,590 points)
    Racoon is part of an open-source VPN client. It is installed on my 10.5.8 machine. It is nothing to worry about.

    Do you have other specific problems that make you want to re-install. It sounds like you just have some corrupt/missing preference files.
  • Gruene Guy Level 1 Level 1 (25 points)
    William, I really, really appreciate your help. Other than being totally lost trying to find "private/etc" and "/usr/sbin" anywhere on my Mac, I guess what has me concerned is that this 'racoon' is a working process that shows in the activity monitor. And, as you've said, on my Mac is a file named "private/etc/racoon.conf." And that file resides on a hardrive that is NOT my startup drive. When I double click that file, AppleWorks 6.x starts and then I see this:



    # $KAME: racoon.conf.in,v 1.17 2001/08/14 12:10:22 sakane Exp $



    # "path" must be placed before it should be used.

    # You can overwrite which you defined, but it should not use due to confusing.

    path include "/etc/racoon" ;

    #include "remote.conf"; ;



    # search this file for presharedkey with various ID key.

    path presharedkey "/etc/racoon/psk.txt"; ;



    # racoon will look for certificate file in the directory,

    # if the certificate/certificate request payload is received.

    path certificate "/etc/cert" ;



    # "log" specifies logging level. It is followed by either "notify", "debug"

    # or "debug2".

    #log debug;



    # "padding" defines some parameter of padding. You should not touch these.

    padding

    {

    maximum_length 20; # maximum padding length.

    randomize off; # enable randomize length.

    strict_check off; # enable strict check.

    exclusive_tail off; # extract last one octet.

    }



    # if no listen directive is specified, racoon will listen to all

    # available interface addresses.

    listen

    {

    #isakmp ::1 [7000];

    #isakmp 202.249.11.124 [500];

    #admin [7002]; # administrative's port by kmpstat.

    #strict_address; # required all addresses must be bound.

    }



    # Specification of default various timer.

    timer

    {

    # These value can be changed per remote node.

    counter 5; # maximum trying count to send.

    interval 20 sec; # maximum interval to resend.

    persend 1; # the number of packets per a send.



    # timer for waiting to complete each phase.

    phase1 30 sec;

    phase2 15 sec;

    }



    remote anonymous

    {

    #exchange_mode main,aggressive;

    exchange_mode aggressive,main;

    doi ipsec_doi;

    situation identity_only;



    #my_identifier address;

    my_identifier user_fqdn "macuser@localhost";

    peers_identifier user_fqdn "macuser@localhost";

    #certificate_type x509 "mycert" "mypriv";



    nonce_size 16;

    lifetime time 1 min; # sec,min,hour

    initial_contact on;

    support_mip6 on;

    proposal_check obey; # obey, strict or claim



    proposal {

    encryption_algorithm 3des;

    hash_algorithm sha1;

    authentication_method presharedkey ;

    dh_group 2 ;

    }

    }



    remote ::1 [8000]

    {

    #exchange_mode main,aggressive;

    exchange_mode aggressive,main;

    doi ipsec_doi;

    situation identity_only;



    my_identifier user_fqdn "macuser@localhost";

    peers_identifier user_fqdn "macuser@localhost";

    #certificate_type x509 "mycert" "mypriv";



    nonce_size 16;

    lifetime time 1 min; # sec,min,hour



    proposal {

    encryption_algorithm 3des;

    hash_algorithm sha1;

    authentication_method presharedkey ;

    dh_group 2 ;

    }

    }



    sainfo anonymous

    {

    pfs_group 1;

    lifetime time 30 sec;

    encryption_algorithm 3des ;

    authentication_algorithm hmac_sha1;

    compression_algorithm deflate ;

    }



    # sainfo address 203.178.141.209 any address 203.178.141.218 any

    # {

    # pfs_group 1;

    # lifetime time 30 sec;

    # encryption_algorithm des ;

    # authentication_algorithm hmac_md5;

    # compression_algorithm deflate ;

    # }



    sainfo address ::1 icmp6 address ::1 icmp6

    {

    pfs_group 1;

    lifetime time 60 sec;

    encryption_algorithm 3des, cast128, blowfish 448, des ;

    authentication_algorithm hmac_sha1, hmac_md5 ;

    compression_algorithm deflate ;

    }





    Again, this is not on my startup disk, but somehow I have an active process. I know I can stop the process, but how do I stop it and permanently remove it?


    Gary
  • William Boyd, Jr. Level 6 Level 6 (10,515 points)
    Gruene Guy wrote:
    William, I really, really appreciate your help. Other than being totally lost trying to find "private/etc" and "/usr/sbin" anywhere on my Mac, I guess what has me concerned is that this 'racoon' is a working process that shows in the activity monitor. And, as you've said, on my Mac is a file named "private/etc/racoon.conf." And that file resides on a hardrive that is NOT my startup drive.


    I'm guessing that it is on your startup drive. otherwise your computer wouldn't be running it. Those directories aren't normally shown in the Finder, as a typical user has no business working in those directories. I wouldn't recommend that you do anything to disturb those directories until you acquire a lot more expertise.

    To see what's in those directories, use the Finder menu item Go -> Go to Folder . Type "/private/etc" or "/usr/sbin" (with a leading slash but without the quotes on either case), then click the "Go" button.

    I'd guess that "etresoft" may have an idea that your computer (or its predecessor) may have used a VPN client.
  • Gruene Guy Level 1 Level 1 (25 points)
    To clarify etresoft's comment, I would first have to ask, "what is VPN?" I believe it has something to do with a network, usually corporate, and someone from I/T would install or give directions how to setup on the company network. All of my Macs are used personally, in my home. I would like to ask if either of you have had Virtual PC installed on a Mac. I no longer own the G5, but at one time I had installed Virtual PC on at least a G4 PowerBook and I might have copied files from the PowerBook to the G5.


    As far as other problems, yes they do seem minor and could be preference related. They include such things as:
    1) my two AccuWeather widgets might default to Cupertino when I first activate
    Dashboard
    2) my Radar in Motion widget won't hold settings from one start-up to another
    3) EyeTV 3.2 has 'forgotten' how to shade the "eyeTV" section of the controller
    in red when recording
    4) on occasion the startup chime has taken over 10 seconds to sound at startup
    5) hard drives (counting startup volume I have 4) seem to be reading/writing for
    no apparent reason and if I activate Activity Monitor usually it is a
    kernel task that is running



    I've reset PRAM (forgotten how to reset NV-RAM if that is still necessary on Intel Macs), moved pref.panes out and then restarted, but these things continue. Apple support says they don't believe that the PRAM battery is bad, mainly because I haven't seen any date/time changes.

    William, thanks for that info. I finally found it and I've found it on my MBP, thanks to your help. But, it is not running on the MBP. In fact, the created, modified, and opened dates on the MBP show 10/5/07. Strange.

    Anyway, I may just start all over with an archive and install.


    Gary
  • etresoft Level 7 Level 7 (26,590 points)
    Gruene Guy wrote:
    what is VPN?


    A Virtual Private Network. It allows you to establish a connection between your computer and some other network and have your computer "belong" to that network. All data is encrypted while in transit on the Internet. I use a VPN to work from home. My wife uses a different VPN to watch US TV shows from Canada.

    As far as other problems, yes they do seem minor and could be preference related. They include such things as:
    1) my two AccuWeather widgets might default to Cupertino when I first activate
    Dashboard
    2) my Radar in Motion widget won't hold settings from one start-up to another
    3) EyeTV 3.2 has 'forgotten' how to shade the "eyeTV" section of the controller
    in red when recording


    Maybe delete the associated preference files for these widgets and let them create new ones.

    4) on occasion the startup chime has taken over 10 seconds to sound at startup
    5) hard drives (counting startup volume I have 4) seem to be reading/writing for
    no apparent reason and if I activate Activity Monitor usually it is a
    kernel task that is running


    MacOS X is always doing things in the background.

    Anyway, I may just start all over with an archive and install.


    It sounds like most of your problems are just preference files. That can be a problem. If you reinstall the OS and use the automated tools to migrate all your settings, you could wind up re-importing all your old problems. Going from a PPC machine to an Intel is a big step. It might be better to reinstall the OS from scatch, reinstall your applications, and manually copy your old user files back in. Be very careful with the contents of the Library folder in your home directory. It sounds like that is where most of your problems are. When I make a big upgrade, I always start with a fresh Library folder. I keep the old one around (named Library_old) so I can copy specific items out of it as I need them. I find that the only things out of there I really need to save from machine to machine are the Mail folders and preference files, Address Book and Calendar folders and preference files, and keychains. Everything else can be easily re-created.
  • Gruene Guy Level 1 Level 1 (25 points)
    I decided to try Little Snitch, and found out some more interesting stuff. First, Little Snitch gave me a warning for a kernel task, at start-up, that was trying to connect to "IPV-6-ICMP." Second, at shut-down, my Mac Pro was trying to connect to "pm-member.mac.com via port 5354." I've looked at this forum and googled "pm-members.mac.com" and everything seems to indicate this is related to Back To My Mac. That may be, but I don't have that running.


    Oh there is one (actually two) more interesting thing that I found when I ran Activity Monitor on the Mac Pro and that is:

    1) coreaudio (Not Responding)
    2) UserEventAgent (Not Responding)

    And, you guessed it, they are both running on my 15" MBP.

    Gary
  • etresoft Level 7 Level 7 (26,590 points)
    Gruene Guy wrote:
    I decided to try Little Snitch


    Nice program. It is very handy to keep some SPAM e-mail from connecting to some casino site.

    found out some more interesting stuff. First, Little Snitch gave me a warning for a kernel task, at start-up, that was trying to connect to "IPV-6-ICMP." Second, at shut-down, my Mac Pro was trying to connect to "pm-member.mac.com via port 5354." I've looked at this forum and googled "pm-members.mac.com" and everything seems to indicate this is related to Back To My Mac. That may be, but I don't have that running.

    None of that really sounds unusual. I have never had Little Snitch say anything about those connections, but then I keep it set to mostly default options.

    Oh there is one (actually two) more interesting thing that I found when I ran Activity Monitor on the Mac Pro and that is:

    1) coreaudio (Not Responding)
    2) UserEventAgent (Not Responding)


    That doesn't sound good. What is the CPU % of those tasks? If rebooting doesn't clear that up, you have some problem not related to racoon.
  • Gruene Guy Level 1 Level 1 (25 points)
    Etresoft...

    Thanks for the info. Apple Support was also concerned about the two normal functions that weren't responding, too.

    One more thing I'd like to ask, I have an extra external drive and was thinking about using it to put my original OS X (10.4.x) on (the 10.5.x was the $9.95 upgrade disk that Apple offered to qualified purchasers in October of 2007 and I'm not sure if I can use it to 'start from scratch'). That is possible, right? And if so, then I would just use System Preferences to choose which start up disk to boot from. If the answer is 'no you can't do that,' then I could just install the drive in bay 1 and go from there.

    Gary


    p.s.: hope you had a Happy Thanksgiving

    Message was edited by: Gruene Guy
  • etresoft Level 7 Level 7 (26,590 points)
    I've never had one of those "special upgrade" deals, but I think they are all just as good as retail. You can certainly try it for yourself. Can't hurt.
Previous 1 2 Next