Internet issues on Monterey

This is an issue with Intel-based Macbook Pros running Monterey 12.1 and AnyConnect Client 4.9+  It appears AnyConnect Client 4.8.00175 is extremely stable on Monterey 12.1. I installed it yesterday and confirmed stats on UDP protocol remains below 100 at all times using command 

netstat -anxv -p udp | wc -l

With newer versions of AnyConnect client 4.9+, stats exceed 150,000.  Please uninstall your current version of AnyConnect client on your Macbook Pro with Monterey 12.1 and install 4.8.00175

The update to Monterey 12.2 seems to have fixed the issue with DNS stopping working after a time. I've been running netstat -anxv -p udp | wc -l after applying the update and instead of it counting up and up and up till DNS stops working. The number has been going up and down staying under 100 vs counting up to 30K+. It seems like something is cleaning up old UDP sessions.

In short upgrade to 12.2

Here's a blurb on it from Cisco AnyConnect client release notes:

DNS (Name Resolution) on macOS 12.x May Fail

Those running AnyConnect on macOS 12.x may experience a loss of DNS (name resolution), requiring a reboot for restoration. The cause has been identified as a macOS bug, which is being addressed in macOS 12.3 (FB9803355). Upon upgrade to macOS 12.3, the issue will no longer occur.

Taken from here:

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/release/notes/release-notes-anyconnect-4-10.html#Cisco_Reference.dita_a0e4aed2-99c2-4189-a6ae-bd740e706c98

Ok everyone. I've devoted a massive amount of time and resources on this issue and wanted to share our findings.

1) Apple's Cross-Platform Engineering team is aware of this issue, and has been struggling on nailing it down as it manifests slightly differently for each customer.

2) We have validated this issue exists on Big Sur, Monterey, and Ventura

3) Our findings indicate that the main cause of the "locked" ports is network drive mappings utilizing SMB

a) We have validated this on a fresh out of the box Mac, no security agents, socket filters, or MDM installed. ONLY Active Directory joined and mapped network drives. We have uploaded all data to Apple.

b) Mapping network drives instantly will start creating these locked ports

4) Creating a nsmb.conf file, and using that to change SMB mount behavior from hard mounts to soft mounts eliminates any locked port creation. We are in process of validating this on a build with the full load of security agents and socket filters. First 18 hours of testing is showing zero locked ports. I've included the script we are deploying via JAMF to create this config file at the bottom of this reply.

Hopefully this info helps others who are also struggling. To be clear, the changes I outlined are not a true fix, as the underlying root cause is in Apple's hands at this point. However, it does eliminate the symptoms and prevent the network disconnect issues from occurring.

Script to create the nsmb.conf file

#!/bin/zsh

cat << 'EOF' > /etc/nsmb.conf

[default]

soft=yes

EOF

chown root:wheel /etc/nsmb.conf

chmod 744 /etc/nsmb.conf

There seems to be an issue between macOS Monterey and some other 3rd Party applications, in our case Cisco's 'AnyConnect Client'. macOS opens UDP sockets to serve its mDNS process as a normal operation behaviour, and for some reason, Cisco AnyConnect presence prevents the macOS to close down those unused sockets. Give it enough time, eventually, macOS runs out of sockets and cannot open a new one for a simple operation like a DNS query. That's why you see a DNS request fails, and that's why a reboot fixes the issue. We are talking with our vendor (Cisco) and they have an open conversation with Apple's team. I hope they can figure it out soon.

I have been seeing this same issue, and to work around it I went into System Preferences -> Network and selected Cisco AnyConnect Socket Filter in the left hand pane (there are actually two instances of the Cisco AnyConnect Socket Filter and I chose the one that had a description of Please use “Cisco AnyConnect Socket Filter” to control this DNS proxy configuration). Then click the options pull down menu (the button that has three dots and a down arrow) and chose Make Service Inactive) then click the Apply button. After that, DNS service was restored. Will continue to monitor for reoccurrence.

I can confirm this is the correct explanation.

The number of sockets in use can be monitored using Terminal: netstat -an | grep -e tcp -e udp | wc -l

Over the course of several hours and days, the reported number will gradually creep up until it reaches the default system limit of 16383, at which point a reboot is needed. In my case, the application that keeps opening all these sockets is com.cisco.anyconnect.macos.acsockext, which is the "Cisco AnyConnect Socket Filter Extension" that creates a new UDP socket for every DNS query originating from the systeem. Other applications may be culprits as well.

As you mentioned, the bug is not that AnyConnect creates these sockets, but rather that Monterey does not time these UDP sockets out after they have been used, which should typically be the case after 2 minutes (IIRC) inactivity. As a result, these old sockets keep lingering while new sockets continue to be created until eventually the resource is exhausted and a reboot is required. Monterey 12.1 does not yet fix this problem.

Do you have a Cisco bug number for this?

Hey, I also came to the same conclusion, for the people running/using Cisco AnyConnect that is the case, perhaps others that don't have AnyConnect but still are seeing this issue, then it should be another application with similar behaviour that causes the issue. We've been advised by Cisco that this is not Cisco AnyConnect bug/issue but macos. They have filed a bug report to Apple under FB9803355 bug. So far I've tested it with different Cisco AnyConnect versions but it is the same case even with the latest update 4.10.04071.

Adding to my own and others' earlier posts...

My employer also pushes a regular patch to Cisco AnyConnect about every day or two and this adds in the second instance of "Cisco AnyConnect Socket Filter" in the Network Preferences column on the right side of the panel. Effectively, this breaks DNS and connectivity. A simple removal of this restores connectivity and I go back to the same time interval of a day or two of unfettered connectivity, then cycle repeats. I have observed this for the last week.

Better situation, but still not completely fixed. It appears Cisco has opened a case with Apple and we can only hope that this is addressed in an update soon. FWIW, I updated to the latest version of AnyConnect from my work.

I'll repost if there are any material changes to the situation and appreciate others' comments very much!

-FightingIbis

While my previous 2 answers are not wrong, I still encountered the same problem. And again I did 'solve' it:

I am using somewhat outdated (latest firmware update: 2018) power line adapters (TP-link TL-WPA8630P V2) to connect from one room to the next.

When I encounter the problem I also notice the power line icon on my power line adapter is off. If I remove both power line adapters from the power socket and put them back in after a few moments all connectivity is restored.

Only while using Ethernet did I have a problem connecting this morning, when turning on WiFi everything worked as expected.

macOS 12.2 is out now, you may go ahead and upgrade. It seems Apple has resolved the bug on this release. I've done some tests, and it seems the behavior with Cisco AnyConnect also has changed and UDP sockets are no longer the problem.

I had the same error was able to mitigate for 10 minutes at a time by running

-sudo dscacheutil -flushcache;sudo killall -HUP mDNSResponder

It looks like the culprit was ipv6, after i disabled it completely my DNS issues stopped.

in terminal run:

networksetup -setv6off Wi-FI

or for cabled connection

networksetup -setv6off Ethernet

Just wondering if other people facing this problem on 12.2.1 have any kind of network filter installed? I have found that Cisco Anyconnect Socket Filter DNS proxy is what seems to cause me problems. I need to disable that in the System Preferences->Network panel (Set Service Inactive, Apply).

I have this issue with multiple users. The only thing that seems to fix it is to change the DNS to CloudFlare (1.1.1.1 and 1.0.0.1). Not ideal for my work environment but is a bandaid till Apple fixes the issue. We notice it on 12.3 and 12.3.1 Monterey and mainly on M processor machines. It could be happening on Intel machines but we have not seen reports of it yet.

Do any of you all have Cisco Anyconnect VPN on your machine? If so remove it. That solved the issues I was seeing with my customers. It's not a fix, especially if you need to use Cisco VPN, it's more of a bandaid. Just having the program on your machine will add Socket Filters to your network settings. One of them says it controls the DNS proxy config (see image). You can delete that socket filter and the network will work again once you restart the programs using the internet or better yet restart the computer. Once you connect to the VPN again that socket filter will be added back so you will need to remember to delete it again. Again not a fix but a solution for not deleting Cisco Anyconnect but still being about to use the internet. I would assuming this is a DNS issue. The customers I have worked with are connected to the internet but cannot connect to sites or resources. That is typical of a DNS issue. Anyway hope that helps some of you.