74 Replies Latest reply: Feb 16, 2016 12:03 PM by FJS_NY
  • Fotos Georgiadis Level 1

    Haven't checked it on Mountain Lion yet. Pity Apple hasn't fixed it. Glad some people report that the workaround still works though! Thanks Ripxmax2000.

  • Fotos Georgiadis Level 1

    I filed bug ID# 12449876 in Apple's Radar (bug reporting system) for this issue. Perhaps if a lot of us do the same and refer to this bug ID (12449876) and this thread, Apple might give it some attention and fix it in a nice and clean / native way.

  • dscott8201 Level 1



    After reading this, I am happy that I am not insane. It is VPN device independent. I am using the built-in client on 10.6.8 and connecting to Fortinet devices. iPhones and iPads work fine; iMacs drop around the 45-minute mark. I have a distributed setup, so I am going to try that automated patch and let you know.


    I would seriously like Apple to fix this natively.

  • amsoares Level 1



    Any news about this? I have a customer complaining about the same problem. He was using Cisco IPsec, but the connection to the protected networks was lost after a few hours of uptime. Then he moved to L2TP/IPsec, but now he has the 45-minute problem discussed here. Can you show us what is in the bug you opened?



  • Fotos Georgiadis Level 1

    Hey amsoares,


    my bug report was marked as a duplicate of #11871577 which is still Open. So Apple certainly knows about it. The question is when / whether they will do anything about it.


    Allegedly, internally Apple prioritizes bugs based on the buzz they generate on Radar. So if you want to help out and you are a developer or have a developer Apple ID handy, log in to the bug reporter and create a new bug report, preferably referencing either my bug # or the one above.


    My bug report was:


    07-Oct-2012 07:16 PM Fotos Georgiadis:



    The built-in IPsec VPN drops connection with the message "IPSec Controller: XAuth reauthentication dialog required, so connection aborted". Since the most common Cisco configuration out there is to have an IKE rekey attempt every 45 or so minutes, this makes remote work cumbersome.


    Steps to Reproduce:

    1. Create an IPsec VPN connection to a Cisco endpoint (through System Preferences).

    2. The security-association lifetime and policy on the Cisco should be small enough (3 minutes for triggering the problem). The default is 45 to 60 minutes.

    3. Connect to the VPN

    4. Watch as the lifetime of the connection passes by:

        $ sudo racoonctl ss ipsec

    5. When the time ends the connection will be dropped and the message "IPSec Controller: XAuth reauthentication dialog required, so connection aborted" will be printed in the console.


    Unfortunately I don't have access to the precise Cisco configuration that will trigger the issue. But as you can also see in the thread mentioned below it's a common occurrence and other people might be able to provide a detailed configuration.


    Expected Results:

    The connection should stay up, or at least provide a dialog asking for credentials (again).


    Actual Results:

    The connection drops.




    Much more info (and a workaround) provided on this thread:


    Detailed explanation tracing the issue in the source code:




    Hope you manage to solve your issue. Didn't my suggested workaround work for your client?

  • amsoares Level 1



    Thank you very much for your answer. I think the customer tried the workaround you found without success, but I will check that again. In this case, I am the Cisco guy. I opened a case with Cisco and they say the problem is on the Apple side and that they cannot do anything. They have a bug as well, but it's marked as closed:

    CSCsh67528 Bug Details

    L2TP/IPsec OSX client disconnection after 45 minutes when NAT-T is in use

    L2TP/IPsec OSX client disconnects after 45 minutes

    If NAT is in the middle and NAT-T is negotiated.

    Use the latest Mac OS client (10.7.3) and the ASA version above, or 8.4.3.

    Further Problem Description:
    The OSX side fails to rekey the Phase 1 as initiated by the ASA

    The workaround they mention is not valid either.



  • mckinasole Level 1

    I have a script that will fix this. If you're interested let me know and I'll send it to you.

  • mckinasole Level 1






    #!/bin/bash
    # Workaround script as posted by mckinasole. The forum paste dropped the
    # function braces, the then/fi keywords, the two variable definitions and
    # the launchd job label on the launchctl lines; they are restored here.
    EXPECTED_ARGS=1
    E_BADARGS=65
    # Assumption: the label was missing from the posted lines. This is the
    # launchd job of the system racoon daemon on OS X of that era.
    RACOON_LABEL="com.apple.racoon"

    printHelp ()
    {
         echo -e "\tPurpose: For fixing and unfixing your vpn connections"
         echo -e "\tUsage: sudo `basename $0` [options]\n"
         echo -e "\tOptions"
         echo -e "\tprep\t - fixes racoon.conf. Run only once!!!"
         echo -e "\t\t this adds --> include \"/etc/racoon/remote/*.conf\" to /etc/racoon/racoon.conf \n"
         echo -e "\tunprep\t - unfixes racoon.conf."
         echo -e "\t\t this removes --> include \"/etc/racoon/remote/*.conf\" from /etc/racoon/racoon.conf \n"
         echo -e "\tfix\t - run after you login to the vpn. This will disconnect you!"
         echo -e "\t\t This will change the lifetime to 168 hours in the IP.conf file\n"
         echo -e "\tunfix\t - run after you're done with the vpn."
         echo -e "\t\t Do this if you need to connect to another location or you can't connect to the vpn.\n"
    }

    if [ $# -lt $EXPECTED_ARGS ]
    then
        printHelp
        exit $E_BADARGS
    fi

    if [ "$1" = prep ]
    then
        # racoon.conf gets an extra include so the per-connection configs moved
        # out of /var/run/racoon keep being read once the live include is disabled.
        mkdir -p /etc/racoon/remote
        echo -e "creating directory /etc/racoon/remote \n"
        cp -a /etc/racoon/racoon.conf /etc/racoon/racoon.conf.orig
        echo -e "backing up /etc/racoon/racoon.conf to /etc/racoon/racoon.conf.orig\n"
        echo 'include "/etc/racoon/remote/*.conf" ;' >> /etc/racoon/racoon.conf
        echo -e 'adding this line --> include "/etc/racoon/remote/*.conf" ; <-- to end of /etc/racoon/racoon.conf\n'
    fi

    if [ "$1" = unprep ]
    then
        rm -rf /etc/racoon/remote
        echo -e "removing directory /etc/racoon/remote \n"
        # BSD sed (OS X) takes a backup suffix after -i; pass an empty one so
        # "-e" is not used as the suffix and no racoon.conf-e file is left behind.
        sed -i '' -e '/include "\/etc\/racoon\/remote\/\*\.conf" ;/d' /etc/racoon/racoon.conf
        echo -e 'removing lines --> include "/etc/racoon/remote/*.conf" ; <-- from /etc/racoon/racoon.conf\n'
    fi

    if [ "$1" = fix ]
    then
        # While connected, the VPN client writes a per-connection config under
        # /var/run/racoon. Move it to the static include directory, stop racoon
        # from reading the live copy, and raise the SA lifetime so the 3600 s
        # rekey (and the XAuth re-authentication it triggers) does not come.
        mv /var/run/racoon/*.conf /etc/racoon/remote
        sed -i '' -e 's~include "/var/run/racoon/\*\.conf"~#include "/var/run/racoon/\*\.conf"~' /etc/racoon/racoon.conf
        sed -i '' -e 's/lifetime time 3600 sec/lifetime time 168 hours/' /etc/racoon/remote/*.conf
        launchctl stop "$RACOON_LABEL"
        launchctl start "$RACOON_LABEL"
    fi

    if [ "$1" = unfix ]
    then
        sed -i '' -e 's~#include "/var/run/racoon/\*\.conf"~include "/var/run/racoon/\*\.conf"~' /etc/racoon/racoon.conf
        rm -f /etc/racoon/remote/*
        launchctl stop "$RACOON_LABEL"
        launchctl start "$RACOON_LABEL"
    fi





  • Fotos Georgiadis Level 1

    Hello again amsoares,


    I couldn't change the Cisco configuration (beyond my control), but, as I hinted in a previous reply, you could either change the security-association lifetime using:


    crypto ipsec security-association lifetime


    or change the default lifetime of the isakmp policy:


    crypto isakmp policy


    Keep in mind that I haven't tried any of these, they might work, they might not, they have security implications which you should fully understand before changing things, and of course all standard disclaimers apply, etc. etc. Please consult your Cisco documentation or Cisco directly if you change these settings in a production environment.


    As Cisco said, the problem lies on Apple's side. You could try the script posted by mckinasole below, who, unfortunately, replied in the wrong question. The script basically does what I described in my solution above, but in an automated / scripted way. I haven't tried the script either, so YMMV.


    Good luck!

  • amsoares Level 1



    Can you please clarify if the script/workaround is only valid for IPsec connections, and not valid for L2TP/IPsec connections?

    My customer had the 45-minute problem after moving from IPsec to L2TP/IPsec. It seems that the people posting here who have the same problem are talking about IPsec, not L2TP/IPsec.



  • Fotos Georgiadis Level 1

    Hello amsoares,


    honestly I have no idea if L2TP / IPsec connections are set up through racoon or a different process. The script and the workaround are for the "Cisco IPsec" option. Haven't tried it with L2TP / IPsec, which might set up the connection in a completely different way. Yes, people here talk about the IPsec option, not the L2TP / IPsec one, AFAIK.


    If I were you, I'd get my hands on a Mac and try to debug it from there. It's kinda futile if you can't test things yourself.



  • mviltan Level 1

    I too have logged a bug: 13015443 - duplicate of #11871577 - and have had a response. I was told to:


    as root edit /etc/racoon/racoon.conf


    uncomment the line:

    #log debug;

    and add the line:

    path logfile "/var/log/racoon.log";



    And send them the log. So I had another machine which I did not apply the fix to, and sent them the log after it disconnected. I will let you know when I get an update.

  • amsoares Level 1

    Did you get any feedback about this?



  • mviltan Level 1

    not yet!

  • mohamedridha Level 1

    Hi there


    I have made the exact changes; however, my connection is still picking up a key life of 3600. This is the output:



    sudo racoonctl ss ipsec

              esp mode=tunnel spi=3835192342(0xe4986416) reqid=0(0x00000000)

              E: aes-cbc  72e6332f fdb28718 74c335f8 beb65d4a 5272d5d4 eb4bae29 89b707b6 d7ab8be9

              A: hmac-sha1  50bfbd0d 0ca4dcc6 1059c768 2ea767a4 314cd7bd

              seq=0x000000bb replay=4 flags=0x00000006 state=mature

              created: Mar  7 12:12:51 2013          current: Mar  7 12:12:57 2013

              diff: 6(s)          hard: 3600(s) soft: 2880(s)

              last: Mar  7 12:12:57 2013          hard: 0(s)          soft: 0(s)

              current: 55744(bytes)          hard: 0(bytes)          soft: 0(bytes)

              allocated: 187          hard: 0          soft: 0

              sadb_seq=1 pid=9712 refcnt=2

              esp mode=tunnel spi=208470779(0x0c6d02fb) reqid=0(0x00000000)

              E: aes-cbc  fa3964d5 359abf9c 8b0d20ea acf2fcdc c48bd526 41f4fd7b b5264680 82378a31

              A: hmac-sha1  a7f1edd3 d2f3ca50 d4790813 0fba2513 40b8856c

              seq=0x00000057 replay=4 flags=0x00000006 state=mature

              created: Mar  7 12:12:51 2013          current: Mar  7 12:12:57 2013

              diff: 6(s)          hard: 3600(s) soft: 2880(s)

              last: Mar  7 12:12:56 2013          hard: 0(s)          soft: 0(s)

              current: 15382(bytes)          hard: 0(bytes)          soft: 0(bytes)

              allocated: 87          hard: 0          soft: 0

              sadb_seq=0 pid=9712 refcnt=2



    I have followed the instructions; not sure why it still is not working.
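A check for the lifetime change that the script above automates and for the `racoonctl ss ipsec` output posted just above, added here as an example; it is not code from anyone in the thread. It parses the per-SA `hard:`/`soft:` time lifetimes out of `racoonctl ss ipsec` output, parses the `lifetime time ...` directives out of a racoon config, and lists the SPIs whose negotiated hard lifetime is not one the config asks for. The sample output and the two config fragments are constructed to match the shape shown in the posts (key material omitted); the racoon unit table follows racoon.conf(5). An SA still negotiated with `hard: 3600(s)` after the edit means racoon built it from a config other than the edited one, or was not restarted after the edit.

```python
"""Compare the SA lifetimes racoon negotiated (racoonctl ss ipsec) with the
`lifetime time ...` directives in a racoon config.

Added example for this thread, not code posted in it. The sample data below
is constructed to match the shape of the posted output; keys are omitted."""
import re

# racoon lifetime units (racoon.conf(5): sec, min, hour and their plurals).
UNIT_SECONDS = {
    "sec": 1, "secs": 1, "second": 1, "seconds": 1,
    "min": 60, "mins": 60, "minute": 60, "minutes": 60,
    "hour": 3600, "hours": 3600,
}

SPI_RE = re.compile(r"^\s*esp mode=\S+ spi=(\d+)\(0x[0-9a-fA-F]+\)")
# Only the "diff:" line carries the SA's time lifetimes; the "last:" line
# below it repeats "hard:/soft:" for the use-time limits (0 = unlimited).
DIFF_RE = re.compile(r"^\s*diff:\s*\d+\(s\)\s+hard:\s*(\d+)\(s\)\s+soft:\s*(\d+)\(s\)")
LIFETIME_RE = re.compile(r"^\s*lifetime\s+time\s+(\d+)\s+([a-z]+)\s*;", re.MULTILINE)

# Constructed sample: two ESP SAs in the shape of the posted racoonctl output.
SAMPLE_SS = """\
          esp mode=tunnel spi=3835192342(0xe4986416) reqid=0(0x00000000)
          E: aes-cbc  <key omitted>
          A: hmac-sha1  <key omitted>
          seq=0x000000bb replay=4 flags=0x00000006 state=mature
          created: Mar  7 12:12:51 2013          current: Mar  7 12:12:57 2013
          diff: 6(s)          hard: 3600(s) soft: 2880(s)
          last: Mar  7 12:12:57 2013          hard: 0(s)          soft: 0(s)
          current: 55744(bytes)          hard: 0(bytes)          soft: 0(bytes)
          allocated: 187          hard: 0          soft: 0
          sadb_seq=1 pid=9712 refcnt=2
          esp mode=tunnel spi=208470779(0x0c6d02fb) reqid=0(0x00000000)
          E: aes-cbc  <key omitted>
          A: hmac-sha1  <key omitted>
          seq=0x00000057 replay=4 flags=0x00000006 state=mature
          created: Mar  7 12:12:51 2013          current: Mar  7 12:12:57 2013
          diff: 6(s)          hard: 3600(s) soft: 2880(s)
          last: Mar  7 12:12:56 2013          hard: 0(s)          soft: 0(s)
          current: 15382(bytes)          hard: 0(bytes)          soft: 0(bytes)
          allocated: 87          hard: 0          soft: 0
          sadb_seq=0 pid=9712 refcnt=2
"""

# Constructed per-connection config fragments: as the VPN client writes it,
# and after the thread's sed has rewritten "3600 sec" to "168 hours".
CONF_BEFORE = """\
remote anonymous {
    lifetime time 3600 sec;
}
sainfo anonymous {
    lifetime time 3600 sec;
}
"""
CONF_AFTER = CONF_BEFORE.replace("lifetime time 3600 sec", "lifetime time 168 hours")


def lifetime_seconds(value):
    """'168 hours' -> 604800."""
    number, unit = value.split()
    return int(number) * UNIT_SECONDS[unit]


def parse_sa_lifetimes(ss_output):
    """One dict per ESP SA: spi, hard and soft time lifetime in seconds."""
    sas, current = [], None
    for line in ss_output.splitlines():
        m = SPI_RE.match(line)
        if m:
            current = {"spi": int(m.group(1)), "hard": None, "soft": None}
            sas.append(current)
            continue
        m = DIFF_RE.match(line)
        if m and current is not None:
            current["hard"], current["soft"] = int(m.group(1)), int(m.group(2))
    return sas


def config_lifetimes(conf_text):
    """Distinct 'lifetime time' values in a racoon config, in seconds, sorted."""
    return sorted({int(n) * UNIT_SECONDS[u] for n, u in LIFETIME_RE.findall(conf_text)})


def find_mismatches(ss_output, conf_text):
    """SPIs whose negotiated hard lifetime is not one the config asks for.

    Non-empty after the fix: racoon negotiated these SAs from a config other
    than the edited one, or was not restarted after the edit."""
    expected = set(config_lifetimes(conf_text))
    return [sa["spi"] for sa in parse_sa_lifetimes(ss_output) if sa["hard"] not in expected]


if __name__ == "__main__":
    for sa in parse_sa_lifetimes(SAMPLE_SS):
        print("spi=%d hard=%ds soft=%ds" % (sa["spi"], sa["hard"], sa["soft"]))
    print("SAs not matching the edited config:", find_mismatches(SAMPLE_SS, CONF_AFTER))
```

On a live machine, feed it `sudo racoonctl ss ipsec` and the contents of the `.conf` under `/etc/racoon/remote` (after the fix) or `/var/run/racoon` (before it); an SA list that matches the unedited config but not the edited one is exactly the situation in the post above.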