Yosemite VPN (PPTP) issue

I noticed this trouble too after upgrading to Yosemite. I use BTGuard and it was working fine before I upgraded from Mavericks. My upgrade was a complete clean install (Erase HD etc and no use of migration assistant) so I am working on a virgin install of 10.10 and I am using a static IP (Not DHCP)

When I tried to connect to the VPN I'd get the folling dialog:

After reading the comments in this thread I tried creating a new Location in my Network system preferences for a DHCP configuration. As soon as I switched to the DHCP the VPN service started working perfectly, just as it did before Mac OS X 10.10. I tested the VPN service on both WiFi and Ethernet in a DHCP configuration and it works fine.

During this trouble shooting I did turn on the "Use verbose logging" and I issued the following command into the Terminal.app:

tail -f /var/log/ppp.log

This allowed me to see what was going on "Behind the scenes".

On a side note...

My experience with BTGuard is good except my connection drops randomly. Sometimes ≈ 15 minutes to hours. no pattern I can see.

So I made the following Applescript (I'm sharing it here incase it will help any of you:

=-=-=-=-=-=

on idle

tell application "System Events"

tell current location of network preferences

set myConnection to the service "BTGuard VPN"

if myConnection is not null then

if current configuration of myConnection is not connected then

connect myConnection

end if

end if

end tell

return 10

end tell

end idle

=-=-=-=-=-=

Thanks again for the help in this thread getting my VPN running and hopefully Apple will get this bug fixed soon!

~e

I have the same problem here: Using GlobalProtect VPN and got no connection after updating to Yosemite. The TCP/IP IPv4 is set to DHCP and I have already tested it with a new network location but everything failed on WLAN as well as on ethernet. Is there any solution available?

BTW: After the GlobalProtect App tried to dial in several times it freezes and I can only start a new dial in after rebooting the Mac. There is also no possibility to quit the GlobalProtect App, only deinstallation works - am I using the last version? It is 2.0.4-6.

I am on home office using my own device (iMac) and it is a real pitty to have no vpn access. Thanks for any help in advance!

Yeah, this is not good. Had been using GlobalProtect under Mavericks fine but upgrading to Yosemite has broken it. I am looking into how the GlobalProtect client works. In the PanGPS.log, there is a line that says:

PanGPS.log:/Applications/GlobalProtect.app/Contents/Resources/pangpd.kext failed to load - (libkern/kext) not loadable (reason unspecified); check the system/kernel logs for errors or try kextutil(8).

And if you go to the system.log it says:

Oct 24 19:41:28 JMBP com.apple.kextd[20]: ERROR: invalid signature for com.paloaltonetworks.kext.pangpd, will not load

If you look at the code signing of the pangpd.kext module, it shows:

/Applications/GlobalProtect.app/Contents/Resources$ codesign -dvvv pangpd.kext

Executable=/Applications/GlobalProtect.app/Contents/Resources/pangpd.kext/Conten ts/MacOS/pangpd

Identifier=com.paloaltonetworks.kext.pangpd

Format=bundle with Mach-O universal (i386 x86_64)

CodeDirectory v=20100 size=161 flags=0x0(none) hashes=1+3 location=embedded

Hash type=sha1 size=20

CDHash=f364362f8102acf58e02d150797c5b2db39d858c

Signature size=4230

Authority=Developer ID Application: Palo Alto Networks

Authority=Developer ID Certification Authority

Authority=Apple Root CA

Signed Time=Dec 16, 2013, 9:10:28 PM

Info.plist entries=17

TeamIdentifier=not set

Sealed Resources version=1 rules=4 files=1

Internal requirements count=0 size=12

If you check to see if the Mac thinks it is a valid signature, it shows:

codesign --verify -vvvv pangpd.kext

pangpd.kext: invalid signature (code or signature have been modified)

In architecture: x86_64

I'm reading a posting here:http://stackoverflow.com/questions/24986390/kext-with-invalid-signature-can-load -on-one-machine-but-not-the-other-why

It looks like for now so I can get back in business, I can put my kernel into a mode where it will ease the code signing restrictions. I'm going to try this command and reboot:

sudo nvram boot-args="kext-dev-mode=1"

Great news everyone!!!

Just did my reboot after setting kext-dev-mode=1 and vpn is now working again!

I could verify that doing a netstat -an | grep 4767, the service was now running. The client then connected and everything is good.

I'm sure there is probably a danger to my computer by letting it run these "untrusted" or kext programs that arn't blessed by Apple - but for now I'm good with it. I can get back into my corporate network.

If anyone can get the ear of Palo Alto, you might want to see if they can fix their code signing on the kext! Please respond here to this forum since I looked all over google for people reporting this issue, and this seems to be the only place it has been reported.

I will try to get my network team to hook me up with Palo Alto support directly so I can pressure them for a fix - but I might not be able to get access...

I tried the same command, and was not as lucky as you.

It appears GlobalProtect is loading better, but if I try to connect, the "world spins" for a few seconds then ends up in a disconnect right away. No errors.

<grrr>

I take it back !!!!

I cleared my previous setup entries, re-entered and now connected via Global Connect!!!!

So I'm not an OS X expert, what would be the reverse of the command we just did to enable this so when a "fix" comes out "if ever" ... we can revert back to the prior setup?

I don't know if this is my imagination, but the OS and applications appear to be running faster and more responsive.

Could everything been slowed down slightly by this constant security check?

Thank you very much, y24jds! I am on a Weekend Trip but I will try it on Monday and it sounds good to me. I will let you know the result.

me too.

Same issue and same fix (DHCP vs Static IP on the client machine that opens the VPN connection)

Glad to hear that my fix is working for some people. I'm trying to find documentation on that kext-dev-mode setting. I would assume that setting it back to 0 will go back to the normal state but I haven't found that documented yet.

Also, anybody that uses this workaround, make sure you reboot after setting that flag.

I was reading a really good article but can't find the link right now. It was basically saying that Apple announced this more stringent kext code signing in Maverick's but it wasn't going to be enforced until Yosemite. The article was talking about that the OS would no longer run kext programs unless they were signed by a valid developers license and/or apple. Sort of like how Windows will warn you if you are trying to install an "unsigned device driver". But in Windows you can often just click OK on a warning box.

I think there are some people here that are having another issue besides the code signing of the kext. The DHCP vs Static thing - I'm not sure what is going on with that. Maybe it is a version difference in the GP client software. I was using 1.2.8-5.

And with my issue the best way to know if you are having it is to do the: netstat -an | grep 4767

If you dont have any listeners come back, then the process did not start up correctly probably due to the signing issue.

If you do get processes come back with the netstat command but still unable to connect, then something else must be going on. Sorry, I can't help diagnose that. I don't really understand the low level aspects of networking and establishing secure tunnels to provide any troubleshooting (plus I'm a new convert to Mac so learning alot myself).. I'd say look through all your logs, find the Global protect logs, look for any clues and use google.

Back at home I first tried your fix - and it worked for me - thanks a lot once again!!!

As I only use the vpn connection for business purposes and disconnect it for normal use of my iMac, I disconnected the vpn connection after a successful dial-in to my company´s network. A re-connection by menu command 'connect' was not possible, I had to reboot the system to connect to the vpn via GlobalProtect once again.

The most important thing is to have my vpn connection, I lost after updating to Yosemite, back. I believe a definite fix for GlobalProtect will be released in nearer future.

y24jds, you made my day!

I have to correct my last comment: After the second reboot the changes between connect and disconnect to the GlobalProtect VPN are working well without any reboot in-between.

I can confirm switching to DHCP OR DHCP W manual address solved the issue for me and I was able to connect again with VPN

I use TunnelBlick/Open VPN to connect to my work's Exchange server on my early 2011 Macbook Pro. After upgrading to Yosemite I am no longer able to sync my mail through the VPN connection.

The VPN connects with no problems (I'm able to access my files on our server) but Outlook will not connect to the Exchange server and sync. However, when I connect through LAN cable in the office Outlook will sync with no problems.

Any suggestions?

It appears Global Protect has released a new version of the client that supports OS X 10.10

Now I got to convince my network team at work to find the time to obtain it.

They won't supply it to an end user.