Who Me Too'd this topic

AnyConnect Mac 4.10 and Big Sur Disconnects

Good morning,

Since a recent Big Sur security update across a number of Big Sur versions (11.0 through to 11.6) we've noticed that even with the 4.10 versions of AnyConnect, we've seen some disconnections from the VPN connection, or the client crashes out when attempting to connect.

 

We use Sophos for our Anti-virus solution and manage our Macs through JAMF. 

 

We have a configuration profile set up in JAMF for AnyConnect to ensure that the system and kernel extensions are enabled, and that the socket filter is correctly set up with all the permissions required as per the Cisco Big Sur advisory article (which I should add should really have some example config screens for JAMF as it's the leading Mac management solution.)

 

We've also ensured all the necessary system extensions for Sophos anti-virus are set up as well and that those extensions are enabled by the configuration profile for that.

 

Running systemextensionsctl list shows the following (note how all are enabled and active):

3 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
* * DE8Y96K9QP com.cisco.anyconnect.macos.acsockext (4.10.02086/4.10.02086) Cisco AnyConnect Socket Filter Extension [activated enabled]
* * 2H5GFH3774 com.sophos.endpoint.networkextension (10.1.2/222517) networkextension [activated enabled]
--- com.apple.system_extension.endpoint_security
enabled active teamID bundleID (version) name [state]
* * 2H5GFH3774 com.sophos.endpoint.scanextension (10.1.3/222654) com.sophos.endpoint.scanextension [activated enabled]

 

Sophos and AnyConnect both have a network extension here and both are active.

So far, what we've noted is that one of the following is a short term fix:

  • Reverting AnyConnect back to use the Kernel extension (only for Intel Macs, Kernel extensions are not supported on M1 Macs)
  • Removing Sophos Anti-Virus and rebooting also works, but again we don't want to leave a Mac vulnerable

Ideally though this needs to be further investigated at Cisco's end to see what the extension actually does and if we can actually ensure that the config specified in the support article is correct, or it needs updating based on recent OS updates. We've also got a ticket logged with Sophos so they're already investigating at their end too.

 

Does anyone else have a similar config and how did they resolve it?
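
An added example, not part of the original post and not Cisco, Sophos or Jamf code: a shell function that summarises `systemextensionsctl list` output per extension category and marks any category where more than one vendor team ID has an activated, enabled extension, which is the situation shown in the listing above. The names `summarise_sysext` and `sample_listing` and the `MULTI_VENDOR` label are assumptions made for this example; the flag reports co-existence only and does not by itself identify a fault.

```shell
#!/bin/sh
# Sample input: the listing quoted in the post, embedded so this runs offline.
sample_listing() {
cat <<'EOF'
3 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
* * DE8Y96K9QP com.cisco.anyconnect.macos.acsockext (4.10.02086/4.10.02086) Cisco AnyConnect Socket Filter Extension [activated enabled]
* * 2H5GFH3774 com.sophos.endpoint.networkextension (10.1.2/222517) networkextension [activated enabled]
--- com.apple.system_extension.endpoint_security
enabled active teamID bundleID (version) name [state]
* * 2H5GFH3774 com.sophos.endpoint.scanextension (10.1.3/222654) com.sophos.endpoint.scanextension [activated enabled]
EOF
}

# Reads a listing on stdin; prints one line per category:
#   <category> vendors=<distinct team IDs> <ok|MULTI_VENDOR> <team:bundle,...>
summarise_sysext() {
  awk '
    # "--- <category>" starts a new section; remember first-seen order.
    /^--- / { cat = $2; if (!(cat in seen)) { seen[cat] = 1; order[++n] = cat }; next }
    # Count only rows whose trailing state is exactly [activated enabled].
    cat != "" && /\[activated enabled\][ \t]*$/ {
      team = ""; bundle = ""
      # Team ID: first 10-character upper-case alphanumeric field.
      # Locating it this way tolerates blank enabled/active columns.
      for (i = 1; i < NF; i++)
        if (length($i) == 10 && $i ~ /^[A-Z0-9]+$/) { team = $i; bundle = $(i + 1); break }
      if (team == "") next
      if (!((cat, team) in teams)) { teams[cat, team] = 1; vendors[cat]++ }
      list[cat] = list[cat] (list[cat] == "" ? "" : ",") team ":" bundle
    }
    END {
      for (j = 1; j <= n; j++) {
        c = order[j]
        flag = (vendors[c] > 1) ? "MULTI_VENDOR" : "ok"
        printf "%s vendors=%d %s %s\n", c, vendors[c], flag, list[c]
      }
    }
  '
}

# On a managed Mac: systemextensionsctl list | summarise_sysext
sample_listing | summarise_sysext
```
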
