Mac OS X 10.11.4 - The VPN client was unable to successfully verify the IP forwarding table modifications.

mabatal01
Level 1

Just upgraded my Mac to OS X 10.11.4 Beta (15E27e). Running Cisco AnyConnect Secure Mobility Client version 4.1.08005. I am unable to connect to our corporate SAS VPN. I receive the following messages. Please help! 

    12:29:09 AM    The AnyConnect Downloader is performing update checks...

    12:29:09 AM    Checking for profile updates...

    12:29:09 AM    Checking for product updates...

    12:29:09 AM    Checking for customization updates...

    12:29:09 AM    Performing any required updates...

    12:29:09 AM    The AnyConnect Downloader updates have been completed.

    12:29:09 AM    Establishing VPN session...

    12:29:09 AM    Establishing VPN - Initiating connection...

    12:29:09 AM    Establishing VPN - Examining system...

    12:29:09 AM    Establishing VPN - Activating VPN adapter...

    12:29:09 AM    Establishing VPN - Configuring system...

    12:29:11 AM    Disconnect in progress, please wait...

    12:29:11 AM    The VPN client was unable to successfully verify the IP forwarding table modifications.  A VPN connection will not be established.

    12:29:11 AM    AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again.


Philip D'Ath
VIP Alumni

If you just did an upgrade try removing the VPN client and re-installing it.

I would say this is expected behavior with beta-software.

In addition to reinstalling the client, I would try the newest AC 4.2 which is slightly newer.

mabatal01
Level 1

Thanks for the suggestions guys.

I tried removing then reinstalling the VPN client — no good. I ended up having to do a clean reinstall of OS X 10.11.3. Lesson learned, no more beta operating systems on production computers. That's what VMs are for, right? :-)

And keep looking at the AnyConnect release notes if there is an announcement of compatibility.

jafrancov
Level 1

Just update phase 1 of your VPN: add DH group 14 and that will fix the issue. It appears that OS X 10.11.4 requires a minimum of a 2048-bit modulus (DH Group 14) to connect to IPSec VPNs.

acamachoh
Level 1

You can try the following procedure on your Mac; with this workaround it is working.

macOS Catalina 10.15.2 (19C57)

Any Connect Version 4.6.01103

 

Do I need to disable IPv6 traffic on my Mac computer?
  1. Go to Apple -> System Preferences -> Network.
  2. Select the first network connection you see listed on the left-hand side, then click the Advanced button.
  3. Go to the TCP/IP tab at the top.
  4. Beside "Configure IPv6", set it to "Link-local Only".
  5. Click OK to apply the change.

LOGS

BEFORE

    21:17:29    User credentials entered.

    21:17:40    User credentials entered.

    21:17:41    Establishing VPN session...

    21:17:42    The AnyConnect Downloader is performing update checks...

    21:17:42    Checking for profile updates...

    21:17:42    Checking for product updates...

    21:17:42    Checking for customization updates...

    21:17:42    Performing any required updates...

    21:17:42    The AnyConnect Downloader updates have been completed.

    21:17:42    Establishing VPN session...

    21:17:42    Establishing VPN - Initiating connection...

    21:17:42    Establishing VPN - Examining system...

    21:17:42    Establishing VPN - Activating VPN adapter...

    21:17:42    Establishing VPN - Configuring system...

    21:17:44    Disconnect in progress, please wait...

    21:17:45    Ready to connect.

    21:17:45    Connection attempt has failed.

    21:17:45    Ready to connect.

    22:19:09    Ready to connect.

13/01/20

AFTER

    9:31:19    Ready to connect.

    9:41:14    Contacting ANYCONNECT

    9:41:22    User credentials entered.

    9:41:22    Establishing VPN session...

    9:41:23    The AnyConnect Downloader is performing update checks...

    9:41:23    Checking for profile updates...

    9:41:23    Checking for product updates...

    9:41:23    Checking for customization updates...

    9:41:23    Performing any required updates...

    9:41:23    The AnyConnect Downloader updates have been completed.

    9:41:23    Establishing VPN session...

    9:41:23    Establishing VPN - Initiating connection...

    9:41:23    Establishing VPN - Examining system...

    9:41:23    Establishing VPN - Activating VPN adapter...

    9:41:23    Establishing VPN - Configuring system...

    9:41:25    Establishing VPN...

    9:41:25    Connected to ANYCONNECT

    9:44:22    Reconnecting to ANYCONNECT

    9:44:23    Establishing VPN - Examining system...

    9:44:26    Establishing VPN - Activating VPN adapter...

    9:44:27    Establishing VPN - Configuring system...

    9:44:29    Establishing VPN...

    9:44:29    Connected to ANYCONNECT.

After running into this error and finding that the change to IPv6 for Link-Local didn't work, I found another bug that actually helped me find the root cause of the issue. Recent changes to the firewall routing tables apparently included an RFC1918 route for 192.168.1.0/24, and since my home network was on this range, the VPN wouldn't allow me to connect because it couldn't figure out how to make a route that didn't overlap.

 

https://quickview.cloudapps.cisco.com/quickview/bug/CSCvq32554

 

My temporary solution was to create a new subnet for a "guest" network that used a different IP range that didn't overlap with one that the VPN concentrator cared about and this allowed me to successfully connect. I also contacted the network/firewall team about why they'd EVER use one of the most common consumer router IP subnets as a route inside the enterprise.
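The overlap described in the post above can be checked before connecting. This is an added example, not part of the original thread and not Cisco code; the VPN route list and home subnet below are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

# Private IPv4 blocks to search for a non-overlapping home/guest subnet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]

def _parse(nets):
    # strict=False accepts host-style input such as "192.168.1.10/24".
    return [ipaddress.ip_network(n, strict=False) for n in nets]

def find_route_conflicts(local_subnets, vpn_routes):
    """Return (local, vpn_route, relation) for each local subnet that collides."""
    conflicts = []
    for local in _parse(local_subnets):
        for route in _parse(vpn_routes):
            # Assumption of this example: a default route (prefix length 0)
            # covers everything by definition and is not reported.
            if route.prefixlen == 0 or local.version != route.version:
                continue
            if not local.overlaps(route):
                continue
            if local == route:
                relation = "identical"
            elif local.subnet_of(route):
                relation = "local inside VPN route"
            else:
                relation = "VPN route inside local"
            conflicts.append((str(local), str(route), relation))
    return conflicts

def suggest_free_subnet(vpn_routes, prefixlen=24):
    """Return the first RFC1918 subnet of the given size that no VPN route overlaps."""
    routes = [r for r in _parse(vpn_routes) if r.version == 4 and r.prefixlen]
    for block in RFC1918:
        if prefixlen < block.prefixlen:
            continue  # requested subnet is larger than this block
        for candidate in block.subnets(new_prefix=prefixlen):
            if not any(candidate.overlaps(r) for r in routes):
                return str(candidate)
    return None

if __name__ == "__main__":
    # Constructed sample: routes a VPN gateway might push, and a home LAN.
    vpn_routes = ["10.0.0.0/8", "172.16.0.0/12", "192.168.1.0/24"]
    home = ["192.168.1.0/24"]
    for local, route, relation in find_route_conflicts(home, vpn_routes):
        print(f"conflict: {local} vs {route} ({relation})")
    print("non-overlapping /24:", suggest_free_subnet(vpn_routes))
```
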

lasereyes
Cisco Employee

I've been getting this error intermittently as well on Mac OS X 10.15.4 using AnyConnect 4.8.02042.  In my setup, I have a dock that provides Internet connectivity over USB-C and I'm also connected to a wireless network.  Rebooting my computer usually fixes the issue, but I've also found that disabling WiFi makes the issues go away without requiring a reboot.