MAC OS-X 10.3 VPN issue: Firewall Mismatch

I have an issue with a number of users that connect to our network via Macs all running OS X 10.3 and Cisco's VPN connection client. The issue is that after authentication they get bumped with the error "435: firewall mismatch".

I have no idea what this means and unfortunately we have an external company looking after our routers etc., and they have assured us that it is fine at their end for PCs, and that you don't need to change the configuration for Macs to work.

I have tried to find what this error relates to, but have had no luck searching the web.

Anyone got any ideas how I can fix this?

Thanks in advance.

7 Replies

gfullage
Cisco Employee

The VPN concentrator has a configuration option where it can force the connecting VPN client to have a certain firewall installed and enabled on the connecting PC (see http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_1/config/usermgt.htm#wp1768076 for details). This however, only works for Windows VPN client, not for Mac.

The people who run this concentrator will have to change the configuration on the screen in the URL I provided above to "Firewall Optional" rather than "Firewall Required". Send them the URL so they know what to change.

gfullage, thank you very much,

Andrew.

glenncwark
Level 1

I recently found the following link from June 29, 2005

http://www.macwindows.com/newsarch.html

TIP: fix for Cisco VPN "firewall mismatch" errors. June 29, 2005 -- An anonymous reader sent in a tip about an error he fixed with the Cisco VPN client and Mac OS X 10.3 Panther:

I couldn't use Cisco because I kept getting 'firewall policy mismatch' errors preventing connection with Cisco VPN Client 4.0.2 to a corporate network.

It turned out that this error is a fairly common error, according to a Cisco engineer. This occurs with the Mac client and the VPN concentrator when the concentrator group is set to "Require Firewall" on the connecting host.

This function (“require firewall”) is available on the Windows VPN client software, but not the Mac client! The VPN concentrator setting (if you’re a network Admin, configuring your VPN concentrator) is located here:

Configuration/user management/groups

Client FW tab

Firewall setting

Ways Admins can fix this:

1. DO NOT require the VPN group to "Require Firewall"

2. Create a new group for your Mac users (this is the most popular answer)

I asked the Cisco engineer if he would recommend adding the function to the Mac client software; he (himself a Mac user) replied sympathetically that it was WAY down on their list of priorities; all we can do is hope for some future release.

/Hopefully Cisco updates this issue soon

Does anyone know if there is an end user workaround for this?

At least until Cisco is able to update the Mac client.

I have a software and a hardware firewall up, but it sounds like the Mac OS X client simply doesn't check for it. If anyone can confirm this and/or help out it would be greatly appreciated.

Thanks,

Glenn
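As an added illustration for this thread (not part of the original posts and not Cisco's concentrator code), the following constructed Python model shows why the two admin-side fixes above work and the client side cannot: the group's "Firewall setting" is evaluated against what the client reports, and the Mac client never reports a firewall even when one is running. The policy names, the `staff`/`staff-mac` group names and the client reports are all assumed sample data.

```python
"""Constructed model of a VPN concentrator group's client-firewall check.

Illustrative only: written for this thread, not the VPN 3000 concentrator's
real logic. Policy values mirror the group's "Firewall setting" described
above; group names and client reports are constructed sample data.
"""
from dataclasses import dataclass
from enum import Enum


class FirewallPolicy(Enum):
    NONE = "No Firewall"
    OPTIONAL = "Firewall Optional"
    REQUIRED = "Firewall Required"


@dataclass(frozen=True)
class ClientReport:
    """What the concentrator learns from a connecting client after auth."""
    platform: str           # "windows" or "mac"
    firewall_running: bool  # what is actually running on the host


FIREWALL_MISMATCH = "435: firewall mismatch"   # error string quoted in the thread


def firewall_reported(client: ClientReport) -> bool:
    """Only the Windows client implements the firewall check (per the thread),
    so a Mac never reports one, regardless of the firewalls really in place."""
    return client.platform == "windows" and client.firewall_running


def evaluate(policy: FirewallPolicy, client: ClientReport) -> tuple[bool, str]:
    """Return (allowed, reason) for one client against one group's policy."""
    reported = firewall_reported(client)
    if policy is FirewallPolicy.NONE:
        return True, "no firewall check configured"
    if policy is FirewallPolicy.OPTIONAL:
        if reported:
            return True, "firewall reported; firewall policy applies to it"
        return True, "no firewall reported; allowed because firewall is optional"
    # FirewallPolicy.REQUIRED: a client that cannot report a firewall is refused
    if reported:
        return True, "firewall reported and required"
    return False, FIREWALL_MISMATCH


def connect(username: str, group_of_user: dict, policy_of_group: dict,
            client: ClientReport) -> tuple[str, bool, str]:
    """Resolve the user's group and evaluate its firewall policy."""
    group = group_of_user[username]
    allowed, reason = evaluate(policy_of_group[group], client)
    return group, allowed, reason


# Constructed sample configurations for the two fixes listed in the thread.
# Fix 1: one group, switched from Required to Optional.
ONE_GROUP_REQUIRED = {"staff": FirewallPolicy.REQUIRED}
ONE_GROUP_OPTIONAL = {"staff": FirewallPolicy.OPTIONAL}
# Fix 2: a separate group for Mac users with the optional setting.
SPLIT_GROUPS = {"staff": FirewallPolicy.REQUIRED, "staff-mac": FirewallPolicy.OPTIONAL}


def demo() -> dict:
    """Run the constructed Mac and Windows clients through each configuration."""
    mac = ClientReport("mac", firewall_running=True)      # firewall is up, but unreported
    win = ClientReport("windows", firewall_running=True)
    return {
        "mac_required": connect("glenn", {"glenn": "staff"}, ONE_GROUP_REQUIRED, mac),
        "mac_optional": connect("glenn", {"glenn": "staff"}, ONE_GROUP_OPTIONAL, mac),
        "mac_split": connect("glenn", {"glenn": "staff-mac"}, SPLIT_GROUPS, mac),
        "win_split": connect("andrew", {"andrew": "staff"}, SPLIT_GROUPS, win),
    }


if __name__ == "__main__":
    for name, (group, allowed, reason) in demo().items():
        print(f"{name:13s} group={group:9s} allowed={allowed!s:5s} {reason}")
```

The model makes the thread's point explicit: under "Firewall Required" the Mac is refused with the mismatch error even though `firewall_running` is true, because the decision is made on what the client reports, not on what is installed; changing the group to "Firewall Optional", or moving Mac users into a group with that setting, is what lets the same client through while Windows users in the original group still have their firewall enforced.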

Glenn,

As far as I am aware there cannot be a solution to this at the client end. The option has to be changed at the concentrator's end.

I had enough pull at my company to get them to set the firewall policy to optional, which means that if you have a Windows PC it will allow the firewall to be set up, but if you don't, say you have a Mac, then that's OK too.

Another option the company was looking at was setting up a separate group whereby this optional firewall option was ticked for Mac users, which would have meant more admin, so they chose not to do this. The last option they looked at was to purchase Mac users VPC running Windows, which I was kind of against, as I didn't want the company software on my personal computer.

So after a small amount of persuasion on my part they implemented the optional firewall policy and we haven't looked back since.

The reason that you can't do anything on the client is that the concentrator is looking for a Windows firewall which won't be there on a Mac. I would suggest talking to your system admins and getting them to change the firewall policy to optional, as it is the easiest and fastest solution.

Regards,

Andrew.

Oh yeah, on the screen where it gives you the option about the firewall it tells you it is for Windows clients only. (And also in the documentation.)

Hi Andrew,

Thanks for the info. Our admin won't budge.

I'm completely on my own, so the only solutions I can see are:

1) wait for Cisco to update the Mac client such that it will check for the OS X firewall or a hardware firewall

...not sure how I can find out when the fix is to be released as I don't have a high enough access level to this site

2) fool the Mac client into thinking that one of the approved Windows firewalls is running

Any other ideas?

Thanks,

Glenn