07-21-2010 10:19 AM - edited 02-21-2020 04:44 PM
I'm having an issue with the Mac version of the VPN AnyConnect Client.
The Client I'm using is version 2.4.1012, and my MacOSX version is 10.6.4.
The issue is that after connecting to the VPN server, everything will work fine for 5 minutes or so, then the connection is lost for about 2 minutes, eventually reconnects, stays connected for about 5 minutes, over and over again.
When the connection is lost, this shows up in the Mac console:
7/21/10 10:16:05 AM vpnagent[548] Initiating rekey for SSL connection.
7/21/10 10:16:05 AM vpnagent[548] Initiating a reconnect for rekey with a new SSL connection.
7/21/10 10:16:05 AM vpnagent[548] Function: InitNSS File: Certificates/NSSCertUtils.cpp Line: 390 Invoked Function: getProfilePath Return Code: -31391741 (0xFE210003) Description: CERTSTORE_ERROR_BAD_HANDLE
7/21/10 10:16:05 AM vpnagent[548] Function: CNSSCertStore File: Certificates/NSSCertStore.cpp Line: 72 Invoked Function: CNSSCertUtils::InitNSS Return Code: -31391741 (0xFE210003) Description: CERTSTORE_ERROR_BAD_HANDLE
7/21/10 10:16:05 AM vpnagent[548] Function: addNSSStore File: Certificates/CollectiveCertStore.cpp Line: 937 Invoked Function: CNSSCertStore::CNSSCertStore Return Code: -31391741 (0xFE210003) Description: CERTSTORE_ERROR_BAD_HANDLE
7/21/10 10:16:05 AM vpnagent[548] Function: OpenStores File: Certificates/CollectiveCertStore.cpp Line: 244 Invoked Function: CCollectiveCertStore::addNSSStore Return Code: -31391741 (0xFE210003) Description: CERTSTORE_ERROR_BAD_HANDLE
7/21/10 10:16:05 AM vpnagent[548] The Secondary SSL connection to the secure gateway is being established.
7/21/10 10:16:05 AM vpnagent[548] Function: postSocketConnectProcessing File: SslTunnelTransport.cpp Line: 1360 Opened SSL socket from 192.168.1.101 to 208.254.144.81
7/21/10 10:16:05 AM vpnagent[548] Function: VerifyServerCertificate File: Certificates/MacCertStore.cpp Line: 420 Invoked Function: CMacCertificate::Verify Return Code: -31326190 (0xFE220012) Description: CERTIFICATE_ERROR_VERIFY_CHAIN_POLICY_FAILED_ASKUSER
It looks like an SSL rekey is happening after 5 minutes, but the connection then gets hosed and eventually is completely re-built. (Actually, I have a workmate with the exact same issue).
Is there any way to disable the rekey operation on the client side, or does anyone else have a hint about how I can fix this? It's VERY annoying!
07-26-2010 05:49 AM
I had the exact problem. I had to upgrade the client to the new version, which is 2.5.0217. This one worked and no more disconnects. But now I cannot get outside to the internet. Windows PCs work fine, but I cannot get the MacBook to bring in a web site. Trying to figure out the issue, unless you have seen this. Let me know.
07-26-2010 09:00 AM
Are Windows clients able to connect to the same connection profile without issue? The default rekey lifetime is 30 minutes, so if you are seeing it happen every 5 minutes, you may want to double check the "svc rekey time" configuration under the respective group policy. I did run into a similar issue with another customer which wound up being related to DNS. In that case, the CN and subject names of the certificate were configured to use FQDN which was only resolvable via public DNS servers. AnyConnect, however, was configured to send all DNS requests over the SSL tunnel. The resolution requests were being sent to a DNS server that could not resolve, so the rekey process hung. Once the active tunnel was torn down, the FQDN in the certification could now be resolved by the DNS server on the physical interface, allowing the new connection to establish. Configuring Split DNS resolved the issue for this particular customer. You may look into your configuration to see if this applies.
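Added example, not written by any poster in this thread: a small Python triage script that measures the interval between rekeys in vpnagent console output and lists the certificate verification errors logged during each one, for comparison against the 30-minute default mentioned in the reply above. The sample input is constructed from lines in the first post; the second rekey timestamp (10:21:07) is invented for illustration, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample: three lines copied from the console output in the first
# post, plus one invented later rekey so an interval can be measured.
SAMPLE = """\
7/21/10 10:16:05 AM vpnagent[548] Initiating rekey for SSL connection.
7/21/10 10:16:05 AM vpnagent[548] Function: InitNSS File: Certificates/NSSCertUtils.cpp Line: 390 Invoked Function: getProfilePath Return Code: -31391741 (0xFE210003) Description: CERTSTORE_ERROR_BAD_HANDLE
7/21/10 10:16:05 AM vpnagent[548] Function: VerifyServerCertificate File: Certificates/MacCertStore.cpp Line: 420 Invoked Function: CMacCertificate::Verify Return Code: -31326190 (0xFE220012) Description: CERTIFICATE_ERROR_VERIFY_CHAIN_POLICY_FAILED_ASKUSER
7/21/10 10:21:07 AM vpnagent[548] Initiating rekey for SSL connection.
"""

LINE = re.compile(r"^(\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) vpnagent\[\d+\] (.*)$")
ERROR = re.compile(r"Function: (\S+) .*\((0x[0-9A-Fa-f]+)\) Description: (\S+)")
DEFAULT_REKEY_MIN = 30  # default rekey lifetime quoted in the reply above

def analyze(text):
    """Return one dict per rekey: start time, gap since previous, errors seen."""
    rekeys = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%m/%d/%y %I:%M:%S %p")
        msg = m.group(2)
        if msg.startswith("Initiating rekey"):
            prev = rekeys[-1]["time"] if rekeys else None
            gap = (when - prev).total_seconds() / 60 if prev else None
            rekeys.append({"time": when, "gap_min": gap, "errors": []})
        elif rekeys:
            e = ERROR.search(msg)
            if e:  # (function, hex return code, description)
                rekeys[-1]["errors"].append(e.groups())
    return rekeys

def findings(rekeys):
    """Flag rekeys sooner than the default and certificate verify failures."""
    out = []
    for r in rekeys:
        if r["gap_min"] is not None and r["gap_min"] < DEFAULT_REKEY_MIN:
            out.append(f"{r['time']:%H:%M:%S} rekey after {r['gap_min']:.1f} min (< {DEFAULT_REKEY_MIN})")
        for func, code, desc in r["errors"]:
            if desc.startswith("CERTIFICATE_ERROR"):
                out.append(f"{r['time']:%H:%M:%S} {func}: {desc} ({code})")
    return out

if __name__ == "__main__":
    print("\n".join(findings(analyze(SAMPLE))))
```

A short gap points at the group policy's rekey setting; a certificate verify failure inside the rekey window is the symptom the DNS explanation above would produce.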