03-06-2013 01:02 AM
I have recently installed Little Snitch on my Mac, to watch for "unasked" connections, and I have found out that the process vpnagentd tries, every few seconds, to connect to sites 202.x.y.z, which in some cases I have traced to Japan. Denying access to those sites seems to have no effect on AnyConnect. Is this behaviour canonical?
03-13-2013 02:04 PM
Looks like CSCue43390 vpnagentd wants to connect to 202.x.x.x - false positive alarming msg
It's harmless in fact.
Pasting the CCO release-notes below
Symptom: Application debugging and network monitoring tools including Little Snitch on Mac OS X (and other tools on other supported OS's that support AnyConnect) report that AnyConnect is making suspicious connections with Random hosts on the internet beginning with 202.x.x.x (IPv4) and 2001: (IPv6). This is not actually happening in spite of the alarming message reported by these monitoring applications. This is not a result of malware in the vpn agent process on the system. Additionally, there are no packets/data leaving from or being received by AnyConnect on the system via UDP port 80 on these random IPv4 and IPv6 addresses. This message is triggered by an interface detection method in AnyConnect which determines the public interface used for outbound traffic and was added as part of AnyConnect's enhanced IPv6 support. No data is ever sent to (or consumed from) the IPs reported by this message, there is no data leakage, and nothing exploitable associated with behavior. However, since it is generating unnecessarily alarming false-positive messages as part of these applications, we are looking to modify how this detection process works in a future release.
Conditions: Little Snitch or other network monitoring and/or application debugging tool reports false-positive of data leaving system destined for address 202.x.x.x destined for UDP 80.
''
* vpnagentd wants to connect to 202.x.x.x on UDP port 80 (http) ... Established by /opt/cisco/anyconnect/bin/vpnagentd
''
Workaround: Not applicable. No traffic is ever leaving the system for this random IP, this is a false positive warning. However, since the warning is alarming by an end-user proactively monitoring his/her system for security vulnerabilities, we are currently looking into modifications to this process so that it does not result in unnecessarily alarming false-positive messages by these applications.
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels. If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
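The release note above does not name the system calls involved. The added example below (not Cisco's code) shows the common technique that fits its description, as an assumption: connect() on a UDP socket makes the kernel pick a route and source address without transmitting anything, which is why a per-process firewall sees a "connection" while a packet capture sees no traffic. The probe addresses are constructed documentation-range values, not the ones AnyConnect uses.

```python
import socket

def outbound_source_address(probe_ip, port=80):
    """Return the local address the OS would use to reach probe_ip,
    or None when the host has no route to it.

    connect() on a SOCK_DGRAM socket only records the peer and triggers a
    route lookup in the kernel; no datagram leaves the host unless send()
    is called, and this function never calls it.
    """
    # AI_NUMERICHOST: accept IPv4/IPv6 literals only, so no DNS query is made.
    family, socktype, proto, _, sockaddr = socket.getaddrinfo(
        probe_ip, port, type=socket.SOCK_DGRAM,
        flags=socket.AI_NUMERICHOST)[0]
    try:
        with socket.socket(family, socktype, proto) as s:
            s.connect(sockaddr)          # route lookup only, nothing is sent
            return s.getsockname()[0]    # source address chosen by the kernel
    except OSError:
        # No route to the probe, or the address family is disabled locally.
        return None

if __name__ == "__main__":
    # Constructed probe addresses from the RFC 5737 / RFC 3849 documentation ranges.
    for probe in ("192.0.2.1", "2001:db8::1"):
        print(probe, "->", outbound_source_address(probe))
```

To confirm the false positive on a monitored host, capture on the outbound interface for UDP port 80 while the alert fires: the firewall prompt appears at connect() time, but the capture stays empty.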
03-13-2013 12:38 PM
Which VPN version is installed? I had these outgoing connections to 202.x.y.z (to China...) with anyconnect-macosx-i386-3.1.02026-k9
Checksum of the installed file:
MD5 (anyconnect-macosx-i386-3.1.02026-k9.dmg) = 918ff1ba55c273a9bd2ede0a424ba7ff
Downgraded to version 3.0.10055; outgoing connections are now in the local network and to a local trusted VPN server.
03-14-2013 12:11 AM
Thanks for the information!