14063 Views · 15 Helpful · 3 Replies

vpnagentd and repeated connections to 202.x.y.z sites

xxllobett
Level 1

I have recently installed Little Snitch on my Mac, to watch for "unasked" connections, and I have found out that the process vpnagentd tries, every few seconds, to connect to sites 202.x.y.z, which in some cases I have traced to Japan. Denying access to those sites seems to have no effect on AnyConnect. Is this behaviour canonical?

Accepted Solution

Looks like CSCue43390: vpnagentd wants to connect to 202.x.x.x - false positive alarming msg

It's harmless in fact.

Pasting the CCO release notes below:

Symptom:

Application debugging and network monitoring tools including Little Snitch on Mac OS X (and other tools on other supported OS's that support AnyConnect) report that AnyConnect is making suspicious connections with random hosts on the internet beginning with 202.x.x.x (IPv4) and 2001: (IPv6).

This is not actually happening in spite of the alarming message reported by these monitoring applications. This is not a result of malware in the vpn agent process on the system. Additionally, there are no packets/data leaving from or being received by AnyConnect on the system via UDP port 80 on these random IPv4 and IPv6 addresses.

This message is triggered by an interface detection method in AnyConnect which determines the public interface used for outbound traffic and was added as part of AnyConnect's enhanced IPv6 support.

No data is ever sent to (or consumed from) the IPs reported by this message, there is no data leakage, and nothing exploitable is associated with this behavior. However, since it is generating unnecessarily alarming false-positive messages in these applications, we are looking to modify how this detection process works in a future release.

Conditions:

Little Snitch or another network monitoring and/or application debugging tool reports a false positive of data leaving the system destined for address 202.x.x.x on UDP port 80.

''
* vpnagentd
wants to connect to 202.x.x.x on UDP port 80 (http)

...

Established by /opt/cisco/anyconnect/bin/vpnagentd
''

Workaround:

Not applicable. No traffic is ever leaving the system for this random IP; this is a false positive warning. However, since the warning is alarming to an end-user proactively monitoring his/her system for security vulnerabilities, we are currently looking into modifications to this process so that it does not result in unnecessarily alarming false-positive messages by these applications.

PSIRT Evaluation:

The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
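The release notes say the alert comes from an "interface detection method" and that no datagram is ever sent. The following is an added example, not Cisco's code and not from the bug report: it shows the common socket idiom that produces exactly this kind of alert, and a small triage helper that flags Little Snitch-style alert lines matching the documented pattern (process vpnagentd, UDP port 80, destination in 202.x.x.x or 2001:). Whether AnyConnect uses this precise idiom is an assumption; the alert lines, the 202.12.34.56 and 2001:db8::1 addresses and the function names are constructed for the example.

```python
"""Why a "wants to connect to 202.x.x.x on UDP port 80" alert can fire with
no packet leaving the host, and how to triage such alerts.

Added example (assumption, not Cisco's implementation): a process that wants
to know which local interface the OS would use for outbound traffic can open
a UDP socket, connect() it to any public address, and read back the local
address the kernel bound. connect() on a UDP socket only records a default
destination and performs route selection; nothing is transmitted unless the
program later calls send(). Application firewalls that hook connect() see
the call and raise an alert anyway.
"""
import ipaddress
import re
import socket
from typing import List, Optional

# Constructed alert lines in the shape Little Snitch reports (not from this thread).
SAMPLE_ALERTS = [
    "vpnagentd wants to connect to 202.12.34.56 on UDP port 80 (http)",
    "vpnagentd wants to connect to 2001:db8::1 on UDP port 80 (http)",
    "vpnagentd wants to connect to 203.0.113.9 on TCP port 443 (https)",
    "curl wants to connect to 202.12.34.56 on UDP port 80 (http)",
]

ALERT_RE = re.compile(
    r"^(?P<proc>\S+) wants to connect to (?P<host>\S+) on (?P<proto>UDP|TCP) port (?P<port>\d+)"
)

# Address ranges named in the bug report: 202.x.x.x (IPv4) and 2001: (IPv6).
PROBE_RANGES = (
    ipaddress.ip_network("202.0.0.0/8"),
    ipaddress.ip_network("2001::/16"),
)


def outbound_source_address(remote_host: str, remote_port: int = 80) -> Optional[str]:
    """Return the local IP the kernel would use to reach remote_host, or None
    when there is no route (e.g. an offline machine). No datagram is sent."""
    family = socket.AF_INET6 if ":" in remote_host else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_DGRAM)
    try:
        # Route selection happens here; a connect()-hooking firewall alerts
        # on this call even though nothing is put on the wire.
        sock.connect((remote_host, remote_port))
        return sock.getsockname()[0]
    except OSError:
        return None
    finally:
        sock.close()


def matches_cscue43390_pattern(alert_line: str) -> bool:
    """True if the alert matches the documented false-positive shape.
    A match means 'consistent with the bug report', not proof of benignity:
    still confirm the installed version and installer checksum."""
    m = ALERT_RE.match(alert_line)
    if not m:
        return False
    try:
        addr = ipaddress.ip_address(m["host"])
    except ValueError:
        return False
    return (
        m["proc"] == "vpnagentd"
        and m["proto"] == "UDP"
        and int(m["port"]) == 80
        and any(addr in net for net in PROBE_RANGES)
    )


def triage(alert_lines: List[str]) -> List[str]:
    """Return only the alerts that match the documented pattern."""
    return [line for line in alert_lines if matches_cscue43390_pattern(line)]


if __name__ == "__main__":
    # Loopback is used so the demonstration works with no internet access.
    print("source address for 127.0.0.1:", outbound_source_address("127.0.0.1"))
    for line in SAMPLE_ALERTS:
        print(matches_cscue43390_pattern(line), line)
```

Running it shows the local address the kernel picked without any send() call, and flags only the two sample alerts that fit the bug report's shape; an alert from a different process, protocol or port falls outside the pattern and deserves a normal investigation.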


3 Replies

rboele2013
Level 1

Which VPN version is installed? I had these outgoing connections to 202.x.y.z (to China...) with anyconnect-macosx-i386-3.1.02026-k9.

Checksum of the installed file:

MD5 (anyconnect-macosx-i386-3.1.02026-k9.dmg) = 918ff1ba55c273a9bd2ede0a424ba7ff

Downgraded to version 3.0.10055; outgoing connections are now in the local network and to a local trusted VPN server.


Thanks for the information!
