|
|
 |
Apple's Mac OS X 10.6 added "native support" for Cisco IPsec VPN connections. However, a lot of sites use third-party VPN clients for Mac. This page contains problem reports, workarounds, and tips for using VPN clients and Snow Leopard.
Fixes for Cisco VPN Mac client error 51; Win 7 & Snow Leopard | Top of Page |
Thursday, August 27, 2009
Readers have sent in solutions for a problem with the Cisco VPN client for Mac, where the client reports Error 51 and can't connect. Several readers reported that upgarding the client to version 4.9.01 (0180) fixes the problem. Another reader sent a link to a fix that recommends typing this command in Terminal:
sudo /System/Library/StartupItems/CiscoVPN/CiscoVPN restart
We also had a comment that the Cisco Mac client won't work in Mac OS X 10.6 Snow Leopard.
Rich Rose had some suggestions, and has a problem with Windows 7:
A re-install will sometimes resolve it at least temporarily. Otherwise restarting the Cisco kext (see this blog) will make it work without restarting, but you need admin access to do so. So far I'm running 4.9.01 (0180) with 10.5.8 without issue.
On a related note, I've discovered that Cisco doesn't support Windows 7 64 bit with the VPN client for Windows -- it simply won't install. Can you or your readers suggest an alternative client for Cisco VPN concentrators?
If you can suggest a Cisco VPN client for Windows 7
Another reader suggested upgrading the client, and says that the Cisco client won't work in Snow Leopard:
I haven't seen this error at my site nor any of the other sites I work with, however I will point out that the 4.9.01 (0100) version of CiscoVPN is old -- the current one is the same version number, but the (0180) suffix. Came out in March or April of this year, IIRC.
Also note that the Cisco VPN Client will not be supported/functional under Mac OS X Snow Leopard (used to kernel panic the machine when booting up if the .kext's were installed, haven't tried under later seeds). I asked Cisco and was told that the only Mac VPN client that would be developed going forward was the AnyConnect VPN.
The good news is that Apple has integrated IPSec VPN into Snow Leopard (just like on the iPhone) and it work well, even where it's not supposed to (i.e. works on properly-configured 3005 concentrators and PIXes, not just ASA's, like AnyConnect is restricted to...)
Jerry Zeisler also found the Cisco update to work:
I too am having the same problem with the Cisco VPN. Just purchased Mac Air and installed the VPN downloaded from my company. Install was fine except that it didn't ask for passphrase. Then when it starts I get the error 51. I have since found that moving to version 4.9.01.0180 resolved my problem.
Peter Zimmermann sees the problem with Mac OS X 10.5.8:
Since upgrading to 10.5.8 I receive error 51 on my Cisco Client.
TIP: update, reinstall latest Cisco VPN Client for Snow Leopard
Friday, September 11, 2009
Readers have reported that they can fix the error 51 problem with the Cisco VPN client by upgrading and/or reinstalling. One reader said:
I was able to use both the Cisco VPN Client 4.9.01.0180 as others have reported, but only after re-installing the client software.
Steve McCabe simply reinstalled:
I got the error with Snow Leopard. I reinstalled the same Cisco client that worked before from the dmg file and it works. No other changes needed.
Robert Hammen reinstalled the current client.
A reinstall of the 4.9.01.0180 CiscoVPN Client is required following a Snow Leopard upgrade, but it does function, if you still need to use it (I've been using the built-in IPSec VPN client with few issues)...
Gregory Schmeling updated the client:
Got error 51 after upgrade to Snow Leopard. Worked fine before. Went to version 4.9.01 (0100) and now works fine.
Neopod sent a link to a non-Cisco site for the client:
The latest version of VPNClient (r180) works 100 percent with Snow Leopard at this link.
Cisco workaround doesn't work in 10.5 or 10.6 for reader
Friday, September 18, 2009
Jeremy Behrens has looked at our Leopard VPN Reports page and Snow Leopard VPN Reports page, and still has problems with the Cisco VPN client; installing/reinstalling the latest version worked for other readers, but not for Behrens:
I cannot get Cisco VPN Version 4.9.01.0180 to work correctly under either 10.5 or 10.6. Cisco works in my VMware Fusion Windows XP install but not in OS X directly. I don't even get an error. When I click the connect button the program connect icon changes color for a second then nothing. I have tried reinstalling and restarting using the terminal command and nothing.
Reader sees Error 51 with Cisco VPN and OS X 10.6.3
Ramon Espinosa is getting error 51 when he tries to connect to a Cisco VPN. This was a problem readers reported with Mac OS X 10.6.0, but Espinosa has the latest version:
I'm using Mac OS X 10.6.3 and still get the error 51. Restarting the services doesn't work neither reinstalling the software. Built-in VPN Client used to work, now it starts, asks for login/password "thinks" for some seconds and disconnects the VPN, never get to actually connect.
If you've seen this problem
Another report of Cisco VPN error 51 in Mac OS X
Wednesday, August 18, 2010
David Gilding is another reader getting error 51 when he tries to connect to a Cisco VPN from Snow Leopard:
I appear to have the same problem as Ramon Espinosa (Tues Jun 1, 2010). Until last week, the Mac VPN client worked beautifully. Now it asks for password (via token), 'connects' for a second or two and then disconnects. Very annoying - colleagues with PCs were told to reinstall software from discs, which seems to have solved the problem for them.
If you have any ideas about this issue
We've previously reported some suggestions, but they don't seem to work for everyone.
Cisco VPN Client split DNS problem an issue with Snow Leopard | Top of Page |
Scott Roach reports that a problem that we reported with Leopard and the Cisco VPN Mac client Split DNS feature also occurs with Snow Leopard. He did some testing and reported his findings:
I can confirm that trying to use the Split DNS feature on the Cisco VPN Client (4.9.01.0180) will cause networking issues. The Split DNS feature is implemented on the VPN Device. I have verified that this is part of the problem by running some DNS queries and this is what I found.
My resolv.conf file is changed to the following: (Obviously these values are made up)
> domain workdomain.site.com
> search workdomain.site.com\
> nameserver 255.255.255.255
> nameserver 255.255.255.255
Now if I do a DNS query for workdomain.site.com (dig workdomain.site.com) I get the following error from the VPN Client:
> Split-DNS does not support TCP based domain name queries. Use UDP instead.
However if I run the same DNS query when I am disconnected it comes up just fine.
If you seen this issue
Snow Leopard and CiscoVPN client issue with UDP
Friday, September 18, 2009
Robert Williams reported a new problem with Snow Leopard and the Cisco VPN client for Mac. (Other problems have been solved by installing/reinstalling the latest version.) Williams reports:
Just wanted to let you know about a Snow Leopard issue with the built-in Cisco VPN client. Anyone trying to connect using IPSec over UDP will not be able to do so with the Snow Leopard client. For some reason, Apple decided not to implement that feature, so those of us in that situation must continue to use the standalone Cisco VPN Client. I have submitted this to Apple as feedback, and hopefully enough people will do the same to get Apple's attention. It's pretty absurd that there's not at least an advanced configuration option for selecting something other than whatever Apple deems the "base configuration" for Cisco IPSec VPN connections.
If you've seen this issue
Snow Leopard VPN problem with IPSec over UDP
Cal responded to an older report about Snow Leopard not being able to connect to a Cisco VPN using IPSec over UDP. Cal said:
I have also seen this and submitted a bug. Since you posted this, any other work arounds?
We haven't, but if you have
TIP: running the Cisco VPN client in 64-bit Windows
Friday, September 18, 2009
Jeremy Behrens sent us this tip, which can apply to running Windows on a Mac:
You mention that the VPN client will not work in Windows 7. This is true for any 64 bit windows OS including the 64 bit Vista. Fortunately there is an alternative for 64-bit Windows folks at this site.
Problem with Cisco VPN client not resolving IP addresses
Monday, December 14, 2009
Nathaniel Bentzinger is having a problem with the Cisco VPN client not resolving IP addresses. We've previously had reports of this issue with Leopard. Bentzinger is seeing this with Snow Leopard:
We have this issue here with Snow Leopard 10.6 through 10.6.2. Our Cisco 2811 router provides DHCP Address, gateway, DNS IP and search domain (domain.local) and they are properly loaded into the Apple Cisco VPN client but the Mac sends all DNS lookups to the en0 en1 interface's DNS servers. Only adding lines to your /etc/hosts file will resolve the internal servers which defeats the purpose of DNS entirely. We are still using Cisco's VPN client to connect to the office.
If you've seen this problem
More on Cisco VPN Client not resolving IP address
Randy Campion believes he is seeing a previously reported problem with the Cisco VPN Client and Snow Leopard 10.6.3:
The issue mentioned in your article at "Problem with Cisco VPN client not resolving IP addresses" sounds like the exact same problem that I am having currently. We initially had problems with our VPN being set up from our ISP where the domain servers weren't pointed to our server in the office, so it wouldn't resolve and WINS names for any local computers, but that problem has been fixed. Now that I am using OS X 10.6.3 instead of a Windows-based machine, the same type of problem seems to have cropped up. I am unable to resolve any WINS names to connect via RDP or VNC and I also cannot use the straight IP to connect to those machines as well (given that my machine at the office has a DHCP reservation).
If you've seen this or can offer advice
Reader reports NetExtender VPN problem with Snow Leopard | Top of Page |
Wednesday, September 2, 2009
Jon Busby reports that the NetExtender VPN client doesn't work in Snow Leopard:
For me the problem is NetExtender which worked a treat in Leopard for remote file access via Finder. Doesn't work at all in Snow Leopard.
If you've seen this problem
TIP: fixes for Snow Leopard NetExtender VPN conflict
Wednesday, September 9, 2009
Several readers reported successful fixes for the problem of the SonicWall NetExtender virtual private network (VPN) Mac client not working with Snow Leopard. One fix requires typing some commands in Terminal to edit a file at /usr/sbin/pppd. Another was a simpler fix.
First, Jon Busby, who first reported the problem, was able to fix the problem without editing anything, using a third-party utility:
I did a clean delete of NetExtender via AppZapper then reinstalled the download from work. Seems to have done the trick. The version I am on, that works is, 3.5.620.
Rowly Walker described an error message that appears:
I just installed Show Leopard, and I also have the same issue with Net Extender. The following message appears:
FATAL: You don't have permission to read/execute '/etc/ppp/peers'
Loading saved profiles...
Loaded profile: xxx.xxx.com
Alexander Glew reported another error:
It does not work under 10.6, and get a Java error. I have had no luck from the command line either, and get a route not found error.
Bill Beasley sent a summary of a command-line fix:
Sonicwall has released an updated version of their NetExtender client. However, Apple changed the permissions on /usr/sbin/pppd. Root needs to have the setuid bit set on pppd. chmod 4555 /usr/sbin/pppd fixes this. Permission checker will complain about this afterwards, but will leave the setuid bit set. This fix works for me.
Josh Carlson provide some more detail to a similar fix:
The following is the fix to get Netextender running under Snow Leopard:
- Download and install the latest version of Netextender(3.5.634) from the SonicWall demo site:
- It will automatically start and throw up an error. Dismiss this and quit the app.
- - Open a terminal window and issue the following commands to fix the permissions on the /usr/sbin/pppd directory as Super User.
sudo ls -l /usr/sbin/pppd (you'll then be asked for the admin password)
sudo chmod u+s /usr/sbin/pppd
sudo ls -l /usr/sbin/pppd (this will confirm the permissions change)
exit
At this point you should be able to fire up Netextender as normal with no problems.
Scott Waschitz reported SonicWall's description, which appears to differ slightly from Carlson's:
This is taken verbatim from a MySonicwall.com support forum (paid forum):
NetExtender 3.5.x for Mac (and presumably earlier versions) does not work on Snow Leopard out of the box. Here's the fix.
DON'T do this unless you understand what you're doing.
Many binaries in Snow Leopard are no longer setuid root, including pppd. This causes NetExtender to fail to connect since it can't run pppd.
First, reinstall NetExtender after upgrading to Snow Leopard. (This is necessary because somethin'-or-'nother in the profile setup doesn't carry over.)
Next, if you haven't enabled the root account, run Directory Utility to enable it. Directory Utility has moved to /System/Library/CoreServices/Directory Utility.app. Click the lock icon to make changes, then on the Edit menu, choose the option to enable the root user. Choose a password. Lock, then close Directory Utility.
Now, open a terminal. Set the setuid bit on pppd:
su
ls -l /usr/sbin/pppd
chmod u+s /usr/sbin/pppd
ls -l /usr/sbin/pppd
exit
If you've tried these suggestions
Success with NetExtender/Snow Leopard workarounds
Friday, September 18, 2009
Several readers report success for each of the two workarounds reported for problems with SonicWall's NetExtender VPN client in Snow Leopard. Vincent Philion verified the use of the AppZapper utility:
Hi! I did the "zapping" and reinstall and everything worked.
Matthew Pendlebury used the command-line fix in Terminal:
Hi, just wanted to say thanks for getting me up and running again with NetExtender. I tried chmod 4555 /usr/sbin/pppd and it works fine now.
Sundar Siva had the same experience:
Regarding Snow Leopard NetExtender VPN: chmod 4555 /usr/sbin/pppd worked like a charm for NetExtender 3.5.629.
Another reader verifies fix NetExtender VPN client
Monday, September 21, 2009
Navin Jain verified one of the fixes for the Snow Leopard problems with SonicWall's NetExtender VPN client:
I upgraded to Snow Leopard a couple of days ago, and I thought my system was fine, but then I encountered the same problems with NetExtender that you have been documenting. This morning I changed the permissions on /usr/sbin/pppd, and NetExtender is working fine!
Reader verifies fix for Snow Leopard NetExtender VPN conflict
Monday, November 30, 2009
Douglas verified a fix for getting the SonicWall NetExtender Mac virtual private network client to work in Snow Leopard:
The set bit chmod worked. I'm on Snow Leopard. I'm also using the latest download of the client available from the SonicWall web site.
TIP: GUI version of Snow Leopard/Net Extender VPN fix
Don shared an alternative to a previously reported workaround for Snow Leopard problems with SonicWall's NetExtender virtual private network client. The original fix uses Unix commands in Terminal. Don said his workaround accomplishes the same but without the command line:
I also couldn't connect using SonicWall NetExtender v3.5.632 after upgrading my MacBook Pro to Snow Leopard. Since I'm not comfortable with Terminal, and our IT guys were Gone For The Day, I tried Josh Carlson_s tip and Downloaded and installed the latest version of NetExtender from the SonicWALL website using these simple steps:
- Open this link: https://sslvpn.demo.sonicwall.com/cgi-bin/welcome
- Follow the instructions to demo NetExtender
- Click on the NetExtender button (which opens this link: https://sslvpn.demo.sonicwall.com/cgi-bin/portal#)
- Follow the instructions and permanently APPROVE the SonicWALL permissions dialogs that pop up
This installed the latest Snow Leopard friendly version of NetExtender (version 4.0.658) which connected to our SSL-VPN NetExtender without having to do anything in Terminal... Much easier!
My suggestion would be to simply this further to three simple steps:
Go directly to this link: https://sslvpn.demo.sonicwall.com/cgi-bin/portal#
Click on the NetExtender button (which opens this link: https://sslvpn.demo.sonicwall.com/cgi-bin/portal#)
Follow the instructions and permanently APPROVE the SonicWALL permissions dialogs that pop up.
If you've tried this approach
Reader verifies fix for Snow Leopard/Net Extender VPN fix
Casey Lynn had success with the tip "TIP: GUI version of Snow Leopard/Net Extender VPN fix," which is a workaround for problems with SonicWall's NetExtender virtual private network client and Snow Leopard:
This worked! And we used this fix on several machines all running Snow Leopard. Worked like a charm on all of them.
Reader says 10.6.3 broke Netextender VPN, but tip fixed it
Matt Fischer reported that updating to Mac OS X 10.6.3 caused the previously reported problem with SonicWall's NetExtender virtual private network client. He also found that a fix we reported last week solves the problem:
Don's workaround worked great! Thank you so much. I had done the chmod permission change before and NetExtender worked fine. Then I upgraded to 10.6.3 last night. My wife woke up and found that NetExtender no longer worked. I did a net search for issues with NetExtender and 10.6.3 and your site came up and I applied Don's fix and it worked.
I have a question though. How do I go back to changing the chmod permission back to the original settings?
If you can answer Fischer's question, or have tried this fix,
TIP: Advice for secure Cisco settings in Snow Leopard
Wednesday, April 28, 2010
Brian Povlsen (who runs the useful Chicago Mac/PC Support blog on cross-platform issues) sent in some advice and useful information about accessing Cisco virtual private network systems from Snow Leopard:
Your Snow Leopard VPN page has this comment:
Also note that the Cisco VPN Client will not be supported/functional under Mac OS X Snow Leopard (used to kernel panic the machine when booting up if the .kext's were installed, haven't tried under later seeds). I asked Cisco and was told that the only Mac VPN client that would be developed going forward was the AnyConnect VPN.
A direct link to the Cisco documentation that confirms this. It also has some security concerns that an administrator might want to carefully review such as: RetainVpnOnLogoff
true-Keeps the VPN session up when the user logs off a Windows OS. Caution: If split tunneling is enabled on the group policy and Remote Desktop is enabled on the client PC, users who are not authenticated by the secure gateway and who use RDP to log in to the PC have access to the VPN.
false-(Default) Terminates the VPN session when the user logs off a Windows OS.
Personally I will choose false. Keeping a VPN session up is too risky for PCI compliance.
If you have some insight into this issue
Juniper SSL VPN problem with Mac clients
Terence Tellis reports a problem with the Mac Juniper SSL Network client:
I have been facing an issue with the Juniper SSL Network client (Ver 6.2.0) on one of our Mac systems. Initially when I had installed the Juniper network connect client on the system, everything was working fine and there were no issues absolutely. All of a sudden one day it started throwing up an error and just refused to connect after that. The error message is "Your Session Terminated Unexpectedly. A software error caused the tunneling service to terminate."
I have tried uninstalling the Network Connect client and manually reinstalling it but even that didn't work. I even ran the below mentioned commands after reinstalling the juniper client but to no avail.
sudo chmod -R 755 /usr/local/juniper/nc/6.2.0
sudo mkdir /Applications/Network Connect.app/Contents/Frameworks
sudo chmod 4711 /usr/local/juniper/nc/6.2.0/ncncproxyd
I would really appreciate if someone could assist me in resolving this issue.
If you've seen this issue
TIP: Reader says update Juniper SSL VPN Mac client to avoid problems
Peter Bruderer responded to the report Juniper SSL VPN problem with Mac clients with a suggestion to update the client:
Version 6.2.0 from Juniper SSL VPN is old old old. Current version is 6.5R4. Everything works there as expected. Upgrade Juniper SSL VPN.
If you've tried this
Reader says Juniper VPN update doesn't fix Snow Leopard problem
Wednesday, August 4, 2010
Adriana Blandford says that the lastest version of the Juniper SSL VPN Mac client doesn't work, as previously reported.
I have had exactly the same problem that Terence reports. We are now on the current version 6.5R4, and I am still having tunneling issues. When connected to the VPN, cannot access the Internet or network at all. Disconnecting allows me to access the Internet, AND the network.
If you've seen this problem
Current news on the MacWindows home page
 |
Snow Leopard Server for Dummies
By John Rizzo
A 432-page book that simplifies the installation, configuration, and management of Apple's Mac OS X 10.6 Server software. Support Mac and Windows clients for file sharing, email, and directory services; Incorporate a Mac subnet into a Windows Active Directory domain, manage Mac and Windows clients, and configure security options, and more. Click here for more.
|
Mac OS X 10.6.4 update broke Cisco VPN, reader reports
Darlene Burke's Cisco VPN Client no longer worked after upgrading to Mac OS X 10.6.4:
I updated the Mac OS to 10.6.4 and am no longer able to connect using Cisco VPN 4.9.01. I tried reinstalling but when I try to connect it gives me a username and password field but doesn't let me actually type anything into either field. I downloaded a fresh .dmg but no luck.
Not sure if this is the same issue you had noted in your article "Reader sees Error 51 with Cisco VPN and OS X 10.6.3."
I was pulling my hair out trying to resolve it! I went ahead and worked to configure the built-in Snow Leopard client and it works beautifully so I'll likely just go ahead and remove the Cisco VPN client altogether.
If you've seen this occur with the Mac OS X 10.6.4 update
Some see Error 51 with Cisco VPN, 10.6.4; others don't
Tim Haley responded to the reader report that Mac OS X 10.6.4 update broke Cisco VPN:
Yes, I see the Error 51 failure of Cisco VPN every time I attempt to launch it since updating to 10.6.4. Re-installing the client did not seem to help.
However, it works just fine for Bob Crummett:
I am using Cisco's VPN Client 4.9.01.0180 with no problems in OS X 10.6.4 (iMac 27" i7)
Jon Rasmussen also has no problems:
I only use my Cisco VPN to access a FileMaker database on another Mac but all is working fine after the 10.6.4 update. I have no troubles with it.
Same with Stephen Butler:
I haven't had any problems with the Cisco VPN client on 10.6.4 after reinstalling it. Never saw the issues described, but it is working fine on my end.
More on Cisco VPN error 51: the update works, and other workarounds
Several readers responded to a report that updating the Cisco VPN Client for Mac to version 4.9.1(0180) fixes the Error 51 that people are reporting. Several readers also had some other thoughts. Matt Allaire reports:
I too was getting the error. I have OS 10.6.4 and had VPN client 4.9.01.100. Following your advice I got 4.9.01.0180 and it worked perfectly.
Gustav Petersson agrees, and had some other ideas:
Just some general comments on Cisco errors -51. At first vpnclient-darwin-4.9.01.0180-universal-k9.dmg is working noticable better than vpnclient-darwin-4.9.01.0100-universal-k9.dmg - they are both available from Cisco.
The error -51 is an error message telling us that the vpn-client can't see a network interface with an IP-address on it. I have noticed that you sometimes can workaround this by connecting the computer to a network. For example, using WiFi/Airport at home I sometimes get the error -51, if I connect my machine by cable it's fine even though my top priority connection is still AirPort. I've sometimes managed to get this workaround with iPhone and internet tethering as well.
Other ways to get it working is:
- Repair permissions (this could be something in our automated app distribution system resets some permissions).
- Reinstall the app (without restarting).
- Restart with ethernet cable connected.
The update was mostly good for Karl Rittger, except for Mac OS X Server:
The Cisco VPN 4.9.1(0180) works with Mac OS X 10.6.4 on my Macbook Pro, but not on my Mac Mini with OS X Server 10.6.4. On the Mac Mini I get:
Error 51. Unable to communicate with the VPN subsystem. Please make sure that you have at least one network interface that is currently active and has an IP address and start this application again.
My sys admin at UCSB just tried Cisco VPN w/ his OS X Server, 10.6.4 and it worked. Sucks for me cause I can't figure it out. I might try a reinstall because cause the Mac mini is new.
Tried using the built-in VPN but haven't quite got it tweaked to work yet.
Reader sees kernel panics with Cisco VPN and Mac OS X 10.6.4 update
Connie Woodward is seeing kernel panics with the Cisco VPN client since updating to Mac OS X 10.6.4:
Gosh, my machine has crashed already 3 times today, and has been crashing several times daily while on Cisco VPN with software client 4.9.01.0180. Since I've gone to 10.6.x this has been a problem, but not near as frequently as sent I updated to 10.6.4. My machine only crashes when I'm connected on VPN. I can hardly use my machine for work any more. We use Cisco IPsec over UDP so from what I read the built in Mac VPN won't work with that only TCP, do you know differently?
Our IT department does not support Mac (I'm using my home machine to connect to work), so they are no use. I've tried re-installing the VPN client, etc.
If you've seen this problem
Reader says use Cisco AnyConnect, not VPN Client in SL
For Macs running Snow Leopard, John Brigance recommends Cisco's Anyclient overCisco VPN Client:
We quit using Cisco VPN Client for Mac here at UT Austin because it was too unreliable. We now use Cisco AnyConnect VPN Client for all our Macs running on Snow Leopard. You can check it out here. I never have a problem with it.
If this fixes your Snow Leopard/Cisco VPN problems
Citrix VPN Client and AnyConnect are not always interchangable
Thursday, September 2, 2010
Responding to Monday's report of using Cisco AnyConnect instead of Cisco VPN Client for better results in Snow Leopard, Oliver Block warns that the two are not always interchangeable:
Readers should understand that Cisco AnyConnect is not simply a substitute for Cisco VPN Client 4.x. Cisco AnyConnect works with recent Cisco devices and supports SSL VPN. The Cisco AnyConnect VPN client is not compatible with the IPsec VPN tunnels available on many older Cisco devices, e.g. Cisco PIX 500 series firewalls. If a user's network supports Cisco AnyConnect connections, then the user should work with his or her network admin to move to AnyConnect, but that won't be the case for many users. Readers can review this FAQ from Cisco for more information about Cisco AnyConnect VPN Client.
|
|
