I use multiple VPN clients, depending on which customer I am supporting on which day. I regularly use the Cisco VPN Client, the Cisco AnyConnect VPN Client, and the built-in Native Cisco VPN Support on my Mac (I’m currently running Snow Leopard version 10.6.8.) However, a recent customer project led me to install the Shrew Soft VPN Client they supported so that I could access their network through their Netscreen firewall. (This client is a free IPsec client distributed under open source license, to get it to work in the Mac I needed to also install the LGPL Qt Framework and a TUN/TAP driver, but that is another story…)
Some time later, I found out that after installing the Shrew Soft Client, neither the Cisco VPN Client nor the built-in Native Cisco VPN Support would work on my Mac. The AnyConnect VPN Client still worked fine. Obviously it was time for some troubleshooting.
As a first step, I rebooted my Mac, but the Cisco VPN Client was still unhappy – it could not initialize the IKE ports. From the VPN Client Log file I saw messages such as:
. . . 314 14:39:38.673 07/10/2012 Sev=Info/4 CVPND/0x43400019 Privilege Separation: binding to port: (500). 315 14:39:38.674 07/10/2012 Sev=Warning/2 CVPND/0xC340001C Privilege Separation: unable to bind to port: (500). 316 14:39:38.674 07/10/2012 Sev=Critical/1 CVPND/0xC3400003 Function SocketApiBind() failed with an error code of 0xFFFFFFFF(ike-init-state.cpp:402) 317 14:39:38.674 07/10/2012 Sev=Critical/1 CVPND/0x43400012 Unable to bind to IKE port. This could be because there is another VPN client installed or running. Please disable or uninstall all VPN Clients other than the Cisco VPN Client. 318 14:39:38.674 07/10/2012 Sev=Info/4 CM/0xC3100003 Failure to Initialize IKE ports . . .
The console messages for the built-in Cisco VPN support were not as detailed, but also indicated an issue:
. . . [0x0-0x3a03a].com.cisco.VPNClient bind: Address already in use [0x0-0x3a03a].com.cisco.VPNClient bind: Address already in use [0x0-0x3a03a].com.cisco.VPNClient bind: dst addr 0.0.0.0 port 500 . . .
(On the Mac, you can find console messages using the console.app via Applications > Utilities > Console )
Ok, I removed the Shrew Soft VPN Client, the LGPL Qt Framework, and the TUN/TAP driver. I still got the same messages. Rebooted. I got the same messages. I removed and reloaded the Cisco VPN Client software. I got the same messages. Rebooted. I got the same messages.
I did find a partial work-around – if I added “UseLegacyIKEPort=0” at the end of the .pcf files, I could get the Cisco VPN Client to connect. However, I still had issues with the built-in Native Cisco VPN Support.
Releasing Port 500
I decided that I really needed to release whatever was binding port 500 that IKE/ISAKMP was trying to use. Something was not completely cleaned out from my removal of the Shrew Soft VPN Client. I did try asking the IT Support desk for one of my customers (hey, I was having issues with the VPN to them), as well as the official Apple Support number about how to determine what program was binding a port, and how to release it. I got a couple hints from them, but also did a bunch of Google searches. Other folks had run into a similar binding issue, so I tried to put together the pieces.
By the way, Port 500 is mapped to ISAKMP by default on the Mac, you can see that based on the /etc/services file:
~ cwr$ grep ' 500/' /etc/services isakmp 500/udp # isakmp isakmp 500/tcp # isakmp ~ cwr$
What worked for me to find the process using port 500 was a “list open files” command, and then kill the process with super user priviledges:
~ cwr$ sudo lsof -i ... iked 46 root 15u IPv4 0x0dac7d38 0t0 UDP *:isakmp iked 46 root 16u IPv4 0x0dac7c5c 0t0 UDP *:ipsec-msft ... ~ cwr$ sudo kill -1 46 ~ cwr$
After I killed the iked process, I was able to run the Cisco VPN Client, and the built-in Native Cisco VPN Support.
Permanently Removing the Binding
If you recall, the problem persisted even when I rebooted the Mac previously. So the iked daemon was being called during the start up process. I needed to find and remove this daemon call as well. I started looking for likely processes in startup directories and found it pretty quickly:
~ cwr$ cd /Library/StartupItems StartupItems cwr$ ls StartupItems cwr$ ~ cwr$ cd /Library/LaunchDaemons LaunchDaemons cwr$ ls com.adobe.fpsaud.plist com.barebones.authd.plist com.barebones.textwrangler.plist com.cisco.anyconnect.vpnagentd.plist com.google.keystone.daemon.plist com.microsoft.office.licensing.helper.plist com.rim.BBDaemon.plist com.symantec.MissedTasks.plist com.symantec.Sched501-1.plist com.symantec.avscandaemon.plist com.symantec.deepsight-extractor.plist com.symantec.diskMountNotify.plist com.symantec.navapd.plist com.symantec.navapdaemonsl.plist com.symantec.sharedsettings.plist com.symantec.symSchedDaemon.plist com.symantec.symdaemon.plist net.shrew.iked.plist LaunchDaemons cwr$ sudo rm net.shrew.iked.plist Password: LaunchDaemons cwr$
I rebooted my Mac, and success! My three regularly used VPN clients (the Cisco VPN Client, the Cisco AnyConnect VPN Client, and the built-in Native Cisco VPN Support) all worked. If required, I am pretty sure I could re-install the Shrew Soft VPN Client, and manually kill the iked daemon as needed if I wanted to run other VPN clients.
I hope this explanation may help others with Cisco VPN Client issues.
2 responses to “Troubleshooting Cisco VPN Clients”
I ran into a very similar problem that you describe above with VPN clients. I wasn’t as persistent or skilled at troubleshooting, so I ended up re-installing OS X.
I now use Shimo VPN client:
It can support AnyConnect and Cisco VPN clients, as well as Netscreen, OpenVPN, PPTP, L2TP. It’s much easier only having a single client to deal with.
Hi Oliver –
Thanks for your comments! A single client would indeed be nice, but I have to be flexible, and my customers seem to like me to use their methods of access. (Makes it easier for them…) In my case, re-installing the OS appeared to be more painful than troubleshooting the issue.