Saturday, October 26, 2013

Cisco VPN issue with OS X Mavericks - solved

If you are having an issue with the Cisco VPN client after upgrading to OS X Mavericks, here is the solution...

Open a terminal (iTerm).

# edit the sysctl.conf file
sudo vim /etc/sysctl.conf

# comment out the following line
kern.ipc.maxsockbuf=512000

Your file should look like this after you edit...

#
# Tuning network for broadband
#
# START
# kern.ipc.maxsockbuf=512000
net.inet.tcp.sendspace=131072
net.inet.tcp.recvspace=358400
# END



# Last step is to reboot.
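
The edit described in the post, as an added shell example that is not part of the original post: it comments out an active kern.ipc.maxsockbuf line in a sysctl.conf-style file and saves a backup first. The function names and the temporary sample file are assumptions made for illustration; the sample is constructed to mirror the file shown above before the edit.

```shell
#!/bin/sh
# Added example: comment out one active key in a sysctl.conf-style file,
# keeping a .bak copy so the edit can be rolled back.

# Constructed sample: the post's file as it looks before the edit.
write_sample() {
    cat > "$1" <<'EOF'
#
# Tuning network for broadband
#
# START
kern.ipc.maxsockbuf=512000
net.inet.tcp.sendspace=131072
net.inet.tcp.recvspace=358400
# END
EOF
}

# Print the active (uncommented, non-blank) settings in FILE.
active_settings() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" || true
}

# Comment out every active assignment of KEY in FILE.
# Returns 0 if the file was edited, 1 if nothing matched, 2 on error.
comment_out_key() {
    file=$1; key=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    # Escape the dots so the key name is matched literally.
    re="^[[:space:]]*$(printf '%s' "$key" | sed 's/\./\\./g')[[:space:]]*="
    grep -Eq "$re" "$file" || return 1
    cp -p "$file" "$file.bak" || return 2
    tmp=$(mktemp "${TMPDIR:-/tmp}/sysctl.XXXXXX") || return 2
    # "&" is the matched text, so the original assignment survives after "# ".
    # Writing back with cat keeps the file's owner and mode.
    if sed -E "s/$re/# &/" "$file" > "$tmp" && cat "$tmp" > "$file"; then
        rm -f "$tmp"; return 0
    fi
    rm -f "$tmp"; return 2
}

# Demo on a temporary copy of the sample; on a real system FILE would be
# /etc/sysctl.conf and the script would run as root.
demo=$(mktemp "${TMPDIR:-/tmp}/sysctl.XXXXXX")
write_sample "$demo"
comment_out_key "$demo" kern.ipc.maxsockbuf && active_settings "$demo"
rm -f "$demo" "$demo.bak"
```

As in the post, a change to the real file only takes effect after a reboot.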

47 comments:

  1. /etc/sysctl.conf doesn't exist in OSX.

    Replies
    1. On Mavericks, it does exist.

    2. I'm running Mavericks and the above file does not exist.

  2. The network tuning lines are from the Apple Broadband Tuner ( http://support.apple.com/downloads/Broadband_Tuner_1_0 ). Most OS X installs were not from that era, and don't have those lines.

    Replies
    1. This was from a default Mountain Lion install upgraded to Mavericks.

  3. I tried it this morning, no luck. I also did not have this file available.

  4. This worked perfectly for me. (Original system OS was Mountain Lion, upgraded to Mavericks.) Thank you, thank you, thank you Khalid!

    Replies
    1. I'm glad to see it worked for you as well. Thanks for the feedback.

  5. 100% worked for me. Stock ML install from March 2013 when I bought it new. Cheers man, you saved me hours of nonsense!

  6. Where is this file? In what directory?

  7. Never mind. I don't have that file in my /etc directory. Ugh.

  8. I am missing the sysctl.conf file as well. Can someone post a working copy of one? Not sure if I copy it in place if it will work or not.

  9. A file /etc/sysctl.conf can be created, and the system will read it on the next boot.
    You have the net.inet.tcp.recvspace value set to 358400, but the default value is 131072.

    On my Mavericks installation:
    $ uname -a
    Darwin macbookpro.local 13.0.0 Darwin Kernel Version 13.0.0: Thu Sep 19 22:22:27 PDT 2013; root:xnu-2422.1.72~6/RELEASE_X86_64 x86_64
    $ ls /etc/sysctl.conf
    ls: /etc/sysctl.conf: No such file or directory
    $ sysctl -a | grep kern.ipc.maxsockbuf
    kern.ipc.maxsockbuf: 4194304
    $ sysctl -a | grep net.inet.tcp.sendspace
    net.inet.tcp.sendspace: 131072
    $ sysctl -a | grep net.inet.tcp.recvspace
    net.inet.tcp.recvspace: 131072

    AnyConnect reconnects every 5 minutes... Can you show the kern.ipc.maxsockbuf value on your system? Perhaps net.inet.tcp.recvspace needs to be changed, not sure...

  10. I can create the file? How? I read your post, but it's all Greek to me.

    Replies
    1. Just place a text file named 'sysctl.conf' in the /etc directory.
      But if you do not clearly know what you are doing with this file, please wait. Maybe the values we are discussing do not solve the problem. I need to check it, but I can't do it right now.
      Anyway, you have been warned, be careful.
      sysctl.conf is a kernel tuning file. The system reads it on boot, and in case of mistakes, a wrong line, etc., booting can get stuck or performance may degrade.

  11. Confirmed cases where this has fixed the issue have been Mountain Lion upgraded to Mavericks.

    Replies
    1. Khalid, can you show the values of the kern.ipc.maxsockbuf, net.inet.tcp.sendspace and net.inet.tcp.recvspace keys on a system on which AnyConnect works without issue?

    2. The file in the post is the original from my system. Also, I have 8GB RAM on a MBP and it works for me. So 16GB is not required.

  12. I have an iMac with 16Gb of RAM and an MBP-13 with 8Gb of RAM. Mavericks is installed on both, upgraded from ML to Mavericks. The iMac with 16Gb RAM works fine with AnyConnect.

    16Gb machine - kern.ipc.maxsockbuf = 8388608 (8Mb for network buffer)
    8Gb machine - kern.ipc.maxsockbuf = 4194304 (4Mb for network buffer)

    4Mb of buffer size apparently is not enough for AnyConnect. In my situation AnyConnect reconnects every 4 minutes on my 8Gb MacBook, but works stably on the 16Gb iMac.

    kern.ipc.maxsockbuf can be changed on most systems, but on Mavericks it CAN NOT.
    Trying to change it results in the message "Sysctl: kern.ipc.maxsockbuf: the result is too large".

    So... if your Mac has less than 16Gb of RAM this solution is not for you.

    Replies
    1. I have 8GB of RAM and it's working fine after the fix above.

  13. I don't have the file either. I upgraded from ML but for some reason I don't have that file.

    I created the file inside the /etc folder, rebooted, but no success. It still reconnects every 3 minutes as I can see through the Statistics Window. Although I would say the network connection itself lasts less than 2 minutes. The rest of the 3 minutes it just freezes up.

    Just FYI, my Cisco AnyConnect version is 3.1.02040 running on an 8Gb Mac Mini.

    Thanks for all your efforts out there!

    Replies
    1. Uninstalled v3.1.02040 and installed v3.1.03103 with no success either. The sysctl.conf file was not there, nor did creating it help. FYI.

  14. Hi, I tried creating and changing the values in /etc/sysctl.conf file and rebooted, but there is no luck. I am using MacBook Pro with 8GB RAM and upgraded from Mountain Lion to Mavericks.

    My Cisco AnyConnect version is 3.1.04072

  15. Yep... The amount of memory, as I wrote earlier, does not affect AnyConnect; the problem is deeper.

    Some time ago I set net.inet.ip.scopedroute=0 in /Library/Preferences/SystemConfiguration/com.apple.Boot.plist.

    After removing any added lines from com.apple.Boot.plist, AnyConnect is WORKING without repeated reconnects. It's strange, but I checked several times.

    General idea - remove all kernel flags and parameters set by third-party programs, or by yourself.
    Check the boot arguments in Terminal with the command:

    sysctl -a kern.bootargs

    Output should be:
    $ sysctl -a kern.bootargs
    kern.bootargs:
    $

    Check the /Library/Preferences/SystemConfiguration/com.apple.Boot.plist for any non-default strings. It should look like this:





    Kernel Flags





    com.apple.Boot.plist may be a binary plist. Convert it with this command in Terminal:
    plutil -convert xml1 /Library/Preferences/SystemConfiguration/com.apple.Boot.plist -o ~/Desktop/com.apple.Boot.plist
    A text file will appear on your Desktop. Open it; if there is nothing non-default, don't touch /Library/Preferences/SystemConfiguration/com.apple.Boot.plist

    Check net.inet.ip.scopedroute in Terminal with the command:

    sysctl -a net.inet.ip.scopedroute

    Output should be:
    $ sysctl -a net.inet.ip.scopedroute
    net.inet.ip.scopedroute: 1

    If you see 'net.inet.ip.scopedroute: 0' you need to set it to 1.
    Edit /Library/Preferences/SystemConfiguration/com.apple.Boot.plist, like

    .......

    Kernel Flags
    net.inet.ip.scopedroute=1

    ......

    In my case it helped.

  16. I set my recvspace to the number from the original post above, as such:

    $ sysctl -w net.inet.tcp.recvspace=358400
    net.inet.tcp.recvspace: 131072 -> 358400


    It worked. I have now been successfully connected through VPN for 27+ minutes, without creating a "sysctl.conf" file, and without rebooting. However, after setting my recvspace to 358400, I then attempted to set maxsockbuf to a higher value, which then resulted in me being kicked out to the login screen and having to log in again. I'm on a late 2009 iMac with 4GB of RAM. Following are the values I have:

    kern.ipc.maxsockbuf = 4194304
    net.inet.tcp.sendspace = 131072
    net.inet.tcp.recvspace = 358400

    Stoked!

    Replies
    1. Thanks for sharing Dan. Hopefully this helps the folks with a similar setup.

  17. Worked. Mid 2013 MBA, ML upgraded to Mavericks. No file existed, so I created the file with TextEdit, saved it as a new document on the desktop and moved it to the /etc folder. In the file, copied from above:

    # START
    # kern.ipc.maxsockbuf=512000
    net.inet.tcp.sendspace=131072
    net.inet.tcp.recvspace=358400
    # END

    My VPN connection has not dropped or needed to reconnect since. Thank you Khalid!

  18. Dan, did doing the sysctl -w ** commands result in your fix for the VPN working across reboots? The reason I ask is that this page "http://hints.macworld.com/article.php?story=20060616112919669&mode=print" has the statement "If you would like these changes to be preserved across reboots you can edit /etc/sysctl.conf".

    Replies
    1. Yes, before I rebooted I installed the Apple Broadband Tuner (referred to earlier in the thread) and set the sysctl.conf values to those I used above.

  19. Tried setting the recvspace to 358400 on my MacBook Pro 8G with no help.

  20. MBP 2011, 8gb ram: I fixed my problem by having a connection to a Wifi and the network cable plugged in at the same time. Otherwise, wifi or cable alone, the connection dropped every 2-4min.
    Hope this can help someone.

  21. MacBook Pro 8GB, I have changed recvspace to 358400 and still it's not working :(

  22. My VPN drops every few minutes when connected at the office on wireless n connection. At home connecting from wireless g connection I have no issues at all. Hopefully all my hotels will be wireless g and I will be fine awaiting a fix. If not maybe I will try this fix....

    George

  23. MBPr 15" 2012

    # START
    # kern.ipc.maxsockbuf=512000
    net.inet.tcp.sendspace=131072
    net.inet.tcp.recvspace=358400
    # END

    works for me.

  24. It didn't work at all with the above settings

  25. Thank you so much for this post!!! Editing the sysctl.conf file fixed my problem. Verizon recently had me install Broadband Tuner, which is probably what created that file (if it hadn't already existed) and messed up my VPN connection. Up until I did that, I was able to use AnyConnect without a problem even after upgrading to Mavericks.

  26. This comment has been removed by the author.

  27. I have installed Broadband Tuner http://support.apple.com/downloads/Broadband_Tuner_1_0 and commented out kern.ipc.maxsockbuf=512000 from /etc/sysctl.conf as stated in the original post and rebooted. Cisco AnyConnect VPN still disconnects me after taking the above steps. So this wasn't a solution for me.

  28. Using

    kern.ipc.maxsockbuf=8388608

    worked for me. I did not have the .conf file. The above works if used in the Terminal, but does not save across reboots:

    sudo sysctl -w kern.ipc.maxsockbuf=8388608

    So far, creating a sysctl.conf file has not fixed it on boot for me. Not sure if Mavericks doesn't read that file anymore? Going to try to find a way to ensure this change is made permanently or set on boot using launchd or something else.

  29. This fixed my issue as well. Thanks for including what the finished product should look like. I thought I would have a built in excuse not to work from home since upgrading to Mavericks. Thanks for sharing this information Khalid! :)

  30. Thanks Man.. Worked like a charm!!!!

  31. Mountain Lion to Mavericks broke VPN for my client.

    Tried many, many things to fix. He recently went to Yosemite and same thing. Stumbled across this and IT DID THE TRICK!!! Client was ecstatic! Thank you!

    So even if they went from Mountain Lion to Mavericks to Yosemite, this still fixes it.

  32. Thanks for tracking this, I have the same issue. It disconnects every 1-2 minutes with 10.9 + AnyConnect 3.1. Looking at the stats, it seems that Control Frames are not being received by me during outages. Worth mentioning: I have the problem within my corporate network; from my home DSL it works OK. Thanks to greek vpn free support for helping me further.

  33. Just try disabling IPv6:
    networksetup -setv6off Ethernet
    networksetup -setv6off Wi-Fi
