Cisco AnyConnect VPN Problem on Mac OS X

After persistent problems getting the Cisco AnyConnect VPN Client (version 2.5.3055, running on Mac OS X 10.5.8) to connect to the VPN concentrator (from behind a firewall), the following two actions appear to have solved this problem:

  1. Rename:
       ~/.anyconnect
    to:
       ~/.anyconnect_bad
    I am not certain that this made a lasting difference, but I was able to get a connection after moving this file. However, when I tried later, I was again unable to connect, so go figure. In any event, renaming (or deleting) the file does not appear to have caused any lasting problems.
  2. Move:
       ~/Library/Preferences/com.apple.security.revocation.plist
    to:
       ~/Library/Preferences_bad/com.apple.security.revocation.plist
    Or simply delete the file; it will be recreated if it is needed, and the default is for OCSP and CRL to be disabled.
    I'm not sure why this Preferences PropertyList caused problems, but when watching the packets (during unsuccessful connection attempts), the Cisco AnyConnect VPN Client (or Mac OS X on the Client's behalf) made various OCSP-related queries (that were never answered).

    As an alternative to renaming (or deleting) the file:

       ~/Library/Preferences/com.apple.security.revocation.plist
    (to disable OCSP and CRL), execute the following commands in the Terminal:
      % defaults write com.apple.security.revocation CRLStyle -string None
      % defaults write com.apple.security.revocation OCSPStyle -string None
    

    For reference, the contents of the default (automatically recreated) Security Preferences PropertyList (which allows the Cisco AnyConnect VPN Client to connect) are shown below.

    % /usr/libexec/PlistBuddy -c Print ~/Library/Preferences/com.apple.security.revocation.plist 
    Dict {
        OCSPStyle = None
        OCSPSufficientPerCert = true
        CRLStyle = None
        RevocationFirst = OCSP
        CRLSufficientPerCert = true
    }
    
    For reference, the contents of the Security Preferences PropertyList (that caused the Cisco AnyConnect VPN Client not to connect) are shown below.

    % /usr/libexec/PlistBuddy -c Print ~/Library/Preferences_bad/com.apple.security.revocation.plist
    Dict {
        OCSPStyle = BestAttempt
        OCSPSufficientPerCert = true
        CRLStyle = BestAttempt
        RevocationFirst = OCSP
        CRLSufficientPerCert = true
    }
    
    This fix has been working since I applied it.

Background (edited from:  <http://lists.apple.com/archives/remote-desktop/2011/Mar/msg00004.html>)

The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate.
A certificate revocation list (CRL) is a list of certificates (or more specifically, a list of serial numbers for certificates) that have been revoked, and therefore should not be relied upon.

Note that in Mac OS X, OCSP and CRL are not enabled by default.

The Security Preferences PropertyList (above) may have been set to the properties shown (enabling OCSP and CRL) by following the steps shown below. Note that enabling OCSP and/or CRL appears to disable the Cisco AnyConnect VPN Client (at least from behind a reasonably secure firewall).

This will tell Safari, or any other program that uses the built-in certificates on Mac OS X, to check these servers before accepting any SSL certificate on a web site (or any other communication that uses https:, such as the Cisco AnyConnect VPN Client).

Note: These commands will need to be run on a per-user basis, as Keychain is looking to the file:

   ~/Library/Preferences/com.apple.security.revocation.plist
for these settings.

Alternatively, the settings can be established to enable OCSP and CRL by executing the following commands in the Terminal. Again, note that enabling OCSP and/or CRL appears to disable Cisco AnyConnect VPN Client (at least from behind a reasonably secure firewall).

  % defaults write com.apple.security.revocation CRLStyle -string BestAttempt
  % defaults write com.apple.security.revocation OCSPStyle -string BestAttempt
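The following script is an added example, not part of the original note: it reads the Security Preferences PropertyList in the same PlistBuddy "Print" format quoted above (the two Dict listings are embedded as constructed samples), reports whether OCSP or CRL checking is enabled, and prints the "defaults write ... None" commands that would reset each enabled style. It assumes the key names shown on the page (OCSPStyle, CRLStyle) and the PlistBuddy path /usr/libexec/PlistBuddy; on a Mac where that file exists it reads the live file, elsewhere it falls back to the samples so it can be run anywhere.

```shell
#!/bin/sh
# Added example (not from the original note): inspect the revocation-checking
# settings in PlistBuddy "Print" format and report whether OCSP/CRL checking
# is on, plus the `defaults write` commands that would turn it back off.

# Constructed sample: the default (working) contents quoted in the note.
REVOCATION_DEFAULT='Dict {
    OCSPStyle = None
    OCSPSufficientPerCert = true
    CRLStyle = None
    RevocationFirst = OCSP
    CRLSufficientPerCert = true
}'

# Constructed sample: the contents that kept the VPN client from connecting.
REVOCATION_BAD='Dict {
    OCSPStyle = BestAttempt
    OCSPSufficientPerCert = true
    CRLStyle = BestAttempt
    RevocationFirst = OCSP
    CRLSufficientPerCert = true
}'

# plist_get DICT KEY: print the value of KEY from PlistBuddy-style output
# (prints nothing if the key is absent).
plist_get() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2 = \([^[:space:]]*\).*/\1/p"
}

# revocation_mode DICT: print "disabled" when both OCSPStyle and CRLStyle are
# None (an absent key also counts as None, the Mac OS X default), otherwise
# "enabled OCSP=<style> CRL=<style>".
revocation_mode() {
    ocsp=$(plist_get "$1" OCSPStyle)
    crl=$(plist_get "$1" CRLStyle)
    ocsp=${ocsp:-None}
    crl=${crl:-None}
    if [ "$ocsp" = None ] && [ "$crl" = None ]; then
        echo disabled
    else
        echo "enabled OCSP=$ocsp CRL=$crl"
    fi
}

# disable_commands DICT: print the `defaults write` command for each style
# that is set to something other than None. Nothing is executed here; pipe
# the output into sh to apply it for the current user.
disable_commands() {
    for key in CRLStyle OCSPStyle; do
        style=$(plist_get "$1" "$key")
        if [ -n "$style" ] && [ "$style" != None ]; then
            echo "defaults write com.apple.security.revocation $key -string None"
        fi
    done
}

# Read the live per-user file on Mac OS X (same command as in the note);
# otherwise use the constructed "bad" sample so the script runs elsewhere.
PLIST="$HOME/Library/Preferences/com.apple.security.revocation.plist"
if [ -x /usr/libexec/PlistBuddy ] && [ -f "$PLIST" ]; then
    current=$(/usr/libexec/PlistBuddy -c Print "$PLIST")
else
    current=$REVOCATION_BAD
fi
echo "revocation checking: $(revocation_mode "$current")"
disable_commands "$current"
```

Because the settings live in the per-user PropertyList, the printed commands only change the account that runs them; running the script as each affected user (or checking each user's file) is what the "per-user basis" note above implies.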

Last Updated: 2012 December 29, Saturday, 15:18:50 PST (UTC-0800)