Wednesday, June 26, 2013

Cisco AnyConnect Secure Mobility Client v3.1 and Mac OS X

A recent issue came up with some of our customers that use Mac computers who were having issues trying to connect to our VPN using the Cisco AnyConnect client v3.0. The root cause was that they were running the latest Mac OS X version, 10.8 Mountain Lion, which is not supported by the AnyConnect version 3.0 and earlier. And of course, the web deploy version 3.0.08057 was what was on our ASA.

In order to fix this specific problem we updated all of the AnyConnect client versions on our ASA to the latest 3.1 releases for Windows, Linux, and Mac, then had our Mac users running 10.8 Mountain Lion log back into the VPN web portal. They were prompted to update their AnyConnect client to the new version, which we had set up on the ASA to force client updates, and now they were able to access VPN without any issues.

However, we found out that there were some caveats with updating to the AnyConnect 3.1 release. We now gained the ability to support 10.8 Mountain Lion operating systems, but 10.5 Leopard support was dropped. So unfortunately, this locked out several of our customers that were still running Mac OS X 10.5 Leopard on their Intel Macs. In short, they couldn’t connect to VPN because the profile settings on our ASA are configured to force the installation of the current edition of the AnyConnect client on the ASA in order to access VPN. When the installer for the 3.1 client launched, they were presented with an error that told them their operating system was not supported, then the install failed. So, since these Mac OS X 10.5 Leopard users couldn't update to the newest client version, they were locked out of our VPN.

As a workaround to support all of the Intel Mac OS X editions, we downgraded the Intel Mac AnyConnect client back to 3.0 and turned off the Auto Update feature on the ASA. This will provide the 3.0 client for those that currently do not have it, as well as not perform the auto update check. The good news is that the new AnyConnect client v3.1 for Windows supports Windows XP all the way up to Windows 8, so there are no worries about upgrading it. Mac OS X is a different story.

According to Cisco, here is their recommended workaround to this issue:

  1. Disable the client check\Auto Update on the ASA.
  2. If there is anyone that needs to connect to VPN with a Mac computer running 10.5 Leopard, downgrade the AnyConnect client to one of the 3.0 releases or provide the DMG installer to the Mac user.
  3. If there is anyone that needs to connect to VPN with a Mac computer running 10.8 Mountain Lion, provide the 3.1 DMG installer to that person.

I hope this helps others out that are experiencing the same issues.

Feel free to peruse the official AnyConnect release notes for more information: http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#wp44364

- Joe