
I use multiple VPN clients, depending on which customer I am supporting on which day. I regularly use the Cisco VPN Client, the Cisco AnyConnect VPN Client, and the built-in Native Cisco VPN Support on my Mac (I’m currently running Snow Leopard version 10.6.8.) However, a recent customer project led me to install the Shrew Soft VPN Client they supported so that I could access their network through their Netscreen firewall. (This client is a free IPsec client distributed under an open source license; to get it to work on the Mac I also needed to install the LGPL Qt Framework and a TUN/TAP driver, but that is another story…)

Some time later, I found out that after installing the Shrew Soft Client, neither the Cisco VPN Client nor the built-in Native Cisco VPN Support would work on my Mac. The AnyConnect VPN Client still worked fine. Obviously it was time for some troubleshooting. 

Background
As a first step, I rebooted my Mac, but the Cisco VPN Client was still unhappy – it could not initialize the IKE ports. From the VPN Client Log file I saw messages such as:

. . .
314 14:39:38.673 07/10/2012 Sev=Info/4 CVPND/0x43400019
Privilege Separation: binding to port: (500).

315 14:39:38.674 07/10/2012 Sev=Warning/2 CVPND/0xC340001C
Privilege Separation: unable to bind to port: (500).

316 14:39:38.674 07/10/2012 Sev=Critical/1 CVPND/0xC3400003
Function SocketApiBind() failed with an error code of
0xFFFFFFFF(ike-init-state.cpp:402)

317 14:39:38.674 07/10/2012 Sev=Critical/1 CVPND/0x43400012
Unable to bind to IKE port. This could be because there is another VPN
client installed or running. Please disable or uninstall all VPN Clients
other than the Cisco VPN Client.

318 14:39:38.674 07/10/2012 Sev=Info/4 CM/0xC3100003
Failure to Initialize IKE ports
. . .

The console messages for the built-in Cisco VPN support were not as detailed, but also indicated an issue:

. . .
[0x0-0x3a03a].com.cisco.VPNClient[359] bind: Address already in use
[0x0-0x3a03a].com.cisco.VPNClient[359] bind: Address already in use
[0x0-0x3a03a].com.cisco.VPNClient[359] bind: dst addr 0.0.0.0 port 500
. . .

(On the Mac, you can view console messages with Console.app, via Applications > Utilities > Console.)

Ok, I removed the Shrew Soft VPN Client, the LGPL Qt Framework, and the TUN/TAP driver. I still got the same messages. Rebooted. I got the same messages. I removed and reloaded the Cisco VPN Client software. I got the same messages. Rebooted. I got the same messages.

Partial Work-around
I did find a partial work-around – if I added “UseLegacyIKEPort=0” at the end of the .pcf files, I could get the Cisco VPN Client to connect. However, I still had issues with the built-in Native Cisco VPN Support.

Releasing Port 500
I decided that I really needed to release whatever was binding port 500, the port that IKE/ISAKMP was trying to use. Something was not completely cleaned out by my removal of the Shrew Soft VPN Client. I did try asking the IT Support desk of one of my customers (hey, I was having issues with the VPN to them), as well as the official Apple Support number, about how to determine what program was binding a port and how to release it. I got a couple of hints from them, but also did a bunch of Google searches. Other folks had run into a similar binding issue, so I tried to put together the pieces.

By the way, port 500 is mapped to ISAKMP by default on the Mac; you can see that in the /etc/services file:

~ cwr$ grep ' 500/' /etc/services
isakmp 500/udp # isakmp
isakmp 500/tcp # isakmp
~ cwr$

What worked for me was to find the process using port 500 with the “list open files” command (lsof), and then kill that process with superuser privileges:

~ cwr$ sudo lsof -i
...
iked 46 root 15u IPv4 0x0dac7d38 0t0 UDP *:isakmp
iked 46 root 16u IPv4 0x0dac7c5c 0t0 UDP *:ipsec-msft
...

~ cwr$ sudo kill -1 46
~ cwr$

After I killed the iked process, I was able to run the Cisco VPN Client and the built-in Native Cisco VPN Support.

Permanently Removing the Binding
If you recall, the problem persisted even when I rebooted the Mac previously, so the iked daemon was being started during the boot process. I needed to find and remove this daemon launch as well. I started looking for likely entries in the startup directories and found it pretty quickly:

~ cwr$ cd /Library/StartupItems
StartupItems cwr$ ls
StartupItems cwr$
~ cwr$ cd /Library/LaunchDaemons
LaunchDaemons cwr$ ls
com.adobe.fpsaud.plist
com.barebones.authd.plist
com.barebones.textwrangler.plist
com.cisco.anyconnect.vpnagentd.plist
com.google.keystone.daemon.plist
com.microsoft.office.licensing.helper.plist
com.rim.BBDaemon.plist
com.symantec.MissedTasks.plist
com.symantec.Sched501-1.plist
com.symantec.avscandaemon.plist
com.symantec.deepsight-extractor.plist
com.symantec.diskMountNotify.plist
com.symantec.navapd.plist
com.symantec.navapdaemonsl.plist
com.symantec.sharedsettings.plist
com.symantec.symSchedDaemon.plist
com.symantec.symdaemon.plist
net.shrew.iked.plist
LaunchDaemons cwr$ sudo rm net.shrew.iked.plist
Password:
LaunchDaemons cwr$
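The two steps above (find the process holding UDP 500, then find the launchd item that starts it at boot) can be scripted. The following POSIX shell helper is an added example, not code from the original post or from Shrew Soft: it parses `sudo lsof -i` output to report the process bound to UDP port 500 (isakmp), and it greps a LaunchDaemons directory for the plist whose contents mention the binary, so the boot-time source is found by content rather than by guessing a file name. The embedded lsof sample is constructed in the shape of the lines shown above (PIDs and device ids are made up), and the plist contents mentioned in the usage note are likewise assumed.

```shell
#!/bin/sh
# Added example (not from the original post): locate the holder of UDP 500
# and the launchd plist that starts it. Needs only sh, awk, grep, sort, head.

# Constructed sample in the shape of `sudo lsof -i` output; the values are
# made up for the example and are not from a real machine.
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
launchd     1 root   10u  IPv4 0x0dac7a00      0t0  UDP *:mdns
iked       46 root   15u  IPv4 0x0dac7d38      0t0  UDP *:isakmp
iked       46 root   16u  IPv4 0x0dac7c5c      0t0  UDP *:ipsec-msft'

# Read lsof output on stdin and print "COMMAND PID" for every process bound
# to UDP isakmp. Matches both the service name (default lsof output) and the
# numeric port (lsof -P); `:500$` does not match the NAT-T port *:4500.
# sort -u collapses processes that hold several sockets, as iked does above.
port500_holders() {
    awk '$8 == "UDP" && ($9 ~ /:isakmp$/ || $9 ~ /:500$/) { print $1, $2 }' | sort -u
}

# The first PID found in the given lsof text: the number to hand to kill(1),
# after checking that COMMAND really is the daemon you expect (here: iked).
port500_pid() {
    printf '%s\n' "$1" | port500_holders | awk '{ print $2 }' | head -n 1
}

# List plists under a LaunchDaemons directory whose contents mention the
# given program name, e.g.: plists_mentioning /Library/LaunchDaemons iked
# Prints nothing (exit 1 from grep) when no plist references the name.
plists_mentioning() {
    grep -l -- "$2" "$1"/*.plist 2>/dev/null
}

# Stand-alone run: report what the constructed sample would show.
printf '%s\n' "$SAMPLE_LSOF" | port500_holders
```

Against a live system, feed the functions with `sudo lsof -i -n -P | port500_holders` and `plists_mentioning /Library/LaunchDaemons iked` (also worth checking /Library/LaunchAgents and ~/Library/LaunchAgents). After the `kill`, run lsof again before starting the Cisco client: `kill -1` sends SIGHUP, which some daemons treat as a reload request rather than an exit, and a launchd job with KeepAlive set is respawned. For a job that launchd manages, `sudo launchctl unload -w /Library/LaunchDaemons/net.shrew.iked.plist` stops it and records it as disabled across reboots, a reversible alternative to deleting the plist.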

I rebooted my Mac, and success! My three regularly used VPN clients (the Cisco VPN Client, the Cisco AnyConnect VPN Client, and the built-in Native Cisco VPN Support) all worked. If required, I am pretty sure I could re-install the Shrew Soft VPN Client, and manually kill the iked daemon as needed if I wanted to run other VPN clients.

I hope this explanation may help others with Cisco VPN Client issues.

— cwr

Carole Warner Reece

Architect

A senior network consultant with more than fifteen years of industry experience, Carole is one of our most highly experienced network professionals. Her current focus is on the data center and on network infrastructure.