I’ll just leave a note here for those of you who have seemingly random kernel panics at conferences or other places with IPv6 while you’re connected to your employer’s network using Cisco’s VPN client.
Cisco VPN-client, VMware, IPv6 and Mac OS X equals kernel panic
Here’s the magic recipe for cooking up a kernel panic.
- Mac OS X Leopard, any version will do (Tiger might be affected too)
- VMware or Parallels installed (a VM does not need to be running)
- IPv6 enabled on an interface attached to a network where IPv6 is actively spoken
- Connect to your corporate network with Cisco’s VPN client (any version will do)
- Do some work, preferrably important, at your computer for less than 10 minutes
Before you know it Cisco’s com.cisco.nke.ipsec kernel extension decides it’s a good time crash Mac OS X.
After the kernel panic you’ll have a brand new file in /Library/Logs/PanicReporter. It will look something like this:
Wed Sep 2 00:35:04 2009
panic(cpu 1 caller 0×001AB0FE): Kernel trap at 0×4860f618, type 14=page fault, registers:
CR0: 0×8001003b, CR2: 0×0eae60b1, CR3: 0×01088000, CR4: 0×00000660
EAX: 0×00000004, EBX: 0×0eae60b1, ECX: 0×00000003, EDX: 0×0eae60b1
CR2: 0×0eae60b1, EBP: 0×47bc7868, ESI: 0×0eae5cb1, EDI: 0×0eae5c50
EFL: 0×00010206, EIP: 0×4860f618, CS: 0×00000008, DS: 0×0e5b0010
Error code: 0×00000000Backtrace (CPU 1), Frame : Return Address (4 potential args on stack)
0×47bc7678 : 0×12b4c6 (0×45f91c 0×47bc76ac 0×13355c 0×0)
0×47bc76c8 : 0×1ab0fe (0×469a98 0×4860f618 0xe 0×469248)
0×47bc77a8 : 0×1a1713 (0×47bc77c0 0×0 0×47bc7868 0×4860f618)
0×47bc77b8 : 0×4860f618 (0xe 0×530048 0×47bc0010 0xe5b0010)
0×47bc7868 : 0×4860fe72 (0xeae60b1 0×601a8c0 0xd0511ac 0×12fdc2)
0×47bc78b8 : 0×48610bc0 (0xd0511ac 0xeae5c30 0×6 0×379d2b)
0×47bc7938 : 0×48609f8b (0xfb12804 0xfd7b80c 0xeae5c0e 0xf3)
0×47bc79c8 : 0×4860a912 (0xfb12804 0xfd7b80c 0xeae5c0e 0xf3)
0×47bc7a88 : 0×4860675e (0×47bc7adc 0×47bc7ae0 0×47bc7ae4 0×47bc7ad4)
0×47bc7b08 : 0×218126 (0×0 0×5897004 0×2 0×47bc7b6c)
0×47bc7b88 : 0×22af42 (0×5897004 0×2 0×43599900 0xab2bb50)
0×47bc7bb8 : 0×245220 (0×5897004 0×2 0×43599900 0xab2bb50)
0×47bc7d78 : 0×24bcd3 (0×43599900 0×1 0×0 0xd07da00)
0×47bc7de8 : 0×24d4c2 (0×1 0×0 0×0 0×1)
0×47bc7f18 : 0×24fd6f (0xd07da68 0×206 0×47bc7f58 0×23271f)
0×47bc7f58 : 0×2503a2 (0xd07da68 0×0 0×1 0×1a436f)
Backtrace continues…
Kernel loadable modules in backtrace (with dependencies):
com.cisco.nke.ipsec(2.0.1)@0×48604000->0×48672fffBSD process name corresponding to current thread: kernel_task
Mac OS version:
9L30Kernel version:
Darwin Kernel Version 9.8.0: Wed Jul 15 16:55:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_I386
System model name: MacBookPro2,2 (Mac-F42187C8)
A known bug
This is a known bug. Here’s an excerpt I got after trying to convince Cisco for months that their kernel extension is buggy for their VPN client is broken on Mac OS X.
Cisco VPN Client for Mac OS X is not supported if Fusion, Parallels or Crossover is installed on the same workstation. This hasn’t been documented yet in the usual way but there is a bug in the bug toolkit for that:
CSCsj38286 Bug Details
================
unity mac fails with parallels fusion and crossoverSymptoms
================
Parallels, Fusion, and CrossOver prevent the VPN Client from working properly.Conditions
================
The VPN Client does not support the use of virtual environments.Workarounds
================
Cisco VPN with Parallels:* Install the VPN Client SW on MacOS.
* Configure Paralllels Networking. You’ll probably want to use “shared networking” in Parallels. This causes Parallels to share a single MacOSX-side IP address by using NAT on all network traffic to/from the guest virtual machines/OS’s. Some applications (IPTV) are NAT-intolerant and won’t work in this case.Alternately, instead of running Cisco VPN Client on MacOS, it can be run on the Windows side. Of course, then MacOSX would not be ‘inside’ the VPN but Windows would be.
It will not be fixed even though the bug is easily reproducible.
The workaround
Remember the key ingredients previously listed? Cisco VPN (connected to the VPN), VMware/Parallels and IPv6. Take one out and the problem goes away!
You obviously need Cisco VPN to be able to work so it’s not a good candidate for removal. VMware/Parallels could be removed but it’s quite convenient to have the ability to run VMs on your computer. That leaves us with IPv6, which happens to be easy to turn off an on. Just go to System Preferences, Network, Advanced, the TCP/IP tab and set “Configure IPv6″ to “Off”. Now you’ll be able to work connected to a VPN while still being able to keep VMware/Parallels on the same computer.
Yet another IPv6 issue with Cisco VPN client
VPN concentrators and the like can force connecting clients to block access to the LAN they’re on. This feature is called “Allow local LAN access” and is usually turned off (i.e, block local LAN access). The obvious use for this is to prevent potential attackers (or worms, viruses, ..) from accessing the corporate network through a client connected to it via a VPN connection.
This blocking feature on the client does not work with IPv6 (or anything else than IPv4). So, if you’ve got a client with IPv4 and IPv6, connecting to your corporate network with Cisco’s VPN client it’s possible for a remote attacker to gain access to your network by first accessing the client over IPv6 and then walking straight into to your network over the VPN connection. Lame.
Snow Leopard has native support for Cisco IPSec VPN
Go to System Preferences, select Network and add a new network interface of type VPN (Cisco IPSec).
Recent comments