Wednesday, March 14, 2007

Mac OS X 10.4.9 fixes Cisco VPN client and ipfw

But they don't mention it in their "About the Mac OS X 10.4.9 Update (delta)" page. I bring it up because this is an issue that I've been dealing with for the year and a half that I've had my 12" PowerBook G4. Every time I connected to the VPN at work using the Cisco VPN client, I suddenly couldn't browse the web, check e-mail, etc. After digging around some logs, I found that TCP fragments were being blocked by the Mac OS X firewall (ipfw), according to /var/log/ipfw.log. The following command fixed things:

sudo ipfw add 05000 allow tcp from any to any frag

So, a week ago, one of our network engineers came to Jordan who sent him on to me about a problem a big Apple user on campus was having with the VPN. I was inserted into the conversation and told them about my "fix" for the problem. At some point in the thread after discussing how normal end users could never do this, an Apple e-mail address was CC'ed.

A week later, 10.4.9 is released. I rebooted this morning after the update and connected to the VPN about 15 mins ago. As I was typing the "fix," Mac Mail alerts me that I have new mail. Huh? How did it work? I didn't put the "fix" in as a permanent rule. Let's check the ipfw rules...

02065 allow tcp from any to any frag

How nice of them to fix the problem. I checked Apple's support site to see if it was mentioned in the update...of course not! Just another silent fix from Apple. Thanks fellas!
