Anything new after one more year passed? I think I have the same problem, but using the system's IKEv2. If the Mac goes to sleep for about 5 minutes, after it wakes up, the VPN connection gets dropped and it reconnects. Then after 20 seconds that new connection drops. In Console I can see this log: `Extension com.apple.NetworkExtension.IKEv2Provider died unexpectedly`. Looks like it got a lot worse in Catalina, especially the latest 10.15.4. If you need any information I'll be glad to provide it.
OK, I've filed a report: FB7716038. Hope this will be fixed soon, because all the VPN clients that are using the native IKEv2 implementation suffer from this issue.
Thanks for the suggestion. I've switched to automatic signing and when I'm trying to export an app with Developer ID signing, I get an error:
Cannot create a Developer ID provisioning profile for "my app bundle"
The Network Extensions capability is not available for Developer ID provisioning profiles. Disable this feature and try again.
Does it mean it's impossible to distribute apps with Network Extensions outside Mac AppStore?
Found this page, that suggests it should be available: https://help.apple.com/developer-account/#/devadf555df9
OK, now that I've looked at it more closely, I've found that the generated PPs all have "-systemextension" appended to their values, whereas the app's entitlement doesn't have that. I've gone through the PP settings on developer.apple.com but can't find a way to get rid of those appendices. What are they for?
OK, but now the question is how to make an Xcode project work for signing with both Developer ID and simple development PPs?
If I add "-systemextension" to all network extension capabilities in the entitlements file, Xcode accepts my Developer ID. But now it complains if I select a PP for development (with type: Development), because this one, when downloaded from developer.apple.com, has network extension capabilities without "-systemextension".
For future reference:
The working solution is to have two entitlements files, one of them having "-systemextension" added where needed, and build settings set up in a way that will use one file for the debug build and the other for release.
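As an added example (not part of the original posts and not Apple's tooling): a small Python check that keeps the two entitlements files described above in step, so the Developer ID file carries "-systemextension" on every Network Extension value and nothing else drifts. It assumes the values live under the `com.apple.developer.networking.networkextension` key and that the two files should otherwise be identical; the sample plists are constructed.

```python
import plistlib

# Assumption: the Network Extension capability values are listed under this key.
NE_KEY = "com.apple.developer.networking.networkextension"
SUFFIX = "-systemextension"


def _base(value):
    """Strip the Developer ID suffix so values from both files can be compared."""
    return value[:-len(SUFFIX)] if value.endswith(SUFFIX) else value


def check_entitlement_pair(dev_plist, devid_plist):
    """Compare a development and a Developer ID entitlements file (raw bytes).

    Returns a list of human-readable problems; an empty list means consistent.
    """
    dev, devid = plistlib.loads(dev_plist), plistlib.loads(devid_plist)
    dev_vals, devid_vals = dev.get(NE_KEY, []), devid.get(NE_KEY, [])
    problems = []
    for v in dev_vals:
        if v.endswith(SUFFIX):
            problems.append("development file has suffixed value: " + v)
    for v in devid_vals:
        if not v.endswith(SUFFIX):
            problems.append("Developer ID file is missing the suffix on: " + v)
    # Same set of providers must be requested in both files.
    if {_base(v) for v in dev_vals} != {_base(v) for v in devid_vals}:
        problems.append("the two files request different Network Extension providers")
    # Every other entitlement should match, otherwise release behaves differently.
    for key in sorted((set(dev) | set(devid)) - {NE_KEY}):
        if dev.get(key) != devid.get(key):
            problems.append("entitlement differs between files: " + key)
    return problems


# Constructed sample inputs (not taken from any real project).
SAMPLE_DEV = plistlib.dumps({
    NE_KEY: ["packet-tunnel-provider"],
    "com.apple.security.app-sandbox": True})
SAMPLE_DEVID = plistlib.dumps({
    NE_KEY: ["packet-tunnel-provider-systemextension"],
    "com.apple.security.app-sandbox": True})
SAMPLE_DRIFTED = plistlib.dumps({
    NE_KEY: ["packet-tunnel-provider"],          # suffix forgotten
    "com.apple.security.app-sandbox": False})    # sandbox setting drifted

if __name__ == "__main__":
    print(check_entitlement_pair(SAMPLE_DEV, SAMPLE_DEVID))
    print(check_entitlement_pair(SAMPLE_DEV, SAMPLE_DRIFTED))
```

Run as a pre-build step, it catches the case where a capability is added to one entitlements file and not the other.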
Another scenario:
`OSSystemExtensionManager.shared.submitRequest(OSSystemExtensionRequest.activationRequest(...))`
The user sees a system modal asking to go to the settings and enable the extension, but presses OK and does nothing.
The next time the app tries to submit a new activation request, the delegate receives `request(_:actionForReplacingExtension:withExtension:)` and returns `.cancel` because the versions are the same.
The delegate's `request(_ request: OSSystemExtensionRequest, didFailWithError error: Error)` is called with the error `OSSystemExtensionError.requestCanceled`.
Nowhere in this sequence did the app have a chance to know that the user still hasn't accepted installation of the extension.
I also submitted a report in Feedback assistant regarding this issue: FB8978342.
At the moment the only workaround I see to make the app a little more user-friendly is to always return `.replace` in `request(_:actionForReplacingExtension:withExtension:)`, because in this case, if the user has not yet allowed installation of the extension, the system modal will appear one more time asking the user to do it. Of course this means that after the user accepts it, the app will flood extensions with installation requests all the time it tries to use its extension.
Were you able to find an underlying problem?
Here it is:
error 12:27:00.717255+0200 Sandbox: my.app.bundle.id(31524) System Policy: deny(1) system-privilege 10006 kernel
Looks like it pops-up every time a NetworkExtension tries to write to log file.
Catalina 10.15.7 (19H114)
Xcode Version 12.4 (12D4e)
Sandboxed app with sandboxed NetworkExtension (Packet tunnel). App can write logs to file inside its container without problems. When Extension tries to write to file, system-privilege 10006 appears in logs.
PS. Is there any possibility to stop the Console app from removing older logs? Messages appear so fast that it is difficult to find anything useful before they disappear. And creating sysdiagnose reports every time takes too much time.
Ohh, I'm so sorry! I missed one zero :(
It is `#define PRIV_NET_PRIVILEGED_NECP_MATCH 10006 /* Privilege verified by Network Extension policies */`. And the problem is in Network Extension indeed.
Maybe it is not because of writing to file, that was just my hypothesis. Any ideas on what can be the cause?
And thanks a lot for log commands, that's actually enough for me, and works much faster!
Looks like when I try to write to the Keychain from extension, I get the same error on write.
Yes, there are a few actually. One of them is that sandboxed system extensions (network extension) can't write logs to a file. Another is that the same extension can't read from the keychain. But I'm not sure it is related to this error, as it (the 10006 error) actually went away lately.