Setting includeAllNetworks usually blocks GW connection in the extension, "kernel ALF, old data swfs_pid_entry"?

I'm seeing the connection to the VPN gateway failing in our Network Extension (not a System Extension) most of the time. Sometimes it succeeds. There's no difference in what the application or the extension are doing in the two cases.

I can't see a pattern to when it fails, but in the console I see different messages. The only thing I've seen showing up consistently on failures but not successes is the message about the swfs_pid_entry.

On failure:

vpn_extension Gateway address 10.10.10.10, port 443

kernel ALF, old data swfs_pid_entry <private>, updaterules_msg <private>, updaterules_state <private>

vpn_extension connect failed with error 65 (No route to host)

kernel connect() - failed necp_set_socket_domain_attributes

vpn_extension Connect returncode 65

On success:

vpn_extension Gateway address 10.10.10.10, port 443

trustd  User has disabled system data installation.  

After some more logging, I see that "kernel connect() - failed necp_set_socket_domain_attributes" shows up even on success in some cases. Haven't seen "kernel ALF, old data swfs_pid_entry <private>, updaterules_msg <private>, updaterules_state <private>" on success.

I don’t have a good answer for you but I can at least expand some terms:

  • ALF probably means Application-Level Firewall, that is, the firewall you enable in System Preferences > Security & Privacy > Firewall.

  • necp stands for Network Extension Control Policy, which is the subsystem within Apple platforms that determines which processes have access to which network interfaces.

Also, I see some private data omitted in your logs. To include that data while you investigate this issue, see the info in Your Friend the System Log.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks. I already added the logging profile, set the log config to debug, and turned up CFNETWORKS_DIAGNOSTICS. I'll take a look and see what I might have missed.

I occasionally see the "failed necp_set_socket_domain_attributes" even in success cases, so I suspect that one's a red herring.

Still haven't figured out what to set to see the ALF data, but I noticed that there are some messages from netext about the connection that's failing.

netext is a Microsoft Defender extension. If includeAllNetworks is on and Microsoft Defender is trying to do something with the traffic to the Gateway I suspect that it would be a problem.

Are there any known issues that you can say anything about WRT anti-malware (e.g., Microsoft Defender) & proxy software (e.g., iBoss) interacting with VPN packet tunnels?

It'll be tricky for me to find a test system which has none of these installed...
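One way to make the "which kernel message actually correlates with failure" check systematic, as an added example that is not from this thread: a small Python script that groups unified-log lines into connection attempts (one per "Gateway address" line) and counts, per kernel message, how often it appears in failed versus successful attempts. The sample lines are constructed from the excerpts above; the "Connect returncode 0" line for a successful attempt is an assumption, since the thread only shows the failing returncode 65.

```python
import re
# Constructed sample modelled on the thread's excerpts; "returncode 0" lines are an assumed success marker.
SAMPLE_LOG = """\
vpn_extension Gateway address 10.10.10.10, port 443
kernel ALF, old data swfs_pid_entry <private>, updaterules_msg <private>, updaterules_state <private>
vpn_extension connect failed with error 65 (No route to host)
kernel connect() - failed necp_set_socket_domain_attributes
vpn_extension Connect returncode 65
vpn_extension Gateway address 10.10.10.10, port 443
vpn_extension Connect returncode 0
vpn_extension Gateway address 10.10.10.10, port 443
kernel connect() - failed necp_set_socket_domain_attributes
vpn_extension Connect returncode 0
"""
MARKERS = {
    "alf_swfs_pid_entry": re.compile(r"kernel ALF, old data swfs_pid_entry"),
    "necp_domain_attrs": re.compile(r"necp_set_socket_domain_attributes"),
}

def split_attempts(log_text):
    attempts = []
    for line in log_text.splitlines():
        if "Gateway address" in line:  # each gateway line starts a new attempt
            attempts.append([])
        if attempts:  # lines before the first attempt carry no verdict, skip them
            attempts[-1].append(line)
    return attempts

def attempt_failed(attempt):
    """True on non-zero returncode or explicit 'connect failed'; None if the outcome is missing."""
    for line in attempt:
        m = re.search(r"Connect returncode (\d+)", line)
        if m:
            return int(m.group(1)) != 0
    return True if any("connect failed" in l for l in attempt) else None

def correlate(log_text):
    """Per marker: how many failed vs. succeeded attempts contained it."""
    counts = {name: {"failed": 0, "succeeded": 0} for name in MARKERS}
    for attempt in split_attempts(log_text):
        failed = attempt_failed(attempt)
        if failed is None:
            continue  # truncated capture, nothing to learn from it
        for name, pat in MARKERS.items():
            if any(pat.search(l) for l in attempt):
                counts[name]["failed" if failed else "succeeded"] += 1
    return counts

def failure_only_markers(log_text):
    return sorted(n for n, c in correlate(log_text).items() if c["failed"] and not c["succeeded"])
```

On the constructed sample the necp message is counted in both buckets, so it drops out as a red herring, while the ALF swfs_pid_entry message survives as the only failure-exclusive marker; feed it `log show` output instead of SAMPLE_LOG to check a real capture.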

Are there any known issues [with] WRT anti-malware … & proxy software … interacting with VPN packet tunnels?

I don’t have any specific info to share on that topic but, yeah, I see weird problems like that all the time, especially with Endpoint Security products. You really need to test this on a vanilla Mac and then roll in these components one at a time to see when things stop working.

It'll be tricky for me to find a test system which has none of these installed...

You can’t do that testing in a VM?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
