Preventing connection timeout when using VPNC in place of Cisco VPN Client for Mac

Posted on 2011-05-02
Last Modified: 2013-11-05
Hello experts.  Had my boss previously set up to connect to our PIX 506e via the last VPN Client for Mac ( and an elegant little app managing the connections called Shimo.  All was well.  Upon purchasing a new Mac Pro (5,1) with Snow Leopard recently we started receiving "Error 51: Unable to communicate with the VPN subsystem."  Haven't had to change things for a while so when I got up to date I realized that the older Cisco client doesn't run in OS X 64-bit.  Further research revealed the newer AnyConnect client was designed to work with newer Cisco hardware and the built-in VPN client in SL that includes the ability to create an IPSec connection for Cisco is also intended for newer hardware.  We do video postproduction work so we will likely be running in 64-bit from here on.

One of Shimo's features is its ability to take a Cisco .PCF profile and convert it to vpnc.  I found that if I booted the Mac in 32-bit, reinstalled the Cisco client and made sure it was happy and then created a vpnc profile from the Cisco profile I could reboot into 64-bit and connect happily using the vpnc profile.  Shimo seemed to work just fine and the connection was solid...or so it seemed.  I then discovered the connection would time out consistently at about 5 minutes and 30 secs.  There are settings both in the vpnc profile and in Shimo to generate "Idle" or "keep-alive" packages, respectively.  Unfortunately, neither seems to impact on the problem.

When I went back into 32-bit mode, using the vpnc profile I got the same result (as expected).  I then made a connection using the Cisco profile and the connection has now been active for 45 minutes and counting with no sign of timing out.  So, I can see that the Cisco client is sending something to the PIX that the vpnc isn't.  I hadn't worked with vpnc previously and, as mentioned, Shimo created this profile for me so I'm not familiar with the underpinnings of this.  Can anyone advise me as to how to get the vpnc to perform as a full-fledged substitute for the Cisco client and maintain the connection?  Thanks.
Question by: mrpierce2

    Expert Comment

    So, while I don't have a solution regarding your vpnc question, I do have a few comments.  

    As you point out, you can run the AnyConnect client which is available for Mac in 64-bit.  Although Cisco did produce a Windows 64-bit IPSec client, that wasn't in their plans, and it's pretty clear they're putting the majority of their development efforts into AnyConnect as opposed to IPSec.  You don't say how many users you need to provide VPN services for, but there are two SSL licenses that come with the ASA.  If you do need a solution for a larger number of users, Cisco also has AnyConnect Essentials, which is an excellent VPN approach for trusted machines that makes deployment and update of the client much easier than with IPSec, and while it's not completely free like IPSec is, it's extremely cheap compared to full SSL licenses.  My company uses AnyConnect Essentials (I'm on a Mac) and I've found it to be much more forgiving than IPSec for maintaining connectivity.

    There's one slight downside to AnyConnect Essentials.  There are some SSL VPN features that require the full SSL licenses, mainly clientless portal and host checks (Cisco has to have some reason to encourage customers to buy full-price SSL licenses), and once AnyConnect Essentials is enabled on an ASA, you cannot use that ASA for full SSL license features.  So if you have a need for both kinds of SSL connections, then you would need separate ASAs for those.  But if you're looking for a replacement for IPSec, I really think it's an excellent solution.

    /end of sales pitch....  ;-)

    Author Comment


    Thanks for the input.  As I mentioned, we're using a PIX.  I don't see the company upgrading to ASA in the near future, especially since it's a small business with minimal VPN use and we've been spending a bunch of bucks lately on other infrastructure improvements (and I have another brand new unit purchased off eBay as a backup).  While the Cisco client has been end-of-life'd and I realize that AnyConnect is its successor, even though it's available for 64-bit OS X it was my understanding that it would not support the PIX.  My perusal of Cisco pages seemed to confirm this.  

    Essentially I only have one person to provide VPN access to--my boss, who works from home--with the only exception being our graphic designer, who on rare occasions needs to connect.

    Web searches indicate there are a good number of folks in the same boat who suddenly found themselves experiencing the Error 51 (Area 51?) I encountered.  The thing is, the vpnc client has proven it can establish a connection and run in SL 64-bit.  The price is certainly right and in our case it's just this damn timing out that's preventing it from being a fully usable replacement for the Cisco client.

    Thanks for info on AnyConnect.  Definitely sounds like an improved system.  Glad it's working well for you.

    Accepted Solution

    OK, looks like this is solved.  Found a non-EE post referring to this line in the vpnc config file (which Shimo puts in the user's Home folder (/Library/Application Support/Shimo/Configs)).  The line is

    DPD idle timeout (our side) 0

    Setting the value to "0" apparently "disables DPD (both sides)."  There is a checkbox on the Advanced page of the vpnc profile created in Shimo called "Send Idle Packages after" and a text box for the number of seconds.  Even though I had earlier disabled this my old value in the config file still persisted.  I may have just done things out of order and I expect it would have updated itself later, but in any case, I manually edited the config file and now all appears to be well.

    Author Closing Comment

    No helpful comments from anyone else.  Kept researching outside of EE and found a solution.  No longer have the problem.  VPNC connection does not time out.
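
The fix in the accepted solution only holds if the config file on disk really carries the new value, since the poster found a stale one surviving the GUI change. As an added example (not from the thread), these shell functions read and rewrite the `DPD idle timeout (our side)` line of a vpnc config; the sample file contents are constructed placeholders, and per the vpnc manual a value of 0 turns DPD off in both directions, so the client no longer detects a dead peer on its own.

```shell
#!/bin/sh
# Added example (not from the thread): read and pin the DPD setting in a vpnc config.
KEY='DPD idle timeout (our side)'

# Print the value the file sets for KEY, or "unset" when the line is absent.
# If the key appears more than once, the last value found is printed.
dpd_get() {
    awk -v key="$KEY" '
        index($0, key) == 1 {
            val = substr($0, length(key) + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            found = 1
        }
        END { if (found) print val; else print "unset" }
    ' "$1"
}

# Leave exactly one KEY line with the given value; every other line is kept.
# Accepts only what vpnc documents for this option: 0, or 10 through 86400.
dpd_set() {
    file=$1 value=$2
    case $value in ''|*[!0-9]*) return 2 ;; esac
    [ "$value" -eq 0 ] || { [ "$value" -ge 10 ] && [ "$value" -le 86400 ]; } || return 2
    # mktemp creates the copy with mode 0600, suitable for a file holding VPN credentials.
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    awk -v key="$KEY" 'index($0, key) != 1 { print }' "$file" > "$tmp" &&
        printf '%s %s\n' "$KEY" "$value" >> "$tmp" &&
        mv "$tmp" "$file"
}

# Constructed sample config with placeholder values and a stale DPD value.
make_sample() {
    cat > "$1" <<'EOF'
IPSec gateway vpn.example.invalid
IPSec ID examplegroup
Xauth username exampleuser
DPD idle timeout (our side) 300
EOF
}

# Demo on a throwaway copy: show the stale value, rewrite it, confirm the result.
demo_dir=$(mktemp -d)
make_sample "$demo_dir/sample.conf"
echo "before: $(dpd_get "$demo_dir/sample.conf")"
dpd_set "$demo_dir/sample.conf" 0
echo "after:  $(dpd_get "$demo_dir/sample.conf")"
rm -rf "$demo_dir"
```

Run `dpd_get` against the real profile after any change made in the GUI; when it prints `unset`, vpnc falls back to its documented default of 300 seconds.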
