Sophos Endpoint and Cisco AnyConnect network extension incompatibility (breaks Safari WebSocket connections and other software)

We are facing a problem when both Sophos Endpoint and Cisco AnyConnect VPN Secure Mobility Client are installed on the same MacOS Big Sur 11.1 system.
Safari cannot connect and web socket, other programs (e.g. Adobe Cloud Sync) fail too.

Steps to reproduce:

  1. Clean macOS Big Sur 11.1 (20C69) install
  2. Install Sophos Endpoint 10.0.2 and Cisco AnyConnect SMC 4.9.04043.
  3. Approve System Extensions and Content Filters interactively or through MDM configuration profiles using Jamf Pro (doesn't make any difference)
  4. Verified that System Extensions are all loaded properly and Content Filters are running accordingly to vendor documentation. ( systemextensionsctl list )
  5. Open web.whatsapp.com or connectivity-test.asana.com in Safari.
  6. Issue persist regardless of an active VPN network connection or not.

Expected behaviour:

  • Site opens and loads contents, reports successful WebSocket connection.

Actual behaviour:

  • WebSocket network error: OSStatus Error -9810: Internal error

Notes:

  • Uninstalling either Network Extension by using the terminal commends systemextensionsctl uninstall 2H5GFH3774 com.sophos.endpoint.networkextension or systemextensionsctl uninstall DE8Y96K9QP com.cisco.anyconnect.macos.acsockext fixes the issue temporarily until next restart.
  • Uninstalling either software immediately eliminates the issue.
  • It has been reported in Apple Developer forums that the problem may be originated when any NETransparentProxyProvider and NEFilterDataProvider run together on the system (same app or not).

References:
Cisco: https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/upgrade/AnyConnect_macOS_BigSur_Advisory.html#_Toc52277855

Apple: https://developer.apple.com/forums/thread/667962



Added confirmation that uninstalling the either network extension stops the issue. Disable SIP, then enter systemextensionsctl uninstall 2H5GFH3774 com.sophos.endpoint.networkextension or systemextensionsctl uninstall DE8Y96K9QP com.cisco.anyconnect.macos.acsockext
[edited by: Rene Luna at 3:59 AM (GMT -8) on 13 Jan 2021]
Parents Reply Children