Field Notice: FN - 70445 - AnyConnect Secure Mobility Client Users with macOS 10.15.x Might Not Be Able to Establish VPN Connections or Might Receive Pop-Up Warning Messages - Software Upgrade Recommended

Available Languages

Updated:August 30, 2019

Document ID:FN70445

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision	Publish Date	Comments
1.0	28-Aug-19	Initial Release
2.0	29-Aug-19	Updated the Workaround/Solution Section

Products Affected

Affected OS Type	Affected Software Product	Affected Release	Affected Release Number	Comments
NON-IOS	AnyConnect VPN Client Software	4.7	4.7.00136, 4.7.01076, 4.7.02036, 4.7.03052	Only affects users with macOS 10.15.x or later
NON-IOS	AnyConnect VPN Client Software	4.6	4.6.00362, 4.6.01098, 4.6.01103, 4.6.02074, 4.6.03049, 4.6.04054, 4.6.04056	Only affects users with macOS 10.15.x or later
NON-IOS	AnyConnect VPN Client Software	4.5	4.5.00058, 4.5.01044, 4.5.02033, 4.5.02036, 4.5.03040, 4.5.04029, 4.5.05030	Only affects users with macOS 10.15.x or later
NON-IOS	AnyConnect VPN Client Software	4.4	4.4.00242, 4.4.00243, 4.4.01054, 4.4.02034, 4.4.02039, 4.4.03034, 4.4.04030	Only affects users with macOS 10.15.x or later
NON-IOS	AnyConnect VPN Client Software	4.3	4.3.00748, 4.3.01095, 4.3.02039, 4.3.03086, 4.3.04027, 4.3.05017, 4.3.05019	Only affects users with macOS 10.15.x or later
NON-IOS	AnyConnect VPN Client Software	4.2	4.2.00096, 4.2.01022, 4.2.01035, 4.2.02075, 4.2.03013, 4.2.04018, 4.2.04039, 4.2.05015, 4.2.06014	Only affects users with macOS 10.15.x or later
NON-IOS	AnyConnect VPN Client Software	4.1	4.1.00028, 4.1.02011, 4.1.04011, 4.1.06013, 4.1.06020, 4.1.08005	Only affects users with macOS 10.15.x or later
NON-IOS	AnyConnect VPN Client Software	4.0	4.0.00048, 4.0.00051, 4.0.00057, 4.0.00061, 4.0.02052	Only affects users with macOS 10.15.x or later

Defect Information

Defect ID	Headline
CSCvq59308	MAC 10.15 : Hostscan 4.8 is failing with error " Posture Assessment Failed "
CSCvq11813	32 bit hostscan causes "This application is not optimized for your Mac " error with anyconnect 4.7

Problem Description

When used with macOS Catalina 10.15.x, VPN connections will not be established with some versions of Cisco AnyConnect Secure Mobility Client and some versions of the HostScan package.

Background

HostScan provides the AnyConnect Client the ability to identify the operating system, anti-virus, anti-spyware, and firewall software installed on the host.

In macOS Catalina 10.15.x and later, the operating system will no longer support execution of 32-bit binaries, which are included in HostScan packages 4.3.x and earlier. As a result, AnyConnect Client end-users who attempt to connect from macOS Catalina to a Cisco Adaptive Security Appliance (ASA) head-end that runs HostScan package 4.3.x and earlier will not be able to successfully establish VPN connections. Cisco AnyConnect 4.8.00175 is the first version that officially supports operation on macOS Catalina and contains no 32-bit code.

Problem Symptom

If a device that runs the macOS Catalina release attempts to connect with an ASA head-end that runs HostScan package 4.3.x and earlier, this “Posture Assessment Failed: Hostscan CSD prelogin verification failed” pop-up warning message appears:

Additionally, during the first launch of AnyConnect HostScan, SystemScan, and DART modules on macOS Catalina 10.15.x, one-time-only file access request pop-up messages might appear. For further information, refer to the AnyConnect Client 4.8 Release Notes.

Workaround/Solution

Solution

For macOS Catalina 10.15.x users to successfully establish VPN connections using AnyConnect Client with HostScan, these three steps must be performed:

HostScan package on the ASA head-end must be migrated to HostScan 4.8.00175 or later.
If you migrate from HostScan 4.3.x to 4.8.00175 or later, the Dynamic Access Policy (DAP) policies must be updated to the new DAP policy definitions introduced in 4.6.x. For additional information, refer to the AnyConnect HostScan Migration 4.3.x to 4.6.x and Later document.
AnyConnect Client must be upgraded to 4.8.x or later.

Workaround

If an upgrade to HostScan package 4.8.00175 or later is not an option, administrators of systems with HostScan package 4.3.x and earlier can disable HostScan on their ASA head-end in order to restore VPN connectivity. If disabled, all HostScan posture functionality and dynamic access policies (DAPs) that depend on endpoint information will be unavailable.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)

This Document Applies to These Products

AnyConnect Secure Mobility Client v4.x