VMware vCloud Network & Security Edge – SSLVPN and Mountain Lion Troubles


October 12 2016 Update – Yosemite & El Capitan:

Wow, it's been 3 years since posting this thing and it still gets quite a few hits.  The problem did get worse with Yosemite due to required code signing; however, VMware corrected the problem with the naclient that was bundled in NSX 6.1.3.  If you have the naclient installed before upgrading to El Capitan it also works, in my limited testing.  I have heard that trying to install it on El Capitan may encounter issues due to a similar version table as noted below. I have not had a chance to test it on a clean install and only tested Yosemite to El Capitan upgrades.


 

 

The addition of client-oriented VPN to the vCNS “Edge” (formerly vShield Edge) is a big win; however, anyone who attempts to use the product on the current shipping version of Mac OS X will find that it fails to install.  We are using the SSLVPN heavily for a project and encountered this, so I decided to dig into the details.

Within the OS X system logs you will find lots of useless errors; ultimately you want to get to the installer errors themselves.  If you open Console.app and look at /var/log/install.log (or do so from the CLI) you will see this error:

installd[4110]: PackageKit: ----- Begin install -----
installd[4110]: PackageKit: request=PKInstallRequest <1 packages, destination=/>
installd[4110]: PackageKit: packages=(
“PKJaguarPackage <file://localhost/Volumes/BigFast/Downloads/naclient.pkg>”
)
installd[4110]: PackageKit: Extracting file://localhost/Volumes/BigFast/Downloads/naclient.pkg (destination=/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/Cleanup At Startup/PKInstallSandboxManager/1.sandbox/Root, uid=0)
installd[4110]: PackageKit: prevent user idle system sleep
installd[4110]: PackageKit: suspending backupd
installd[4110]: PackageKit: opt/sslvpn-plus/naclient/naclient.app relocated to Applications/naclient.app
installd[4110]: PackageKit: Executing script “./preinstall” in /Volumes/BigFast/Downloads/naclient.pkg/Contents/Resources
install_monitor[4115]: Temporarily excluding: /Applications, /Library, /System, /bin, /private, /sbin, /usr
install_monitor[4115]: Re-included: /Applications, /Library, /System, /bin, /private, /sbin, /usr
installd[4110]: PackageKit: releasing backupd
installd[4110]: PackageKit: allow user idle system sleep
installd[4110]: PackageKit: Install Failed: Error Domain=PKInstallErrorDomain Code=112 “An error occurred while running scripts from the package “naclient.pkg”.” UserInfo=0x7fc30b425a80 {NSFilePath=./preinstall, NSURL=file://localhost/Volumes/BigFast/Downloads/naclient.pkg, PKInstallPackageIdentifier=com.vmware.sslvpn, NSLocalizedDescription=An error occurred while running scripts from the package “naclient.pkg”.} {
NSFilePath = “./preinstall”;
NSLocalizedDescription = “An error occurred while running scripts from the package \U201cnaclient.pkg\U201d.”;
NSURL = “file://localhost/Volumes/BigFast/Downloads/naclient.pkg”;
PKInstallPackageIdentifier = “com.vmware.sslvpn”;
}
Installer[4097]: install:didFailWithError:Error Domain=PKInstallErrorDomain Code=112 “An error occurred while running scripts from the package “naclient.pkg”.” UserInfo=0x7f9c8536ce10 {NSFilePath=./preinstall, NSURL=file://localhost/Volumes/BigFast/Downloads/naclient.pkg, PKInstallPackageIdentifier=com.vmware.sslvpn, NSLocalizedDescription=An error occurred while running scripts from the package “naclient.pkg”.}
Installer[4097]: Install failed: The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance.
Installer[4097]: IFDInstallController 83028370 state = 7
Installer[4097]: Displaying ‘Install Failed’ UI.
Installer[4097]: ‘Install Failed’ UI displayed message:’The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance.’.
installd[4110]: installd: Exiting.

This error is really not useful, but by looking within the installer package itself I could see that it is using /tmp/naclient_install.log for the install scripts themselves.  Within this log there is a bit more of a clue as to why it failed:

/tmp/naclient.pkg/Contents/Resources/preinstall: kernel version mismatch
/Volumes/BigFast/Downloads/naclient.pkg/Contents/Resources/preinstall: kernel version mismatch
/Volumes/BigFast/Downloads/naclient.pkg/Contents/Resources/preinstall: kernel version mismatch

In order to fix this you need to define the Mountain Lion kernel as being valid.  To do this, instead of installing the SSL VPN client from the web interface, select the option to download the zipped file.

Extract the contents of the file and you will have a “naclient.pkg” file.  Like many “files” on OS X, this is actually just a special directory… you can either access the contents via the CLI or right-click (or Ctrl-click) and select “Show Package Contents”.

If we look at the installation scripts themselves (with the arrows above) we find that the scripts run a uname command to determine the OS version:  uname -r | cut -d. -f1

We can also see that they were nice enough to support all the way back to Panther (released in 2003) but that there is no definition for Mountain Lion.

If we execute this command on Mountain Lion the response is “12”, however “12” is not defined as a valid kernel version.  The reality is that Mountain Lion is close enough for most apps to be considered “Lion”, so we will add this definition just the same as for Lion itself.

We will edit the 4 files that are indicated with the arrows. These are shell scripts and you can edit them with your text editor of choice. All 4 files need to be edited in exactly the same way, just adding a definition for Mountain Lion.

Save your changes to all four files including “postinstall”, “postupgrade”, “preinstall”, and “preupgrade”.

Browse up the directory structure until you see the naclient.pkg and run the installer again.
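Before running the installer again, it is worth confirming that all four scripts really carry the new entry, since a single missed file produces the same "kernel version mismatch" failure. The following is an added example, not part of the original post or of VMware's scripts; the function names are hypothetical, and it assumes each script gates on a case label of the form "12)", as in the Mavericks entry quoted in the comments on this page.

```shell
#!/bin/sh
# Added example: list the naclient.pkg install scripts that have no case
# entry for a given Darwin major version (the output of: uname -r | cut -d. -f1).
# Assumption: the label is written alone as "12)", not combined like "11|12)".

SCRIPTS="preinstall postinstall preupgrade postupgrade"

# darwin_major: major version of the running kernel, e.g. 12 on Mountain Lion.
darwin_major() {
    uname -r | cut -d. -f1
}

# missing_kernel_entries PKG_DIR MAJOR
# Prints each script under PKG_DIR/Contents/Resources that is absent or has
# no "MAJOR)" case label. Returns 0 if all four define it, 1 if any does not,
# 2 if MAJOR is not a number.
missing_kernel_entries() {
    pkg_dir=$1
    major=$2
    missing=0
    case "$major" in
        ''|*[!0-9]*) echo "version must be numeric" >&2; return 2 ;;
    esac
    for name in $SCRIPTS; do
        script="$pkg_dir/Contents/Resources/$name"
        if [ ! -f "$script" ]; then
            echo "$name (not found)"
            missing=1
        elif ! grep -Eq "^[[:space:]]*${major}[[:space:]]*\)" "$script"; then
            echo "$name"
            missing=1
        fi
    done
    return $missing
}

# Usage, from the directory that contains the extracted package:
#   missing_kernel_entries ./naclient.pkg "$(darwin_major)"
```

An empty result with exit status 0 means every script defines the running kernel version.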

***** Yosemite Update ******

Any of you that have upgraded to Yosemite may find that you cannot connect to the VPN afterward; it fails to establish a connection with an error somewhat like this:

[Screenshot: SSL VPN-Plus Client - Login]

In order to fix this here are the steps I took (PROCEED AT YOUR OWN RISK):

  1. Uninstall NAclient:  sudo /opt/sslvpn-plus/naclient/uninstall.sh
  2. Enabled developer mode for Kext insertion:  sudo nvram boot-args="kext-dev-mode=1"
  3. Rebooted
  4. Installed the NAclient again

I owe thanks to @jakerobinson for this as he actually found the solution.
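The boot-args value set in step 2 stays in NVRAM across reboots, so kext developer mode remains on until it is removed. The following is an added example, not part of the original post; the function names are hypothetical. It checks for the setting and removes only that token, keeping any other boot arguments.

```shell
#!/bin/sh
# Added example: detect and remove kext-dev-mode from the boot-args NVRAM
# variable once the workaround is no longer needed.

# has_kext_dev_mode BOOT_ARGS: returns 0 if kext-dev-mode=1 is among the tokens.
has_kext_dev_mode() {
    for tok in $1; do
        [ "$tok" = "kext-dev-mode=1" ] && return 0
    done
    return 1
}

# strip_kext_dev_mode BOOT_ARGS: prints BOOT_ARGS without any kext-dev-mode
# token, leaving the remaining tokens in their original order.
strip_kext_dev_mode() {
    out=""
    for tok in $1; do
        case "$tok" in
            kext-dev-mode=*) ;;
            *) out="${out:+$out }$tok" ;;
        esac
    done
    printf '%s\n' "$out"
}

# current_boot_args: value of boot-args, empty when the variable is unset.
# nvram prints "boot-args<TAB>value"; this part only works on OS X.
current_boot_args() {
    nvram boot-args 2>/dev/null | cut -f2-
}

# restore_kext_signing: run as root on the Mac, then reboot.
restore_kext_signing() {
    current=$(current_boot_args)
    if ! has_kext_dev_mode "$current"; then
        echo "kext-dev-mode is not set"
        return 0
    fi
    remaining=$(strip_kext_dev_mode "$current")
    if [ -n "$remaining" ]; then
        nvram boot-args="$remaining"
    else
        nvram -d boot-args
    fi
}
```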

***** Yosemite Update 01-07-2014 ******

Unfortunately it is not possible to get the naclient to run in any reliable fashion on Yosemite.  I have spent a lot of time on this and ended up using a Mavericks VM in Fusion to get the client to work for the day job.

naclient is dependent upon some kexts to load at system boot; however, the method invoked to start these has been deprecated for multiple major releases of OS X and was removed in Yosemite.  The problem extends beyond the lack of signing; it is another example of VMware failing to support OS X even as the company issues Apple systems to a large number of employees and all new systems come with Yosemite pre-installed.

I will try to find time to write up my workaround. It uses a VM but allows me to use that VM as a very heavy VPN client, and I am able to use my (limited) apps in Yosemite as I normally would.

***** El Capitan 10.11.1+ Update 11-19-2015 ******

Rather than keep adding content to this post, I created a new blog post with the workaround for OS X El Capitan, and it can be found here.


21 thoughts on “VMware vCloud Network & Security Edge – SSLVPN and Mountain Lion Troubles”

    1. Thanks for the feedback, I haven’t braved upgrading to Mavericks yet but I am not surprised that 10.9 isn’t included in the acceptable install version.

    2. Yes, it also works in Mavericks. Thanks!!
      I added:
      13)
      LEOPARD_MACOSX=1
      SNOW_LEOPARD=1
      LION_OSX=1
      MOUNTAIN_LION_OSX=1
      MAVERICKS_OSX=1
      TAPDIR=$DIR/10.4/$ARCH
      ;;

    1. I actually just encountered this and have a fix. I have only tested this with the NAclient for NSX 6.1 and it isn’t without risk. I will update it in the post itself.

    1. I posted the fix for Yosemite at the bottom of the original content... however I am finding that you may have to uninstall and re-install the client after reboots in order to get it to work again. I am still doing more testing on this.

    1. Unfortunately I have not found a reliable workaround, I am happy to say that it is being investigated. The naclient relies on a service daemon to start on boot, however the location it used to start those services is not utilized on Yosemite. Let me try to do some testing on this today to see if I can get it to work reliably or not, thankfully I have a Yosemite VM so I can reboot frequently to test it without disrupting my day job.

  1. Unfortunately any solution for Yosemite is short lived, the temporary workaround now fails for me with 10.10.1. The problem is much greater than it originally was, as the tap.kext fails to load entirely at this point, if the kext will not load nothing else matters.

    The original problem that caused the client to work until a reboot was that VMware continues to use deprecated features of yore. It is apparent that VMware has not maintained the SSLVPN.

    1. Did you finally get it working on version 10.10.1 ? I have 10.10.2 and disabling the kext signing verification doesn’t change anything for me. I tried to dig into it but didn’t find anything relevant.

      1. Unfortunately, no. It is not practical or feasible to get this working in Yosemite. The naclient is dependent upon some services/kexts to load at boot, the problem is that the naclient uses deprecated methods to start those services…these methods have been deprecated for multiple major releases of OS X. I have not found any successful way to get these components to load on boot in any repeatable fashion.

        I will try to get time to write up my workaround, it's very “heavy” from a VPN client perspective but works for me.

    1. You have to deploy a new version of NSX Manager and a new Edge in order to get the build that will work with Yosemite, it should be fixed in version 6.1.3 and later. This new version works with 10.10.4 as well.

    1. If you have naclient from an NSX Edge version 6.1.3 or later installed prior to upgrading to El Capitan it will work fine, in my limited testing. The problem is a clean install on an El Capitan system may run into issues. I haven’t had a chance to finish testing that, as the initial focus was for upgrades. I will update the article to include this info so it is easier to find it.
