Catalina Anyconnect



Mar 29, 2021 Download the AnyConnect VPN client for macOS 11.0 (Big Sur), macOS 10.15 (Catalina), or macOS 10.14 (Mojave). In your Downloads folder, double-click the file you just downloaded to open it. An icon will appear on the desktop called AnyConnect, and a separate window will open. Aug 29, 2019 Cisco AnyConnect 4.8.00175 is the first version that officially supports operation on macOS Catalina and contains no 32-bit code. The Snap version of Firefox is not supported by AnyConnect on Linux. Mozilla's Firefox is the officially supported browser on Linux. AnyConnect HostScan Migration 4.3.x to 4.6.x and Later. Beginning with macOS Catalina release (10.15.x), the operating system will no longer support executing 32-bit binaries, which are included in HostScan package 4.3.x and earlier. The 'UCI' Group is a 'split tunnel' versus the 'UCIFull' Group which is a full tunnel. The 'UCI' Group is useful for staff & faculty who need access to some online resources while off campus (e.g. Their work computer in their office) but don't need to tunnel all of their traffic through the VPN. Para MacOS Big Sur Cisco AnyConnect Secure Mobility 4.9.05042 Para MacOS Catalina Cisco AnyConnect Secure Mobility 4.8.03036; Para Mac Leopard o versiones anteriores Vpn Client.

If you need to connect to UCInet from off campus, the Virtual Private Network (VPN) is the solution for you. The VPN allows you to securely connect to vital campus resources like the UCI Libraries and KFS (Kuali Financial System) by encrypting the information you are sending over the network, protecting your data. In addition, it enables authorized users to mount network file shares from off campus.

Special Instructions during COVID-19 Pandemic: To help balance the load of increased remote access needs, we now have multiple VPN servers for different purposes. Please take the following into consideration when connecting:
(1) If you require VPN access to connect to resources that are hosted on UCI campus, use the Software VPN and enter vpn2.uci.edu in the Ready to Connect field, then choose Default-UCI as the Group. Only if connections to this server are unavailable, should you then try vpn.uci.edu as an alternative.
(2) If you require VPN access to connect to resources that are hosted off campus but require a UCI IP address(i.e. Libraries' licensed online resources), use the Software VPN and enter vpn.uci.edu in the Ready to Connect field, then choose UCIFull as the Group.
(3) If you require VPN access to connect to some compatible web resources that are hosted off campus but require a UCI IP address, you can also use the WebVPN by going to https://vpn.uci.edu and choose WebVPN as the GROUP.
(4) If you use cloud-based or campus resources that don't require VPN to access, please don't connect to the VPN.

3 Ways to Access the VPN

Software VPN

Download, install and configure the Software VPN Client

  • macOSRecommendedVersion 10.14 Mojave or newer - see below for more details)

VPN Software Version

As of December 7, 2020, the current versions of the Cisco VPN client are as follows:

  • macOS
    • 4.9.04043 (for Big Sur, 11.0)
    • 4.9.03047 (Catalina, 10.15)
    • 4.9.00086 (for Mojave, 10.14)
  • Windows
    • 4.9.00086 for Windows 10 desktop and laptop users
    • 4.9.00086 for Microsoft Surface Pro X users (the Pro X version uses an ARM-based processor).
  • Linux
    • 4.9.00086 (64-bit only)

Notes for macOS users: During the installation, you will be prompted to enable the AnyConnect software extension in the System Preferences -> Security & Privacy pane. The requirement to manually enable the software extension is an operating system requirement.

Peer-to-peer file sharing services and other high-bandwidth applications should not be used while using the VPN service. You may be automatically blocked from using the VPN if your bandwidth exceeds the maximum bandwidth limit.

iOS, Android, Chromebook

  • How to install, configure & use the VPN Software

WebVPN

Need to access a UCI only website? Use the WebVPN. If you need to use an application, try the VPN Software option.
  1. Login to the WebVPN
    • Make sure to change the GROUP to WebVPN

VPN FAQ

I'm having trouble accessing certain online journals or resources while using the VPN.

There are two specific reasons why this may happen to you:

  1. You're using the WebVPN
  2. You're using the Software VPN but didn't connect using UCIFull.

Access to all of the library's online resources is restricted to the UCI IP network address space, so the only way to truly simulate as if you were working on campus is to use the 'UCIFull' Group setting when you first login using the Software VPN.

When you choose UCIFull, all of your off-campus traffic passes through the VPN, so from the point of view of the library's online resources, it's as if you're on campus. This is important because many of the online resources (such as JSTOR) are behind paywalls, and anyone trying to access those resources from off campus will need to pay to access them. The UCI IP network is whitelisted so you don't have to pay.

When you use the UCI Groupsetting, your home network won't use the VPN tunnel unless you're visiting a UCI website. So, when you visit a non-UCI site like JSTOR, it'll appear as if you're connecting from off-campus and you'll be paywalled.

The WebVPN is a fast, convenient way to access some of the library's online resources from off-campus simply by using a web browser; however, due to technical limitations of SSL (or browser-based) VPNs that are beyond the scope of this article, you will NOT have unfettered access to everything as you would if you were using one of the library computers or using your own computer on our campus network.

OIT's scope of support is ensuring you're able to login to the VPN. If you're logged in and using the UCIFULL tunnel but are still having trouble accessing or using certain journals, please visit https://www.lib.uci.edu/ask-librarian-reference-services. The UCI Libraries Reference Services Team are best equipped to assist you with these issues.

Why then are there two 'UCI' Groups to choose from in the Software VPN?

The 'UCI' Group is a 'split tunnel' versus the 'UCIFull' Group which is a full tunnel.

The 'UCI' Group is useful for staff & faculty who need access to some online resources while off campus (e.g. their work computer in their office) but don't need to tunnel all of their traffic through the VPN. There may be some personal or non-university business that you'd prefer not to be routed through the VPN. If you're using your computer to do some work but are also streaming a movie from Netflix, for example, you don't want the Netflix movie to stream through the VPN tunnel.

For one, the encrypted tunnel isn't as fast so your streaming will certainly lag, and now you're consuming too much network bandwidth by streaming a film through our encrypted network, which could actually lead to you being blocked. The VPN is to be used for university business only.

If you have tried everything above, and you are still unable to access a specific resource (and other resources work fine), then you may want to contact the UCI Library to verify that the resource is a part of their catalog.

I'm having trouble using the WebVPN

If you’re having trouble logging in to the WebVPN (https://vpn.uci.edu):

  • Make sure the Group is WebVPN
  • Make sure you enter your UCInetID in all lowercase (UPPERCASE will not work).
  • Try using a different web browser.
  • If you’ve forgotten your UCInetID password, you can reset it here.

If you’re still having trouble, wait about 30 minutes and try again, or try from a different location.

Once you're in the WebVPN, here are instructions on how to navigate the system (including how to visit other websites).

Note: PubMed have made changes to their site layout, and as a result it does not function properly in the WebVPN. There is no way to fix this issue, so please use the Software VPN instead.

Anyconnect

I'm having trouble using the Software VPN

Login Trouble

If you’re having trouble logging into Cisco AnyConnect (aka the Software VPN), make sure you've carefully followed the steps provided for your operating system under the 'Software VPN' tab on the main VPN page. In particular:

  • Enter the correct hostname vpn.uci.edu and then click Connect.
  • When prompted, make sure you've selected the correct Group (IMPORTANT: use UCIFull if you want to access UCI Library resources from off-campus).
  • Make sure you enter your UCInetID in all lowercase (UPPERCASE will not work).
  • If you’ve forgotten your UCInetID password, you can reset it here.

If you're still having trouble, it's possible that you may be blocked due to a DMCA complaint. Learn how to get unblocked.

Error Messages

We have a list of common error messages in the next section.

What are some common error messages when using the Software VPN?

The most common errors that our users see are:

  • 'Login failed'
  • 'AnyConnect was not able to establish a connection to the specified secure gateway'
  • 'The VPN client agent was unable to create the interprocess communication depot'
  • 'Login Denied. Your host does not meet the requirements to connect. Visit wiki page...'
  • 'The VPN connection failed due to unsuccessful domain name resolution'
  • 'MTU size too small'
  • 'On my Mac, some of the options are grayed out during installation or I'm getting the error 'a newer version is already installed'

I have a red circle inside the AnyConnect icon on the status bar - Roaming Security: You are not currently protected by Umbrella. Profile is missing.

OIT does not offer any of the extra 'protections' offered by Cisco that come bundled in the installer, which is why you're getting that false positive from the 'Roaming Security' feature when you run the client.

To fix this issue, uninstall the Cisco client for Mac (using the built-in uninstaller located in the /Applications/Cisco folder). After you restart your computer, download the Cisco VPN client and run the install again, only this time uncheck *all* the boxes in the installer except for the main VPN.

My VPN connection keeps dropping

Persistent connection drops are generally an issue on the network between you and UCI. The best place to start is by power-cycling everything between you and your ISP - your computer, router, cable modem (or whatever device connects you to your internet provider)

If the problem persists, completing the steps below will provide us with additional information needed to troubleshoot further.

Windows

  1. Open Command Prompt
  2. Enter the following: tracert -d vpn.uci.edu

Mac / Linux

  1. Open Terminal
  2. Enter the following: traceroute -n vpn.uci.edu

Once run, you can either screenshot or copy & paste the results of these commands in an email to oit@uci.edu

Catalina

Why are older versions of macOS not supported?

Apple officially supports/provides security patches for the current OS version (macOS 11 Big Sur) plus the previous two, so our recommendation is that you upgrade to at least macOS 10.14 (Mojave). Your system could be vulnerable to attacks that are fixed in newer releases, and your system could be compromised and used to attack other systems (and possibly used to attack UCI when you are using the VPN).

In addition, there are bug fixes and security updates to the VPN client that necessitate it being updated to fix problems other users are having and to prevent security issues with older clients.

If you're running an older version than the ones mentioned above, please update your operating system. Faculty and staff should partner their with their local CSC, and students should reach out to AntTech for assistance.

The OITHD cannot assist with OS upgrades, and we cannot implement any changes to the network to get your computer to connect to the VPN. We apologize for the inconvenience. You may continue to use the WebVPN at https://vpn.uci.edu

Are there other VPNs besides vpn.uci.edu?

Yes. There are numerous departmental VPNs that are managed by the OIT Security Team and are restricted to those department's employees. Unlike vpn.uci.edu, access to those VPNs is restricted to certain staff members whose computers must meet very high security requirements.

In addition, some departmental VPNs may require you to use Duo two-factor authentication. Learn more about Duo.

If you're having trouble accessing your department's VPN, consult this FAQ article. If you're still having trouble, please partner with your school's CSC or if you work for OIT, you may open a ticket with us.

I need to access FACNet but am having trouble logging in to the VPN.

OIT provides desktop support for the Facilities Management department, which oversees the massive network of HVAC and other mission-critical environmental systems across campus. Access to the Facilities Network (or 'FACNet') is restricted with its own VPN, Duo 2-factor authentication and separate login credentials.

If you are a Facilities employee or third-party contractor/outside vendor having trouble accessing FACNet, please open a ticket with our Desktop Support team.

What are the VPN timeouts and limitations?

Timeouts
Once you bring up your VPN client and initiate a connection, you will remain connected as long as you’re actively using it. If the connection is idle for one hour, it will “timeout”. If you are not going to use your computer, it is best to take down the connection yourself, to free-up a tunnel for someone else to use. In either case, when you later come back to your computer you will need to re-initiate a connection if you still need to use the VPN.

Limitations
There is a limit of 2 VPN tunnels which may be simultaneously established under one UCInetID.

The campus VPN provides off-campus users access to university resources not normally available to remote users and is thus a critical resource. The VPN appliance handles connections for all users through the same interface. Users of bandwidth-intensive applications that are not related to the University’s academic mission can detrimentally impact other users on the VPN.

For this reason, peer to peer (p2p) file sharing programs (as well as internet gaming and other recreational, high-bandwidth applications) are not allowed on the VPN.

What are the VPN IP Addresses?

For those of you who would like to allow or restrict access from VPN users, here are the possible address ranges that VPN users will be using.

  • 128.195.64.100 - 128.195.79.254
    • CIDR Format: 128.195.64.0/20
  • 128.195.80.0 - 128.195.83.254
    • CIDR Format: 128.195.80.0/22
  • 172.23.0.0 - 172.23.15.254
    • CIDR Format: 172.23.0.0/20

Do I need to use the VPN while I'm living in one of the on-campus housing communities?

If you live in one of the ACC communities, then you are technically not on UCI's network and will need to use the VPN. If you live in any other housing community, then you do not need to use the VPN.

I've tried the steps above and I'm still having issues

We recommend you continue your search in our comprehensive ServiceNow Knowledge Base.

If you're still having trouble, feel free to open a ticket. When doing so, please provide the following:

  • Your full name
  • Your UCInetID (the first part of your email address, not your ID number)
  • A detailed description of the issue

Uninstall Anyconnect Catalina

Failure to provide this information will delay our response.

Catalina Anyconnect Login

Return to the OIT Help Center.

Catalina Anyconnect

On This Page
Release Downloads
Verifying Downloads
User Contributions
Download Integrity
Downloading and Installing on macOS Mojave and Higher

Release Downloads

To be notified of new releases, use Tunnelblick's built-in update mechanism or subscribe to the Tunnelblick Announce Mailing List.

Beta versions are suitable for many users. See Stable vs. Beta for details.

As a Free Software project, Tunnelblick puts its users first. There are no ads, no affiliate marketers, no tracking — we don't even keep logs of your IP address or other information. We just supply open technology for fast, easy, private, and secure control of VPNs.

BetaTunnelblick 3.8.6beta03(build 5700, macOS 10.10+, (mixed Intel-64, M1), notarized) released 2021-04-22 Release Notes
SHA1: 24787eb0a1b3f0692cba8f4d27ed2b00a64867a6 MD5: c77747cceeddd8c14794a893eed15c2c
SHA256: de0f6d24cbc45650c1789f6963f7b454099e6cd9a00ec067178977614415d256
GnuPG v2 signature
StableTunnelblick 3.8.5a(build 5671, macOS 10.10+, (mixed Intel-64, M1), notarized) released 2021-04-21 Release Notes
SHA1: 9e6bb2717f0924fdf2fed306fe40837170b2d1ba MD5: ecaad1485e2691343ecb2c6ade161cbd
SHA256: 88f8cd776bf237a8b1c72531cf44bf7440e3bb4f94b16a77747351014c2de3a7
GnuPG v2 signature
OlderSee the Deprecated Downloads page. Includes versions for OS X 10.4 - 10.7.4.
UninstallerThe Tunnelblick Uninstaller has been replaced by an 'Uninstall' button on the 'Utilities' panel of Tunnelblick's 'VPN Details' window as of Tunnelblick 3.8.5beta02.
Please read Uninstalling Tunnelblick before using Tunnelblick Uninstaller.
Tunnelblick Uninstaller 1.12(build 5090, macOS and OS X 10.7.5+, Intel-64 only, works on M1 using Rosetta) released 2018-06-26 Release Notes
SHA1: c4503360e032877e1ab0c2742872250c646ba983 MD5: 0b8c3f0898ca88f4bbe90fe61271d7ab
SHA256: 62b528da3212fd78146c6bcf03d88f4f8653845068b61f4f62029a3af791ef42
GnuPG v2 signature

Verifying Downloads

You should verify all downloads. Even though https:, the .dmg format, and the application's macOS digital signature provide some protection, they can be circumvented.

Verifying Hashes

Comparing the SHA256, SHA1, and MD5 hashes of your downloaded file with the official published ones will provide additional assurance that the download is legitimate and has not been modified. You can compare the hashes with programs included with macOS without the need to install additional software.

To compute the hashes of a file you've downloaded, type the following into /Applications/Utilities/Terminal:

shasum -a 256path-to-the-file
openssl sha1path-to-the-file
openssl md5path-to-the-file

Then compare the computed hashes with the values shown near the link for the downloaded file.

(Don't type 'path-to-the-file' — type the path to the file, that is, the sequence of folders that contain the file plus the file name (e.g. /Users/janedoe/Desktop/Tunnelblick_3.7.2a_build_4851.dmg). An easy way to get it into Terminal is to drag/drop the file anywhere in the Terminal window. The pointer will turn into a green and white plus sign ('+') to indicate the path will be dropped. So you would type 'shasum -a 256 ' — with a space after the '256' — and then drag/drop the disk image file anywhere in the Terminal window.)

For additional assurance that the hashes displayed on this site have not been compromised, the hashes are also available in the description of each 'Release' on Tunnelblick's GitHub site, which is hosted and administered separately from this site.

Verifying GnuPG Signatures

Recent Tunnelblick disk images are also signed with GnuPG version 2.

To prepare for verifying signatures, you should download and install GnuPG 2.2.3 or higher, and then add the Tunnelblick Security GnuPG public key (key ID 6BB9367E, fingerprint 76DF 975A 1C56 4277 4FB0 9868 FF5F D80E 6BB9 367E) to your trusted GnuPG keyring by typing the following into /Applications/Utilities/Terminal:

gpg --import TunnelblickSecurityPublicKey.asc.

To verify the signature of a file, download the corresponding signature file and then type the following into /Applications/Utilities/Terminal:

gpg --verify path-to-the-signature-filepath-to-the-disk-image-file

The result should be similar to the following:

gpg: Signature made Sat Dec 16 19:17:03 2017 EST
gpg: using RSA key B4D96F0D6A58E335A0F4923A2FF3A2B2DC6FD12C
gpg: Good signature from 'Tunnelblick Security <tunnelblicksecurity@protonmail.com>' [ultimate]

User Contributions

These downloads have been contributed by users and usually help deal with special circumstances. They are not endorsed or checked by the Tunnelblick project, and you use them at your own risk. To contribute a download, send it to the developers or post it on the Tunnelblick Discussion Group.

Before using these scripts, please read Tunnelblick and VPNs: Privacy and Security. (Actually, everyone using a VPN should read that!)

Note: these scripts are executed as root.Instructions for using scripts.

Scripts to Unload Cisco Tun Kext: user-contributed-001-pre-post.zip
SHA1: d3b09a2284de2862be7d55059581a85698930b28 MD5: f6f484864697607ee5c7206a5b056b12
Contributed by 'petiepooo'.
These scripts unload the Cisco AnyConnect tun kext before a Tunnelblick connection is started, and reload the Cisco tun kext after a Tunnelblick connection is stopped. (The Cisco kext interferes with Tunnelblick's operation of tun connections.)
Scripts to Mount/Unmount a Volume: user-contributed-002-mount-unmount-volume.zip
SHA1: eb69727620fa8c46633d9ccf9f86c4b258fea7e6 MD5: 5b3b04bea43403b2a709aaa4c92d7473
Contributed by John Griffis.
These scripts mount a volume after a configuration is connected and unmount it when the configuration is disconnected. Scripts must be edited before use (in any plain-text editor) to specify details of the volume to be connected. For a note about connecting to a CIFS account, see this discussion.
Scripts to Monitor Connection Time and Bandwidth Use: user-contributed-003-monitor-uptime-and-bandwidth.zip
SHA1: 384b370967e722eacb2f3a782e8c326d87174003 MD5: 2c23ed5c31a1238843fb5ea36fd5dd74
Contributed by 'vkapovit'.
These scripts provide a mechanism for the user to be alerted when the VPN has been up for more than 20 minutes or when bandwidth has exceeded 100MB. See this discussion for details. Requires Growl.
Includes compiled binaries; use at your own risk.
Scripts to Launch and Kill a Program: user-contributed-004-launch-kill-program.zip
SHA1: 977aa7cc55f3e191b50057fe766c426af01808eb MD5: beccc55286b398fe0a8bcb798e25a883
Contributed by 'anonymous'.
These scripts cause a program to be launched when a VPN is connected and then killed when the VPN is disconnected. It can be used with a torrent program, for example, so that the program is only active when the VPN is connected.
Note that there may be a short time after the VPN has been disconnected before the program is killed.

Download Integrity

In June 2015 there was much discussion (and outrage) about SourceForge providing downloads that contain unwanted or malicious software; SourceForge has changed their policies to help avoid this. Tunnelblick binaries were hosted on SourceForge from the fall of 2013, when Google Code stopped hosting new binaries, until 2015-07-17, when they were moved from SourceForge to GitHub.

Tunnelblick protects against unwanted software insertions by publishing the SHA1 and MD5 hashes for each of our downloads. You should verify the hashes of all Tunnelblick downloads by following the instructions above.

Additional safeguards automatically protect updates performed by Tunnelblick's built-in update mechanism:

  • Updates are controlled by tunnelblick.net and all update data is transported via https:
  • Update downloads contain digital signatures to verify they have not been modified. (This is in addition to the macOS digital signature of the Tunnelblick application itself.) See Digital Signatures.

Downloading and Installing on macOS Mojave and Higher

When you install any application, including Tunnelblick, after it has been downloaded normally, macOS Mojave and higher send information to Apple (they 'phone home'). macOS Catalina and higher also 'phone home' each time you launch any application, including Tunnelblick.

These behaviors are considered by some to be a violation of privacy.

You can avoid these behaviors, but you will be disabling security checks which macOS would normally do on a downloaded program, including checks that the program is correctly notarized and has been found to not contain malware.

To avoid having macOS Mojave and higher 'phone home' when you install Tunnelblick, you can do the following to download Tunnelblick to your Desktop:

  1. Open the Terminal application located in /Applications/Utilities.
  2. Type (or copy/paste) 'curl --output ~/Desktop/Tunnelblick.dmg --location ' into Terminal without the quotation marks (the space after '--location' is important).
  3. In your browser, instead of clicking on the link to download Tunnelblick, Control-click the link and select 'Copy Link' (Safari), 'Copy Link Location' (Firefox), or 'Copy Link Address' (Chrome).
  4. Click in the Terminal window to select it for input, then Paste (Command-V). A URL starting with https://tunnelblick.net/release/ should appear after the '.dmg '.
  5. Press the enter/return key on the keyboard.
  6. You will see two or more progress bars showing the timing of downloads [1].
  7. Verify the download.
  8. Double-click the downloaded Tunnelblick disk image file on your Desktop to open the Tunnelblick disk image, then double-click the Tunnelblick icon in the window that appears to install Tunnelblick.

This will download the file to your Desktop without the flag that indicates the file was downloaded from the Internet. When that flag is present, macOS Mojave and higher 'phone home' when the downloaded file is double-clicked to install it; when the flag is not present, macOS Mojave doesn't.

To avoid having macOS Catalina and higher 'phone home' when you launch Tunnelblick (or other applications), see How to run apps in private.

[1] Tunnelblick downloads are redirected from the tunnelblick.net website to GitHub, which may redirect them further. Typically one or more tiny downloads (a few hundred bytes each) provide information about the redirection, and the final larger download is the desired file.





Comments are closed.