Overview
Cisco Umbrella is aware of an issue that may affect macOS 12 machines running the Cisco Umbrella Roaming Security Module for DNS coverage.
This affects machines running Cisco AnyConnect alongside another system extension, such as the transparent proxy provider. As a result, TCP sockets become exhausted (see Identification below). The impact stems from an interaction with the macOS system extension framework, and a framework fix is required.
We recommend taking extra precautions to verify your individual macOS 12 environment prior to upgrading to macOS 12 while using the Roaming Security Module or any other software that makes use of the macOS DNS Proxy Provider system extension. A patch is expected in macOS 12.3, currently in Beta.
Impacts
The impacts of this issue include temporary loss of DNS, or a need to reboot or re-initialize the AnyConnect software to restore functional DNS responses to the system. Users of AnyConnect SWG are also impacted, because every new web connection requires a DNS request to the SWG server hostname in order to direct the web request without added latency. SWG will remain functional: a failover to the Umbrella TCP Anycast IP is included, but this will add 1-4 seconds of latency for each connection.
This affects a small number of macOS users intermittently, most severely on macOS 12, and most commonly impacts users with other active software that makes use of macOS system extensions, particularly on M1 machines. Specific environmental conditions may cause more widespread impacts.
Identification
A workstation can be confirmed as affected by this system issue when its number of UDP or TCP sockets is excessively high. The following commands list bound socket ports and count them.
netstat -Anxv -p udp | wc -l
70000
netstat -Anxv -p tcp | wc -l
50
A count in the thousands or higher indicates that an exhaustion event is likely and that the workstation is affected by this known issue. For UDP, a fix is on the way in macOS. For TCP, some issues will require macOS 12.4 while others may be resolved in an upcoming AnyConnect release.
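The same check can be scripted for monitoring or MDM reporting. This is an added example, not Cisco's code: the 1000-socket threshold (taken from the "in the thousands" guidance), the function names and the --run switch are assumptions.

```shell
#!/bin/sh
# Added example: flags likely socket exhaustion using the netstat commands above.
# THRESHOLD is an assumption ("in the thousands"); tune it for your fleet.
THRESHOLD="${THRESHOLD:-1000}"

# Count lines of netstat output read from stdin, the same measure as `| wc -l`.
# netstat header lines are included, which is negligible against the threshold.
count_lines() {
    wc -l | tr -d ' '
}

# classify PROTO COUNT
# Prints one status line; returns 1 when COUNT suggests exhaustion, else 0.
classify() {
    proto="$1"
    count="$2"
    if [ "$count" -ge "$THRESHOLD" ]; then
        echo "$proto sockets=$count status=LIKELY_EXHAUSTED"
        return 1
    fi
    echo "$proto sockets=$count status=ok"
    return 0
}

# check_host: runs both commands on the local machine.
# Returns 0 = ok, 1 = at least one protocol looks exhausted, 2 = not macOS.
check_host() {
    if [ "$(uname -s)" != "Darwin" ]; then
        echo "not macOS, skipping" >&2
        return 2
    fi
    rc=0
    for p in udp tcp; do
        n=$(netstat -Anxv -p "$p" | count_lines)
        classify "$p" "$n" || rc=1
    done
    return "$rc"
}

# Run against the live host only when asked, e.g. `sh check_sockets.sh --run`.
if [ "${1:-}" = "--run" ]; then
    check_host
fi
```

A non-zero exit status from --run can be used directly as a failing health check.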
Resolution
For UDP exhaustion cases, a fix in macOS is required. This is expected by 12.4.
For TCP exhaustion cases that occur randomly, AnyConnect will have a fix in the next release. This is expected to be an upcoming 4.10 MR5 patch release.
For TCP exhaustion cases that occur after connecting to a non-AnyConnect VPN, a fix is expected in macOS 12.4.