How to Repair the Cisco VPN Client

At work we use the Cisco VPN servers because they are one of the only products which have clients available for Mac, Linux and Windows (crappy "SSL VPNs" do not count). By and large the client works pretty well, but occasionally I end up in a situation where the client refuses to start; it mostly seems to happen when I'm changing network settings or coming out of sleep on my laptop.

The symptom is that when you try and start the Cisco VPN client you get a popup window that says:

    Error 51: Unable to communicate with the VPN subsystem.
    Please make sure that you have at least one network interface that is currently active
    and has an IP address and start this application again.

If you try and connect using the command line tool, the error looks like this:

    overkill(shand)$ sudo /usr/local/bin/vpnclient connect XXXXXXXX
    Cisco Systems VPN Client Version 4.9.01 (0080)
    Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Mac OS X
    Running on: Darwin 9.2.0 Darwin Kernel Version 9.2.0: Tue Feb  5 16:13:22 PST 2008; root:xnu-1228.3.13~1/RELEASE_I386 i386
    Config file directory: /etc/opt/cisco-vpnclient

    Could not attach to driver. Is kernel module loaded?
    The application was unable to communicate with the VPN sub-system.

If you try and manually restart the cvpnd daemon you get this:

    overkill(shand)$ sudo /private/opt/cisco-vpnclient/bin/cvpnd
    setsid error
    Could not attach to driver. Is kernel module loaded?

On the Mac there are several things you can try to fix this. Here they are in order of increasing annoyance (thanks to this thread at macosxhints.com for some of these suggestions):

  1. Try again; often it works the second time you try and run it.

  2. If you have more than one location set up in your network preferences, change your location to something different and then change it back again.

  3. Disable the fw0 interface. This recommendation came via the thread which Nathan sent me (see below) and may only apply to people who have had Parallels installed at one point (it just saved me from a reboot and I uninstalled Parallels months ago):

    overkill(shand)$ sudo ifconfig fw0 down
    
  4. Restart the Cisco VPN driver:

    overkill(shand)$ sudo SystemStarter restart CiscoVPN
    Stopping Cisco Systems VPN Driver
    kextunload: unload kext /System/Library/Extensions/CiscoVPN.kext succeeded
    Starting Cisco Systems VPN Driver
    kextload: /System/Library/Extensions/CiscoVPN.kext loaded successfully
    
  5. Reboot your computer. :-(

I've been doing a bunch of testing this afternoon, so I've been swapping between public and private IPs and have run into this problem several times. I'd been having good luck with the changing locations trick and thought that was going to be my magic bullet going forward. However, as I'm writing this up I've ended up in a situation where none of steps 1 - 3 will resolve the problem, and I really don't want to reboot.

So I guess I'm not as clever as I thought. If anyone has any other tricks to fix this, I'd love to know!


Update (5 Apr 08): An old friend, Nathan Vonnahme, pointed me at this thread, which has some other recommendations in the comments.

The ones that seem most worth investigating are "ifconfig fw0 down" (especially if you run Parallels) and making sure that all interfaces are disabled in "System Preferences - Sharing - Internet Sharing".