The process com.cisco.anyconnect.macos.acsockext hogs Mac CPU but cannot be killed or stopped from launching

Question

MacBookPro16,1 running Big Sur 11.3.1 (20E241)

This job consumes huge amounts of CPU off and on (see attached image from my Activity Monitor), often causing my laptop fans to engage to cool the processor. This is generally when the App itself (Anyconnect) is not running. The program launches automatically and relaunches every time I kill it, restart, etc. I have tried fancier things like removing the Cisco elements from launch directories etc, but it does not have any effect.

There are several discussions online about this problem, but none of the proposed solutions have helped me:

Stop Cisco AnyConnect Secure Mobility Client from starting up automatically

https://dannyda.com/2020/10/28/how-to-disable-cisco-anyconnect-secure-mobility-client-autostart-on-macos-stop-cisco-anyconnect-start-on-boot-on-macos/

I've tried all the solutions I've found online (including those in the above links), but nothing stops it. Only uninstalling AnyConnect works, but I need the Cisco VPN to work remotely with my organization.

Anyone worked this out (for real?)

t3s

What an awful, awful application. Thank you for posting this. — Nur L, Nov 25 '22 at 03:02

score 66 · Answer 1 · answered Sep 12 '21 at 21:02

66

I think I’ve found a fix.

Go into the Applications folder and open the Cisco folder.
Delete the Cisco Socket Filter application but NOT the Anyconnect client.

I’ve not had the issue since and the VPN is working fine.

answered Sep 12 '21 at 21:02

Cameron Guerrero

661

4

This solution worked for me. Thanks everyone! – type3secretion Sep 14 '21 at 07:44
4

Simple and effective – Christos Sotiriou Mar 20 '22 at 18:02
The only one that worked – Oleksii Chekulaiev Sep 02 '22 at 21:08
A huge god-damn thank you! It was annoying me for a year!!! – n1kk Nov 11 '22 at 13:39
2

This basically means uninstalling the Socket Filter app and its system extensions. What a magnificent job by Cisco people! /s – THN Mar 19 '23 at 14:19
1

Just confirmed this is working on Ventura 13.5.2. I understand that there are times when socket filtering is relevant for domain laptops. But for me as an external consultant using "my own" laptop to connect to customer servers it is completely unreasonable – Schaki Sep 15 '23 at 08:19

score 50 · Accepted Answer · answered May 19 '21 at 21:10

50

Press Don't allow When Cisco asks Cisco AnyConnect Socket Filter” Would Like to Filter Network Content.

If you do so it creates Network Settings that automatically launches this CPU-consuming com.cisco.anyconnect.macos.acsockext.

To revert it :

Go to System Preferences -> Network
Observe several instances starting with Cisco.. next to Wi-Fi
Delete all of them with - button beneath
Press Apply
If any Cisco instances appears again, delete it again; Press Apply
Check for com.cisco.anyconnect.macos.acsockext in Activity Monitor and kill it if needed
NEVER! Allow Cisco to Filter Network Content again (for some reason it lacks of Don't ask again checkbox)

answered May 19 '21 at 21:10

Nikita Balikhin

524

So far, this seems to have solved it. Thanks for this tip! – type3secretion Jun 30 '21 at 12:51
1

It works, but happens again when I restart my computer. Also, that message box appears often. :/ – Fatih Bulut Jul 09 '21 at 15:37
Same here. It came back for me. Cisco AnyConnect 4.9.5042 & macOS 11.4 (20F71). – Stefan Lasiewski Jul 09 '21 at 18:08
4

Can anyone talk to the impact of disabling? Without the filter and/or DNS proxy, am I getting the expected protections/routings? – Richard Sitze Aug 27 '21 at 17:48
1

if I click "Don't Allow", it keeps asking. – marathon Oct 06 '21 at 13:14
1

After I killed com.cisco.anyconnect.macos.acsockext and removed the Cisco... instances in the Network setting, I could not connect to the SVN anymore for which Cisco was configured. – jolvi Jul 06 '22 at 11:23
These options don't seem to be available in Ventura. – Lino Ferreira Mar 30 '23 at 14:46

score 15 · Answer 3 · edited Dec 07 '22 at 15:18

15

Personally, I had success from the following:

NOTE: You will need Administrator access on your Mac to accomplish these instructions

Open Activity Monitor
Kill the running process
Open Network Prefs
Remove all instances of it with the [-] button, and click apply
Open Terminal
Change permissions on the application Cisco AnyConnect Socket Filter.app

    cd /Applications/Cisco
    sudo chmod 0644 "./Cisco AnyConnect Socket Filter.app"
    sudo chown ${USER}:staff "./Cisco AnyConnect Socket Filter.app"
    exit

This will change ownership of the app to your personal account, and alter its permissions such that your account can read or write to it, but nobody, including you or the system groups, and execute it. It's a paperweight.

But since my company has a script that verifies its existence (even if it can't run it itself or it's not running at that moment) I don't care to delete it and have to explain myself.

It does not impact my AnyConnect/ability to access the corporate VPN whatsoever, doesn't trip any red flags with CorpSec (YMMV), and persists after reboot.

Hope that helps.

edited Dec 07 '22 at 15:18

jaume

15,010

answered Dec 25 '21 at 15:13

NerdyDeeds

366
2
8

@agarza ... thank you? I didn't even know that one COULD edit someone else's post! I assume you're a mod or admin, but after looking at the diff, I can see why you chose to clean it up. I'd been in a bit of dash out the door as I was trying to whip that out. Appreciate the polish (and your foregoing the well-deserved lambaste of my typographic and grammatical skills in the comments, lol). ❤️ – NerdyDeeds Dec 28 '21 at 23:47
After so much reputation, users will get different privileges. So really, the community as a whole tends to the upkeep of the individual Stacks. – agarza Dec 29 '21 at 00:50
I'm not sure this works on Ventura (13.0.1). There seems to be extra permissions required to make this modification. I'm seeing $ sudo chmod 0644 "./Cisco AnyConnect Socket Filter.app" chmod: Unable to change file mode on ./Cisco AnyConnect Socket Filter.app: Operation not permitted – hafichuk Dec 07 '22 at 15:10
1

NB - You need to ensure that Terminal.app (or equivalent terminal) has permissions to update or delete other applications. This is under System Settings > Privacy & Security > App Management – hafichuk Dec 07 '22 at 15:14
1

@hafichuk: hey man, thanks so much for spotting that issue, and even more for returning with the answer to it after you determined what it was. I've since changed contracts (this particular issue isn't one for me, at least for the moment), but I've run into it on umpteen other gigs; I'm sure it will be again. I didn't know Ventura reduced the execution perms, either, and your note here just solved a wholly-unrelated issue I WAS experiencing. Thanks, brother! Good looking out! – NerdyDeeds Dec 09 '22 at 05:21
1

This is genius! I tried and can verify this also works very well too! – Halil Kayer Jun 15 '23 at 08:56

qqqqf · Answer 4 · 2021-06-25T16:14:04.817

5

If you are using AnyConnect 4.10.x, I encountered the same problem and it was temporarily resolved by reverting back to version 4.9.06037

If your 4.9.x client automatically updates, you can set bypassDownloader to be true in /opt/cisco/anyconnect/AnyConnectLocalPolicy.xml to keep it at 4.9.x

edited Jun 25 '21 at 16:14

answered Jun 25 '21 at 16:07

qqqqf

51
3

Thank you so much. It solved my problem. In case anyone couldn't find old version, here is a link from TU Graz university – Fatih Bulut Jul 09 '21 at 16:33
Unfortunately, as of yesterday, it looks like the TU Graz FTP no longer has the 4.9.x client. – hangler Aug 25 '21 at 20:06

Patrick Brielmayer · Answer 5 · 2021-09-06T09:28:36.527

In addition to Nikitas answer, you should also remove the system extension:

Go to CMD
Execute
```
systemextensionsctl list
```
Look for TEAMID for BUNDLEID com.cisco.anyconnect.macos.acsockext

Execute

sudo systemextensionsctl uninstall TEAMID com.cisco.anyconnect.macos.acsockext

Note: As of September 1, 2020, running the systemextensionsctl uninstall command requires System Integrity Protection (SIP) to be disabled. This limitation is supposed to be removed by Apple at some point in the very near future.

eddyg · Answer 6 · 2023-03-30T17:15:04.233

1

FWIW, the Enterprise release notes for macOS Ventura 13.3 calls out a fix in macOS 13.3:

Resolves an issue where using Cisco AnyConnect could cause high CPU usage.

Figured it was worth mentioning.

edited Mar 30 '23 at 17:15

answered Mar 28 '23 at 01:16

eddyg

81

What’s the fix? Is an update necessary? If so, which version. It’s always best to include the relevant details rather than send folks off-site to get the answer. – Allan Mar 28 '23 at 01:58
High CPU usage by Cisco AnyConnect (now renamed to Cisco Secure Client) has been an issue under Ventura. I thought it was pretty clear that the fix I was referring to was upgrading to Ventura release 13.3, since in the particular instance I was referring to, it was an OS-related issue. – eddyg Mar 28 '23 at 11:57
The way it reads, especially with the word “Enterprise” don’t resonate with basic users unless they are in the IT space. I worked in large enterprise environments and I guarantee most users, wouldn’t have known what “enterprise” referred to – Allan Mar 28 '23 at 13:20
That's fair; but AnyConnect is definitely an "Enterprise" application, so that's where Apple chose to put the release note. – eddyg Mar 28 '23 at 18:48

score 1 · Answer 7 · answered Jun 15 '23 at 08:54

I found this gist on github and it worked me very well. https://gist.github.com/jasmas/22a4b1b12676c36074a4999c68e6a482

I copy paste the gist content here too:

#!/bin/sh
echo Disabling vpnagentd...
sudo launchctl disable system/com.cisco.anyconnect.vpnagentd
echo Tearing down vpnagentd...
sudo launchctl bootout system /Library/LaunchDaemons/com.cisco.anyconnect.vpnagentd.plist
echo Deactivating Cisco AnyConnect Socket Filter Extension...
/Applications/Cisco/Cisco\ AnyConnect\ Socket\ Filter.app/Contents/MacOS/Cisco\ AnyConnect\ Socket\ Filter -deactivateExt

All credit belongs the jasmas(https://gist.github.com/jasmas)

score 0 · Answer 8 · edited Sep 04 '21 at 11:10

I'm using AnyConnect 4.10.x on Big Sur 11.5.1. What worked for me was simply to not allow Cisco AnyConnect Socket Filter from loading system software (there would be a prompt in System Preferences > Security and Privacy) when you install AnyConnect.

The VPN client still works without a problem, and it seems the Socket Filter thing isn't really necessary anyways, except for the Filter Network Content feature the comment above mentioned.

score 0 · Answer 9 · answered Dec 15 '21 at 03:07

0

In Finder, control click on the Cisco AnyConnect Socket Filter, and select Show Package Contents. Expand the MacOS folder and delete the Unix Executable File.
This worked for me running Big Sur 11.6.

answered Dec 15 '21 at 03:07

Aaron Hansen

1

The process com.cisco.anyconnect.macos.acsockext hogs Mac CPU but cannot be killed or stopped from launching

9 Answers9

Linked