@roop
Last active April 28, 2025 11:08

I was looking at the console log (console_log_ISSUE-START_2025-04-14_14-04-45.txt), looking for reasons why the data packet failed to send.

  • 14:01:19.390800 Laptop wakes up

    2025-04-14 14:01:19.390800+0200  localhost nesessionmanager[138]: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:eduVPN:9F329B94-B308-47A1-9446-E4E2E3B3E53E:(null)] in state NESMVPNSessionStateRunning: received wake event
    
  • 14:01:19.390927 Tunnel extension gets wake 'signal'

    2025-04-14 14:01:19.390927+0200  localhost TunnelExtension-macOS[4352]: (NetworkExtension) [com.apple.networkextension:] [Extension org.eduvpn.app.TunnelExtension]: Calling wake
    2025-04-14 14:01:19.841134+0200  localhost TunnelExtension-macOS[4352]: [org.eduvpn.app.TunnelExtension:TUN] Network change detected with satisfied route and interface order [en0, utun4]
    2025-04-14 14:01:19.961155+0200  localhost TunnelExtension-macOS[4352]: [org.eduvpn.app.TunnelExtension:TUN] Network change detected with satisfied route and interface order [en0, utun4]
    
  • 14:04:22.456434 A content filter kills the tunnel extension's socket

    2025-04-14 14:04:22.456434+0200  localhost kernel[0]: cfil_hash_entry_log:6088 <CFIL: RECEIVED CFM_OP_DROP>: [4352 TunnelExtension-macOS] <UDP(17) in so 9daf39117ab06561 14385787029399887 14385787029399887 age 0> lport 57206 fport 443 laddr 192.168.0.103 faddr 145.100.179.13 hash DB3A94F
    2025-04-14 14:04:22.456453+0200  localhost kernel[0]: cfil_ctl_send:2122 CFIL: VERDICT DROP RECEIVED: <so 9daf39117ab06561 sockID 14385787029399887 <331bcc0db3a94f>> <IN peek:0 pass:0, OUT peek:0 pass:0>
    2025-04-14 14:04:22.456458+0200  localhost kernel[0]: cfil_acquire_sockbuf:1596 so 9daf39117ab06561 drop set
    2025-04-14 14:04:22.456465+0200  localhost kernel[0]: cfil_acquire_sockbuf:1596 so 9daf39117ab06561 drop set
    

    According to https://github.com/apple/darwin-xnu/blob/main/bsd/net/content_filter.h CFM_OP_DROP means "shutdown socket, no more data"

  • 14:04:22.473 Failed to send data packet

    2025-04-14 14:04:22.473241+0200  localhost TunnelExtension-macOS[4352]: [org.eduvpn.app.TunnelExtension:TUN] peer(ynBK…kfzo) - Failed to send data packet: write udp4 0.0.0.0:57206->145.100.179.13:443: sendto: broken pipe
    

    The packets fail to send because a content filter blocked them. The addresses and ports in this error match the content filter messages that came before.

  • Not sure if these Application Firewall messages are relevant

    2025-04-14 14:04:22.454866+0200  localhost socketfilterfw[216]: [com.apple.ALF.ApplicationFirewall:fw] Handle flow with processPID: 4352 and bundleid: <private>
    
    2025-04-14 14:04:22.456402+0200  localhost socketfilterfw[216]: [com.apple.ALF.ApplicationFirewall:fw] Found matching app, but no need to update the effective policy
    2025-04-14 14:04:22.456406+0200  localhost socketfilterfw[216]: [com.apple.ALF.ApplicationFirewall:fw] KNOWN APP FLOW: <private>, return known verdict: 1 (BlockAll set: 1)
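
The manual correlation above (content filter DROP verdict, then a failed send on the same PID, local port and remote endpoint) can be automated over a console log. This is an added example, not part of the original gist; the regexes assume only the line layouts shown in the excerpts above, and the 5-second window and the last sample line are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S.%f%z"
# Kernel content-filter line: PID in brackets, then lport/fport/laddr/faddr.
DROP_RE = re.compile(r"CFM_OP_DROP>: \[(\d+) .*?\] .*? lport (\d+) fport (\d+) laddr \S+ faddr (\S+)")
# Tunnel extension send error: process[PID], then local:port->remote:port.
FAIL_RE = re.compile(r"\[(\d+)\]: .*Failed to send data packet: write udp4 \S+:(\d+)->([\d.]+):(\d+): sendto: broken pipe")

SAMPLE = [
    # Copied from the log excerpts above.
    "2025-04-14 14:04:22.456434+0200  localhost kernel[0]: cfil_hash_entry_log:6088 <CFIL: RECEIVED CFM_OP_DROP>: [4352 TunnelExtension-macOS] <UDP(17) in so 9daf39117ab06561 14385787029399887 14385787029399887 age 0> lport 57206 fport 443 laddr 192.168.0.103 faddr 145.100.179.13 hash DB3A94F",
    "2025-04-14 14:04:22.473241+0200  localhost TunnelExtension-macOS[4352]: [org.eduvpn.app.TunnelExtension:TUN] peer(ynBK…kfzo) - Failed to send data packet: write udp4 0.0.0.0:57206->145.100.179.13:443: sendto: broken pipe",
    # Constructed line: a send failure on another local port with no preceding DROP.
    "2025-04-14 14:05:00.000000+0200  localhost TunnelExtension-macOS[4352]: [org.eduvpn.app.TunnelExtension:TUN] peer(ynBK…kfzo) - Failed to send data packet: write udp4 0.0.0.0:50000->145.100.179.13:443: sendto: broken pipe",
]

def correlate(lines, window=timedelta(seconds=5)):
    """Return [((pid, lport, faddr, fport), delay_seconds)] for each send
    failure preceded, within `window`, by a DROP verdict on the same flow."""
    drops, findings = {}, []
    for line in lines:
        ts = datetime.strptime(" ".join(line.split()[:2]), TS_FMT)
        if m := DROP_RE.search(line):
            pid, lport, fport, faddr = m.groups()
            drops[(pid, lport, faddr, fport)] = ts
        elif m := FAIL_RE.search(line):
            key = m.groups()  # (pid, lport, faddr, fport)
            dropped_at = drops.get(key)
            if dropped_at is not None and timedelta(0) <= ts - dropped_at <= window:
                findings.append((key, (ts - dropped_at).total_seconds()))
    return findings

if __name__ == "__main__":
    for flow, delay in correlate(SAMPLE):
        print(f"send failure {delay:.6f}s after content filter DROP on flow {flow}")
```

Send failures that come back without a matching DROP, like the constructed one, need a different explanation and are worth investigating separately.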
    