Cisco Secure Client Connection Problems

I recently upgraded my system and was then not able to connect to my work VPN using the latest Cisco Secure Client (5.1.17.3394) with these two errors

With the help of LLMs, I was eventually able to find a workaround. The details from AI are below - I do not know whether this is correct or not, but the solution did allow me to connect.

AI summary:

We need to block the vpnagent service from accessing the system D-Bus socket, as well as any fallback files and commands it might use to check your sessions (utmp, loginctl, etc.). By completely blinding the daemon, it will default to assuming you are a standard local user and allow the connection.

AI problem and solution details:

Problem: Cisco VPN rejected connections, falsely detecting your local Wayland/Sway session as “remote.”
Root Cause: A recent systemd update introduced a persistent background manager session. The Cisco daemon detected this extra session via D-Bus and triggered the server’s strict “Local Users Only” lockout.
Solution: Blinded the Cisco daemon to session data. Applied a systemd override (systemctl edit csc_vpnagent) using InaccessiblePaths to completely block the agent’s access to the system D-Bus socket, /run/systemd/sessions, and legacy utmp files.
Result: Unable to see the background session, the client defaulted to normal behavior and established the tunnel.

Allegedly Cisco Secure Client is determining that I am a remote user, not a local user, because it’s seeing more than one login session on the system (loginctl). And my work VPN blocks remote user connections.

The change I had to make was to run sudo systemctl edit csc_vpnagent and add the following lines at the top:

[Service]
InaccessiblePaths=-/run/dbus/system_bus_socket
InaccessiblePaths=-/run/systemd/sessions
InaccessiblePaths=-/run/systemd/seats
InaccessiblePaths=-/run/utmp
InaccessiblePaths=-/var/run/utmp
InaccessiblePaths=-/usr/bin/loginctl
InaccessiblePaths=-/usr/bin/who
InaccessiblePaths=-/usr/bin/w

I believe that this blocks Cisco Secure Client from accessing D-Bus and thus prevents it from erroneously detecting a remote user.

Perhaps this will help someone, saving them from pulling some of their hair out.

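To check the "more than one login session" explanation above on your own machine, this added example (not part of the original post and not Cisco's code) lists each logind session with its class and remote flag. The sample records are constructed; running the script with `--live` reads the real ones through `loginctl`, and the function names are this example's own.

```shell
#!/bin/sh
# Added diagnostic example: summarise logind sessions by class and remote flag.

# Read blank-line separated "Key=Value" session records on stdin and print
# one line per session: "<id> class=<c> type=<t> remote=<r> <note>".
summarize_sessions() {
    awk -F= '
        function emit() {
            if (id == "") return
            note = "local-interactive"
            if (remote == "yes")      note = "REMOTE"
            else if (class != "user") note = "non-interactive(" class ")"
            printf "%s class=%s type=%s remote=%s %s\n", id, class, type, remote, note
            id = class = type = remote = ""
        }
        /^$/           { emit(); next }
        $1 == "Id"     { id = $2 }
        $1 == "Class"  { class = $2 }
        $1 == "Type"   { type = $2 }
        $1 == "Remote" { remote = $2 }
        END            { emit() }
    '
}

# Collect live records from logind, one session at a time.
live_sessions() {
    for s in $(loginctl list-sessions --no-legend | awk '{print $1}'); do
        loginctl show-session "$s" -p Id -p Class -p Type -p Remote
        echo
    done
}

# Constructed sample: one Wayland desktop session plus one "manager" class
# session, the situation the post describes.
SAMPLE='Id=2
Class=user
Type=wayland
Remote=no

Id=3
Class=manager
Type=unspecified
Remote=no'

if [ "${1:-}" = "--live" ]; then
    live_sessions | summarize_sessions
else
    printf '%s\n' "$SAMPLE" | summarize_sessions
fi
```

After applying the override, `systemctl show csc_vpnagent -p InaccessiblePaths` shows whether the drop-in was actually picked up by the unit.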