1password / Cisco AnyConnect VPN / New 15" MBPr with TouchBar

digitalskies
Community Member
edited May 2017 in Mac

AgileBits Update:
As Rudy mentions, there's a fix for this issue in the 4.4.2039 build of Cisco AnyConnect:

Just to give everyone an update. Cisco has a fix out for this issue in their build #: 4.4.2039

Cheers! :)

Hello,

Anybody have any problems with 1password / Cisco AnyConnect VPN / New 15" MBPr with TouchBar combination?

It stopped working for me as soon as I migrated to the new MBPr from the old one. I can't open main 1password application due to "1Password failed to connect to 1Password mini" error. It works fine as soon as I disconnect VPN and it works fine with established VPN connection on my old laptop (the same version of both AnyConnect VPN client and 1password). I even tried to do a clean install with just AnyConnect and 1password to exclude potential interferences from other applications with the same sad result.

My best guess for now is that something has been changed in how the new MBPr handles network interfaces, but I'm struggling to find out what is different and why 1password fails to connect to its mini "daemon".

If I disconnect VPN, start 1password then connect VPN again, 1password (and its browser extension) seems to be working fine.

Any help would be really appreciated!

macOS 10.12.1, 1password 6.5 from Mac App Store, Safari Extension 4.6.2, Cisco AnyConnect Secure Mobility Client 3.1.07021

Comments

  • @digitalskies,

    This issue doesn't appear to be directly related to 1Password, but rather how Apple chose to implement the communication between the OS and the TouchBar. The end result of that choice was that there is a network connection between the computer and the TouchBar that the Cisco AnyConnect VPN and software such as Cloak were interfering with. I would check with Cisco to see if they have an update available that doesn't interfere with the TouchBar communication.

    Rudy

  • digitalskies
    Community Member

    @rudy

    I somehow doubt it since all other applications are doing just fine. Including 1Password as soon as I start it BEFORE establishing VPN connection.

    Even if so, why should a failed connection to the TouchBar prevent 1Password from starting successfully? "Touch ID to unlock 1Password" is disabled in my case.

  • @digitalskies,

    The reason other applications don't have an issue, yet, is that many/all of them aren't making use of Touch ID ;)

    It has to do less with the TouchBar than it does with TouchID. It fails to start due to an API call we're making in mini to establish whether or not we can access the TouchID interface. That call will take a really long time to respond if a software such as Cloak or the Cisco VPN client is interposing itself into the network stack. Cloak released an update that fixed their impact, I'm hoping Cisco is able to do the same. I would definitely let them know and feel free to mention to them that they can contact us if they need additional information in order for them to solve the problem.

    Rudy

  • digitalskies
    Community Member

    @rudy

    Thanks for the detailed reply! :)

    I have two questions:

    1. Would it make sense for 1Password to fall back to its original behavior, i.e. just assume that Touch ID is not supported on the system if there is no reply to such an API call? I'm asking this because Cisco is a... well, very big company :) Sometimes they can be very slow in releasing updates to their software unless it's a critical case. Also, such a fallback might save 1Password from a number of different issues when the Touch ID API might not be accessible.

    2. Am I right in the assumption that if I install one of the previous versions of 1Password without TouchID support then it should work perfectly fine for me?

    Thanks again!

  • Hi @digitalskies,

    You could certainly use 6.3.5 in the short term if you're using the AgileStore version of 1Password. While I wouldn't recommend it as a long term solution, it would at least allow you to access your passwords. There are a ton of important fixes in 6.5.1 that you'd be missing out on.

    Another option is to look into the VPN configuration and have it not route all your locally destined traffic over the VPN. Ultimately the process for handling the TouchID/TouchBar is using a local TCP/IP connection to communicate so anything you can do to stop it from trying to reroute that traffic would certainly help.

    Rudy

  • megamarsh
    Community Member

    Just to throw in. I'm also having the same issue.

  • Drew_AG
    1Password Alumni

    Hi @megamarsh,

    I'm sorry you're also having trouble! Just to be clear, do you mean you get an error that says "1Password failed to connect to 1Password mini" when you try to launch the main 1Password app? If so, there could be another reason why that's happening. To help us determine the best way to get this sorted out, can you please let us know some more details:

    • What version of OS X / macOS are you running on your Mac?
    • What exact version of the 1Password app is installed on your Mac?
    • Are you using the AgileBits Store version or the Mac App Store version of 1Password?
    • Are you using a new MacBook Pro with TouchBar?
    • Are you using a VPN client on your Mac? If so, which one?
    • Are you able to open the main 1Password app if you disconnect VPN?

    Thanks!

  • megamarsh
    Community Member

    Hi @Drew_AG,

    Yes I get the "1Password failed to connect..." message.

    • OS X 10.12.1
    • 6.5.2
    • Mac App Store
    • MacBook Pro with TouchBar
    • I have 2 different VPNs. VPN Unlimited & Cisco VPN. It only happens with the Cisco VPN connection.
    • Yes. If I disconnect from the VPN 1Password opens.
  • AGAlumB
    1Password Alumni

    @megamarsh: Indeed, I use VPN Unlimited too and haven't run into issues like this with it. We've had other reports that Cisco is causing issues for 1Password users, though I don't have it myself to test. If they're forwarding local connections out over the internet (crazy, and unnecessary), that can cause issues for browser integration and now also the Touch Bar itself since that also utilizes local communications. While it may be something they can address more fully in an update, you may be able to at least set an exception for 1Password (though I wouldn't know where to start to do the same for the Touch Bar — you'd need to find out from Apple).

  • rneumann
    Community Member

    Hi @Drew_AG and @rudy,

    I too am having this issue with the new 2016 MacBook Pro 15" with TouchBar, Cisco AnyConnect VPN, and 1Password. My issue is exactly the same as @megamarsh.

    When I have a VPN connection established (no split tunneling), I am unable to connect to the 1Password mini and I receive an error. When I disconnect the VPN, I am able to open up 1Password.

    Here are the versions that I am using:

    OSX 10.12.1 (16B2659)
    1Password 6.5.2 (652002) - From App Store
    AnyConnect VPN 4.3.04027

    Please let me know if you need any logs or if I can test anything for you.

    -Rob

  • AGAlumB
    1Password Alumni

    @rneumann: As Rudy mentioned above, the Touch Bar (iOS) is using a local connection to communicate with the computer (macOS). Have you tried setting an exception, or contacting Cisco? We'll see if there's something we can do, but unfortunately 1Password cannot prevent your VPN software from (insanely) interfering with your Mac's local network communications, which are necessary for the Touch Bar / Touch ID to function. Let me know what you find!

  • rneumann
    Community Member

    Thanks @brenty. I'm not exactly sure what you mean by setting an exception. Can you explain to me the procedure?

    I'll report a bug with AnyConnect on my side (Cisco) and see if I can contact anyone regarding this.

    Thanks!

  • rneumann
    Community Member

    FYI... Just upgraded to macOS 10.12.2 and the issue is still there.

  • ChrisJenkins
    Community Member

    My company (who shall remain nameless) uses Cisco AnyConnect VPN and this highly problematic behaviour is well known to me; it has been like this for years and is immensely irritating as it affects many things (when VPN is active I cannot even establish an internal network connection to a VM running on the same Mac). Sadly, in the case of my company (and I suspect many others) this is a deliberate choice. My company locks down and disables the 'Local LAN Access' capability in Cisco AnyConnect for 'security reasons'. It is not possible to override this via local configuration as the setting is pushed to the client from the VPN gateway at connection time. So in my case there is no way this can be 'fixed' on the Cisco side of things and this is likely true of many other folk as well. So I would suggest that there are maybe 3 options:

    1. Apple changes how macOS communicates with the Touch Bar to avoid this issue.

    2. Agilebits figures out a way to avoid the issue.

    3. We accept that 1Password is intrinsically incompatible with Cisco AnyConnect VPN.

    To me (3) seems unacceptable and (1) seems highly unlikely so that just leaves (2)... Maybe there is another option but...

    Chris

  • digitalskies
    Community Member

    @ChrisJenkins My company (who shall remain nameless as well, he he) actually allows 'Local LAN access' but it still doesn't work for 1Password / Cisco AnyConnect combination.

    One thing I figured out and posted in initial topic in this thread (sorry if it's not clear; ESL): 1Password works perfectly fine even with TouchID access to it as soon as I start 1Password before I establish Cisco AnyConnect connection (when I can minimize it, forget about it, but don't close it). As far as I can understand from @Rudy's comment, it fails to start because during the start-up process it checks if there is a compatible TouchID sensor on this particular laptop or not.

    Of course, TouchID itself works fine with MacOS for a number of actions (unlock, authorize Settings app change, etc) even if a Cisco AnyConnect connection is established.

  • digitalskies
    Community Member

    And yes, I'm 100% positive in my previous comment. All non-intended for Cisco AnyConnect traffic (including 127/8, local network traffic, etc) goes through the normal route, i.e. my default gw configured at the moment.

  • ChrisJenkins
    Community Member

    Well, my comment about Local LAN Access stands in as much as (a) it is common for (paranoid) companies to forcibly disable that and (b) if it is disabled then things such as 1Password communicating with the Touch Bar (which is a separate computer accessed via a network connection) just won't work and (c) I doubt that Apple or Cisco are interested in fixing this since it is 'by design'.

    In your case I would suspect that there is an additional/different issue. But Cisco VPN is notorious for messing with the network stack in all sorts of nasty (and in the past sometimes buggy) ways. I guess AgileBits will have to work with Cisco and maybe Apple to diagnose the issue and figure out a fix.

  • AGAlumB
    1Password Alumni

    > Thanks @brenty. I'm not exactly sure what you mean by setting an exception. Can you explain to me the procedure?

    @rneumann: Unfortunately this is dependent entirely on their software, of which I am no expert. Many security/VPN/firewall/proxy suites are configurable, so that you can exclude specific apps/ports from being disturbed.

    > I'll report a bug with AnyConnect on my side (Cisco) and see if I can contact anyone regarding this. Thanks!

    I think that would be best. I'd be surprised if they don't have some Touch Bars they want to use themselves over there. ;)

    > FYI... Just upgraded to macOS 10.12.2 and the issue is still there.

    Definitely worth a try, but this isn't a bug with macOS; it's working as designed, and there really isn't anything Apple could do to stop 3rd party software from interfering — short of disabling it, and that would probably be a bit extreme.

  • AGAlumB
    1Password Alumni

    > My company (who shall remain nameless) uses Cisco AnyConnect VPN and this highly problematic behaviour is well known to me; it has been like this for years and is immensely irritating as it affects many things (when VPN is active I cannot even establish an internal network connection to a VM running on the same Mac). Sadly, in the case of my company (and I suspect many others) this is a deliberate choice. My company locks down and disables the 'Local LAN Access' capability in Cisco AnyConnect for 'security reasons'. It is not possible to override this via local configuration as the setting is pushed to the client from the VPN gateway at connection time. So in my case there is no way this can be 'fixed' on the Cisco side of things and this is likely true of many other folk as well.

    @ChrisJenkins: That's really interesting. Thanks for sharing this! You're right that if this is a corporate policy and not configurable that it leaves you with limited recourse. I hope that not everyone is in this same boat, or they'll find that even once other apps add support for the Touch Bar it cannot be used under those conditions.

    > So I would suggest that there are maybe 3 options:
    > 1) Apple changes how macOS communicates with the Touch Bar to avoid this issue.
    > 2) Agilebits figures out a way to avoid the issue.
    > 3) We accept that 1Password is intrinsically incompatible with Cisco AnyConnect VPN.
    > To me (3) seems unacceptable and (1) seems highly unlikely so that just leaves (2)... Maybe there is another option but...

    I think that's a fair assessment, except unfortunately this isn't something that AgileBits (or even Apple, to the extent that rearchitecting Touch Bar connectivity is almost certainly off the table) can "fix". The problem is that macOS, the Touch Bar, and 1Password are working as designed, and the VPN software, also working as designed, is interfering with your local traffic, which is never supposed to leave your computer, presumably to send it off to the server instead of its intended destination. :unamused:

    However, there may be something we can do to disable the Touch Bar functionality somehow. I'm not sure if this means a quicker timeout, detection, or a way to disable it manually, but we'll continue to look into it. Thanks for providing this additional insight!

    P.S: Have you tried launching 1Password prior to connecting to the VPN, as digitalskies mentioned? It sounds like that may be a useful workaround — and why it works in macOS even when connected: it initialized before the VPN.

  • AGAlumB
    1Password Alumni
    edited December 2016

    > One thing I figured out and posted in initial topic in this thread (sorry if it's not clear; ESL): 1Password works perfectly fine even with TouchID access to it as soon as I start 1Password before I establish Cisco AnyConnect connection (when I can minimize it, forget about it, but don't close it). As far as I can understand from @Rudy's comment, it fails to start because during the start-up process it checks if there is a compatible TouchID sensor on this particular laptop or not.
    >
    > Of course, TouchID itself works fine with MacOS for a number of actions (unlock, authorize Settings app change, etc) even if a Cisco AnyConnect connection is established.
    >
    > And yes, I'm 100% positive in my previous comment. All non-intended for Cisco AnyConnect traffic (including 127/8, local network traffic, etc) goes through the normal route, i.e. my default gw configured at the moment.

    @digitalskies: Thanks! That's really good info. It sounds strange, but I think it makes sense. We're just using Apple's officially supported APIs here, but it may be that they revise them in the future. However, I suspect that Apple isn't doing anything magical to get the Touch Bar working themselves even with the VPN connected — apart from initializing the connection before the VPN, which it sounds like works for 1Password as well. That seems to be the key. We'll see if we can find a way for 1Password to at least fail more gracefully when something is interfering.

    ref: OPM-4662
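
The fallback digitalskies asks for and the "quicker timeout" raised in the replies both come down to putting a deadline on the capability check and always keeping the master password available. A sketch of that pattern, added here as an illustration and not 1Password's code; `healthy_probe` and `stalled_probe` are constructed stand-ins for the real sensor query, and the 2-second deadline is an assumed value.

```python
import threading
import time
from enum import Enum


class Unlock(Enum):
    BIOMETRIC = "biometric"
    MASTER_PASSWORD = "master_password"


def probe_with_deadline(probe, deadline_s):
    """Run a capability probe on a daemon thread; return (answered, value).

    A probe that hangs (for example because local traffic is being
    intercepted) is abandoned after deadline_s, so start-up never blocks.
    """
    result = {}
    done = threading.Event()

    def worker():
        try:
            result["value"] = bool(probe())
        except Exception:
            result["value"] = False  # a failing probe means "not available"
        finally:
            done.set()

    # Daemon thread: a probe that never returns cannot keep the process alive.
    threading.Thread(target=worker, daemon=True).start()
    if done.wait(deadline_s):
        return True, result["value"]
    return False, False


def choose_unlock_methods(probe, deadline_s=2.0):
    """Return (methods, answered).

    The master password is always offered, so a slow or missing sensor only
    removes the convenience path. Authentication itself is never skipped.
    """
    answered, available = probe_with_deadline(probe, deadline_s)
    methods = [Unlock.MASTER_PASSWORD]
    if answered and available:
        methods.insert(0, Unlock.BIOMETRIC)
    return methods, answered


# Constructed stand-ins for the real sensor query (hypothetical names).
def healthy_probe():
    return True


def stalled_probe():
    time.sleep(5)  # simulates a call that takes "a really long time"
    return True


if __name__ == "__main__":
    print(choose_unlock_methods(healthy_probe))
    print(choose_unlock_methods(stalled_probe, deadline_s=0.5))
```

The `answered` flag lets the caller log a timed-out probe separately from a sensor that is genuinely absent, which is the signal support staff would need to spot interference of the kind described in this thread.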

  • [Deleted User]
    Community Member
    edited March 2017

    I recently got a MacBook Pro with Touch Bar (Sierra 10.12.3) and I'm also having issues when I'm connected to a VPN network using Cisco 3.1.05170 and I try to use 1Password version 6.6.2.

    I found a workaround that works for me but it's pretty annoying. When I'm on VPN and I need 1Password to fill in a password in Safari:
    1. Click the 1Password icon in Safari as I would normally.
    2. Wait a really long time, like 1 minute.
    3. Don't use the fingerprint authentication but "Enter Master Password"
    4. Wait again until the window to enter your password comes up. Be patient.
    5. Enter the password.

    After this the 1Password Safari extension works as expected. It's just annoying that it is very slow and I hope Agilebits can fix it, I mean, it's kind of your job to make the app run smoothly for your customers right?

  • DanielP
    1Password Alumni

    Hi @petervangalen

    Thank you for sharing this! Just for completeness, have you by chance tried the workaround mentioned above? Does it help with the performance issue? For your reference, this is the quoted passage from Brenty's post:

    > P.S: Have you tried launching 1Password prior to connecting to the VPN, as digitalskies mentioned? It sounds like that may be a useful workaround — and why it works in macOS even when connected: it initialized before the VPN.

    Daniel

  • [Deleted User]
    Community Member
    edited March 2017

    Hi @DanielP,
    Thanks for the suggestion. If I open the 1Password app prior to connecting to VPN, it works fine. If I keep the app open and connect to VPN, it still works. So that's more convenient than the workaround I suggested last week.
    Best,
    Peter

  • Drew_AG
    1Password Alumni

    On behalf of Daniel, you're very welcome! I'm glad that helped. If you have more questions or need anything else, please let us know! :)

  • digitalskies
    Community Member

    @Drew_AG it's been 5 months since this issue was reported. Are you going to do anything about it?

  • AGAlumB
    1Password Alumni

    @digitalskies: As mentioned previously, we can't fix this: 1Password for Mac can't stop 3rd party software from interfering with the Touch ID / Touch Bar connection. Have you tried opening 1Password first before connecting to the VPN? Others have reported that helps, and I don't expect that Apple is going to re-engineer this just because some software is sending your localhost connections out over the internet. :unamused:

  • digitalskies
    Community Member

    @brenty of course I've tried to start it before connecting to VPN. Probably because I was the one who posted this workaround in this thread 5 months ago.

    Can you guys invent a way to "fail more gracefully" as you mentioned in this thread months ago? Can you at least make it fall back to password authentication if Touch ID doesn't work or isn't available?

    What are you guys going to tell your customers if the Touch ID module breaks or starts to behave in the same way as when the VPN is up?

  • rcurran
    Community Member
    edited March 2017

    Just chiming in, have had the issue for months. Opened multiple tickets, had to resort to twitter to get any communication from support. Going to have to pivot to another solution sadly but it's been a great 5ish year run. Is lastpass still the next best password manager?

  • digitalskies
    Community Member

    Kind of my point as well. That can be a natural disaster for businesses that adopt 1password as a password manager and at the same time rely on Anyconnect VPN. More and more companies are starting to use the latest MBPros with Touch ID as a corporate standard for laptops, so I don't see how this issue can be ignored now.

  • AGAlumB
    1Password Alumni
    edited March 2017

    @rcurran: While there isn't much we can do for you in this situation, I'm very sorry that you had so much trouble getting a response from us. I can't imagine why we didn't get back to you after months. We're generally much better than that. That simply isn't acceptable, and we'll keep working to improve in that area. I'm sorry to see you go, but certainly if you find that another tool better suits your needs in this regard that's only reasonable. :(

This discussion has been closed.