Network Connect Hangs on “Establishing secure connection…”

Being a work from home / travel employee means that VPN access is critical for me. From time to time I run into issues with my VPN that consume time and impact productivity. When I run across such issues I like to blog about them to hopefully solve the problem for someone else. In this post, I would like to discuss when Network Connect hangs with “Establishing secure connection…”

VPN issues can be caused by a variety of things, but in the case of Network Connect I find Java to be the underlying issue the majority of the time. My typical troubleshooting steps look something like the following:

  • Did I recently upgrade Java? Yup, moved to Java 8 Update 60 (60… really?!)
  • Clear temporary Java files and retry — fail
  • Remove Java applications and retry — fail
  • Clear browser cache and retry — fail
  • Reinstall Network Connect — fail
  • Restart the computer — fail
  • Check the logs — note this should be the first step

In the logs I found an interesting message:

10/8/15 1:39:07.418 PM com.apple.kextd[45]: ERROR: invalid signature for net.juniper.nke.nctun_tiger, will not load

Bingo, the signature is not being accepted likely due to the Java update — which means an update to Network Connect is needed. So the options are either revert to a previous version of Java (not going to happen) or ignore the signature error. To disable the signature error on mac run:

sudo nvram boot-args="kext-dev-mode=1"

The above command disables signature validation for ALL applications and packages — technically this is a security risk, but if you know and trust what you are installing it is not an issue. After running the above command you need to restart your mac. Now Network Connect will work properly. In a few weeks I will try to turn signature checking back on and see if the issue is resolved.

© 2015 – 2021, Steve Flanders. All rights reserved.

8 comments on “Network Connect Hangs on “Establishing secure connection…”

Martin says:

Steve,
What version of OS X are/were you running when you re-enabled kernel extensions? I ask because I see this issue using Juniper Network Connect from OS X 10.11 and re-enabling the kernel extensions along with a reboot has not resolved the issue.
Oct 13 10:55:29 crm06032 com.apple.kextd[46]: ERROR: invalid signature for net.juniper.nke.nctun_tiger, will not load
Oct 13 10:55:29 crm06032 kernel[0]: Kext net.juniper.nke.nctun_tiger not found for unload request.

Hey Martin — Thanks for the comment! I have not enable the kernel extensions yet 🙂

Fadi says:

Martin and Steve,
I’m not seeing the first error (invalid signature), only the second (Kext net.juniper.nke.nctun_tiger not found for unload request.). Any idea what that means?
Martin, did you ever get yours to work?
Thanks Steve for putting this together.
Fadi

Hey Fadi — Thanks for the comment! I would guess it is the same issue — have you tried to proposed workaround (you could always revert back if it does not work)?

David K says:

It has not worked for me either and I am also on OS X 10.11.

Hey David — Thanks for the comment! Yes, my testing was done on Yosemite, but I can confirm on upgrade to El Capitan the mentioned workaround does not help. To resolve the issue, I downloaded the latest Pulse Secure client. You can find the details here: https://sflanders.net/2015/10/10/how-to-download-network-connect/.

alton yu says:

Even with Pulse, my version doesn’t work with El Capitan. I had to run csrutil in the recovery partition in order to get it to work. After doing that, I was able to connect with either, nc or pulse.

Hey Alton — Thanks for the comment! Interesting that you had to go to those lengths, but glad you found a workaround — thanks for sharing!!

Leave a Reply

Your email address will not be published. Required fields are marked *

Back To Top