WSS Agent shows "Error retrieving connection information (310)" and "Using connections from cache" when a 3rd party VPN client is connected

Article ID: 418958


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

When a 3rd party VPN client is connected on a macOS device, the following messages are visible in the WSS Agent UI:

WSS Agent Status

Connected to WSS for 00:01:07

Cloud Firewall Services: Enabled
Username: DOMAIN\username
Protocol: UDP
Datacenter: GFRVE
Error retrieving connection information (310)
Using connections from cache

The WSS Agent support logs show the following details:

[13:40:02]: WSS Agent has closed the connection. A new connection attempt will be made.
[13:40:07]: CTC failed (ec: 310 - The operation couldn't be completed. (kCFErrorDomainCFNetwork error 310.))
[13:40:13]: CTC failed (ec: 310 - The operation couldn't be completed. (kCFErrorDomainCFNetwork error 310.))
[13:40:19]: CTC failed (ec: 310 - The operation couldn't be completed. (kCFErrorDomainCFNetwork error 310.))
[13:40:25]: CTC failed (ec: 310 - The operation couldn't be completed. (kCFErrorDomainCFNetwork error 310.))
[13:40:31]: CTC failed (ec: 310 - The operation couldn't be completed. (kCFErrorDomainCFNetwork error 310.))
[13:40:32]: Attempting direct CTC request after 5 failures
[13:40:37]: CTC failed (ec: -1001 - The request timed out.)
[13:40:43]: CTC failed (ec: 310 - The operation couldn't be completed. (kCFErrorDomainCFNetwork error 310.))
[13:40:43]: CTC: trying to use cached CL after 6 failures
[13:40:43]: CTC: using the connect list cached in memory
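
A triage check for the log sequence shown above, as an added example that is not part of the original article or of the WSS Agent: it counts CTC error codes and reports whether the agent attempted a direct request and then fell back to the cached connect list. The function name `triage` and the result keys are assumptions; the sample lines are taken from the excerpt.

```python
import re
from collections import Counter

# Lines taken from the support log excerpt in this article.
FAIL_310 = ("CTC failed (ec: 310 - The operation couldn't be completed. "
            "(kCFErrorDomainCFNetwork error 310.))")
SAMPLE_LOG = "\n".join([
    "[13:40:02]: WSS Agent has closed the connection. A new connection attempt will be made.",
    *[f"[13:40:{s}]: {FAIL_310}" for s in ("07", "13", "19", "25", "31")],
    "[13:40:32]: Attempting direct CTC request after 5 failures",
    "[13:40:37]: CTC failed (ec: -1001 - The request timed out.)",
    f"[13:40:43]: {FAIL_310}",
    "[13:40:43]: CTC: trying to use cached CL after 6 failures",
    "[13:40:43]: CTC: using the connect list cached in memory",
])

# "[HH:MM:SS]: CTC failed (ec: <code> - <message>)"
CTC_FAIL = re.compile(r"^\[(\d{2}:\d{2}:\d{2})\]: CTC failed \(ec: (-?\d+) - ")
DIRECT = "Attempting direct CTC request"
CACHE = "using the connect list cached in memory"


def triage(log_text):
    """Summarise CTC failures in a WSS Agent support log (hypothetical helper)."""
    codes = Counter()
    first_fail = None
    direct_attempted = cache_fallback = False
    for line in log_text.splitlines():
        m = CTC_FAIL.match(line)
        if m:
            codes[int(m.group(2))] += 1
            first_fail = first_fail or m.group(1)
        elif DIRECT in line:
            direct_attempted = True
        elif CACHE in line:
            cache_fallback = True
    return {
        "first_failure": first_fail,
        "error_codes": dict(codes),
        "direct_attempted": direct_attempted,
        "cache_fallback": cache_fallback,
        # Pattern from this article: CFNetwork error 310 seen and the agent
        # ends up on the connect list cached in memory.
        "matches_article": codes[310] > 0 and cache_fallback,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```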

 

Environment

macOS devices (confirmed on Sonoma and later)

3rd party VPN client

WSS Agent 9.x

Cause

The 3rd party VPN client installs the following network extensions:

  • com.apple.networkextension.filter-data
  • com.apple.networkextension.app-proxy
  • com.apple.networkextension.dns-proxy

Here are the standard cases with the agent on macOS and the addition of this 3rd party VPN client:

  • When the WSS Agent (wssa) is installed on the device, the agent works with the macOS configuration to make the network connection.
    • When no proxy is configured, the request goes direct to the Internet to retrieve information from CTC.
    • When a proxy is configured on the system, the agent uses the proxy to retrieve information from CTC.
    • In both of those cases the agent uses the standard macOS Swift APIs to make the request, so the agent does not look up the proxy configuration and does not implement the proxy request itself. This is handled at the macOS level by the API implementation.
  • When the Cisco VPN client is installed, the wssa operates as needed without any problems. CTC requests are made to the Internet directly or via a configured proxy.
  • When the Cisco VPN client is connected, the wssa operates in the same manner as in the previous cases, using the macOS API calls; however, the macOS API provider returns an error.
  • CFNetwork (Core Foundation) is the macOS API available in Swift to make HTTP/HTTPS requests. The WSS Agent uses it because it provides an abstraction from the system configuration and ensures that changes made to the system (for example, proxy settings changes) are applied without the wssa having to do anything (the agent only consumes the API).
  • As a consumer of the CFNetwork API, the WSS Agent is neither cognisant of nor responsible for any configuration change. We make use of the API, the API ensures the system configuration is applied, and the agent has no decision in that process.

Resolution

Broadcom engineering confirmed that the problem is related to a macOS configuration change that is outside of the WSS Agent's control. Because we rely on the macOS Core Foundation API, we cannot work around the macOS configuration problem; it has to be fixed in the 3rd party client configuration / OS interactions.