Network connections fail after installing Endpoint Protection on Mac

Article ID: 240416

Products

Endpoint Protection, Endpoint Security, Endpoint Security Complete

Issue/Introduction

After installing Endpoint Protection (SEP) or Endpoint Security, Mac systems lose network connectivity once the Symantec Network Security filter is enabled.  Withdrawing the firewall and IPS policies does not resolve the issue.  Only disabling the SEP Network Filter restores network connectivity. 

Cause

The issue is caused by a hidden limitation in the macOS Network Extension Packet Filter API, which Endpoint Protection's firewall uses. When the system has more than a certain number of network interfaces, whether physical (for example, an Ethernet adapter) or virtual (for example, a VPN adapter), enabling the Packet Filter may block the device's network traffic.

The issue also exists on older Mac hardware models (for example, models with an Intel CPU). However, because they have fewer built-in network interfaces, these systems rarely run into it unless additional hardware or virtual network interfaces are installed.

Resolution

This is currently a limitation within macOS.

Apple increased the network interface limit from 12 to 16 with the release of macOS 12.4. This resolves the issue for most Mac models, but it can still occur on a few newer Mac models.
Apple increased the network interface limit to 32 in macOS 13.

Customers should upgrade to macOS 13 to take advantage of Apple's improvement. If there is still an issue, then open a case with Apple for further investigation.


As a workaround, you can set any unused network interface (Wi-Fi, USB, Thunderbolt, etc.) to a down state using ifconfig. Note that this is not a permanent solution, because the change does not persist through a reboot. You may also need to disable multiple unused interfaces before network connectivity is restored.

On Mac M1 hardware, there are often multiple Thunderbolt connections that are enabled as network interfaces by default. To see a list of hardware interfaces, run the following command:

networksetup -listallhardwareports

Hardware Port: Ethernet
Device: en0
Ethernet Address: <MAC Address>

Hardware Port: Ethernet Adapter (en6)
Device: en6
Ethernet Address: <MAC Address>

Hardware Port: Ethernet Adapter (en7)
Device: en7
Ethernet Address: <MAC Address>

Hardware Port: Ethernet Adapter (en8)
Device: en8
Ethernet Address: <MAC Address>

Hardware Port: Ethernet Adapter (en9)
Device: en9
Ethernet Address: <MAC Address>

Hardware Port: Wi-Fi
Device: en1
Ethernet Address: <MAC Address>

Hardware Port: Thunderbolt 1
Device: en2
Ethernet Address: <MAC Address>

Hardware Port: Thunderbolt 2
Device: en3
Ethernet Address: <MAC Address>

Hardware Port: Thunderbolt 3
Device: en4
Ethernet Address: <MAC Address>

Hardware Port: Thunderbolt 4
Device: en5
Ethernet Address: <MAC Address>

Hardware Port: Thunderbolt Bridge
Device: bridge0
Ethernet Address: <MAC Address>

In the above example, you can use the following commands to disable the Thunderbolt interfaces.

ifconfig en2 down
ifconfig en3 down
ifconfig en4 down
ifconfig en5 down

For a full list of both virtual and physical interfaces, you can run ifconfig:

apl1105:~ root# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
 options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
 inet 127.0.0.1 netmask 0xff000000
 inet6 <IPv6 Address> prefixlen 128
 inet6 <IPv6 Address> prefixlen 64 scopeid 0x1
 nd6 options=201<PERFORMNUD,DAD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
anpi1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 options=400<CHANNEL_IO>
 ether <MAC Address>
 inet6 <IPv6 Address> prefixlen 64 scopeid 0x4
 nd6 options=201<PERFORMNUD,DAD>
 media: none
 status: inactive
anpi2: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 options=400<CHANNEL_IO>
 ether <MAC Address>
 inet6 <IPv6 Address> prefixlen 64 scopeid 0x5
 nd6 options=201<PERFORMNUD,DAD>
 media: none
 status: inactive
anpi3: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 options=400<CHANNEL_IO>
 ether <MAC Address>
 inet6 <IPv6 Address> prefixlen 64 scopeid 0x6
 nd6 options=201<PERFORMNUD,DAD>
 media: none
 status: inactive
anpi0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 options=400<CHANNEL_IO>
 ether <MAC Address>
 inet6 <IPv6 Address> prefixlen 64 scopeid 0x7
 nd6 options=201<PERFORMNUD,DAD>
 media: none
 status: inactive
en6: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 options=400<CHANNEL_IO>
 ether <MAC Address>
 nd6 options=201<PERFORMNUD,DAD>
 media: none
 status: inactive
en7: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 options=400<CHANNEL_IO>
 ether <MAC Address>
 nd6 options=201<PERFORMNUD,DAD>
 media: none
 status: inactive
en8: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 options=400<CHANNEL_IO>
 ether <MAC Address>
 nd6 options=201<PERFORMNUD,DAD>
 media: none
 status: inactive
en9: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 options=400<CHANNEL_IO>
 ether <MAC Address>
 nd6 options=201<PERFORMNUD,DAD>
 media: none
 status: inactive
en2: flags=8822<BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
 options=460<TSO4,TSO6,CHANNEL_IO>
 ether <MAC Address>
 media: autoselect <full-duplex>
 status: inactive
en3: flags=8922<BROADCAST,SMART,PROMISC,SIMPLEX,MULTICAST> mtu 1500
 options=460<TSO4,TSO6,CHANNEL_IO>
 ether <MAC Address>
 media: autoselect <full-duplex>
 status: inactive
en4: flags=8922<BROADCAST,SMART,PROMISC,SIMPLEX,MULTICAST> mtu 1500
 options=460<TSO4,TSO6,CHANNEL_IO>
 ether <MAC Address>
 media: autoselect <full-duplex>
 status: inactive
en5: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
 options=460<TSO4,TSO6,CHANNEL_IO>
 ether <MAC Address>
 media: autoselect <full-duplex>
 status: inactive
ap1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 options=400<CHANNEL_IO>
 ether be:<MAC Address>
 nd6 options=201<PERFORMNUD,DAD>
 media: autoselect
 status: inactive
en1: flags=8822<BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
 options=400<CHANNEL_IO>
 ether <MAC Address>
 media: autoselect
 status: inactive
awdl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
 options=400<CHANNEL_IO>
 ether <MAC Address>
 nd6 options=201<PERFORMNUD,DAD>
 media: autoselect
 status: inactive
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 9000
 options=467<RXCSUM,TXCSUM,VLAN_MTU,TSO4,TSO6,CHANNEL_IO>
 ether <MAC Address>
 inet6 <IPv6 Address> prefixlen 64 secured scopeid 0x13
 inet <IP Address> netmask 0xffffffc0 broadcast <IP Address>
 nd6 options=201<PERFORMNUD,DAD>
 media: 10Gbase-T <full-duplex>
 status: active
bridge0: flags=8822<BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
 options=63<RXCSUM,TXCSUM,TSO4,TSO6>
 ether <MAC Address>
 Configuration:
  id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
  maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
  root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
  ipfilter disabled flags 0x0
 member: en3 flags=3<LEARNING,DISCOVER>
         ifmaxaddr 0 port 13 priority 0 path cost 0
 member: en4 flags=3<LEARNING,DISCOVER>
         ifmaxaddr 0 port 14 priority 0 path cost 0
 member: en5 flags=3<LEARNING,DISCOVER>
         ifmaxaddr 0 port 15 priority 0 path cost 0
 media: <unknown type>
 status: inactive
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
 inet6 <IPv6 Address> prefixlen 64 scopeid 0x15
 nd6 options=201<PERFORMNUD,DAD>
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
 inet6 <IPv6 Address> prefixlen 64 scopeid 0x16
 nd6 options=201<PERFORMNUD,DAD>
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1000
 inet6 <IPv6 Address> prefixlen 64 scopeid 0x17
 nd6 options=201<PERFORMNUD,DAD>
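
The workaround above can be triaged with a small script. The following is an added example, not Symantec or Apple code: it parses ifconfig output, counts interfaces against the limits quoted in this article, and lists ports that look unused. The function names and the sample data are constructed, and it assumes that only interfaces with the UP flag count toward the limit, which the article does not state.

```shell
#!/bin/sh
# Added example: triage ifconfig output against the limits this article quotes.

# iface_limit MAJOR MINOR -> interface limit stated for that macOS version
iface_limit() {
    if [ "$1" -ge 13 ]; then echo 32
    elif [ "$1" -eq 12 ] && [ "$2" -ge 4 ]; then echo 16
    else echo 12
    fi
}

# summarize: ifconfig text on stdin -> "name up|down status addr|noaddr" per interface
summarize() {
    awk '
    function emit() { if (name != "") print name, up, status, addr }
    /^[a-z][a-z0-9]*: flags=/ {
        emit(); name = $1; sub(/:$/, "", name)
        up = ($2 ~ /[<,]UP[,>]/) ? "up" : "down"
        status = "nostatus"; addr = "noaddr"; next
    }
    $1 == "status:" { status = $2 }
    $1 == "inet" || $1 == "inet6" { addr = "addr" }
    END { emit() }'
}

# count_up: interfaces carrying the UP flag (assumed to be what counts)
count_up() { summarize | awk '$2 == "up" { n++ } END { print n + 0 }'; }

# down_candidates: enN ports that are UP, report "status: inactive", hold no address
down_candidates() {
    summarize | awk '$1 ~ /^en[0-9]+$/ && $2 == "up" && $3 == "inactive" && $4 == "noaddr" { print $1 }'
}

# Constructed sample in ifconfig layout (not captured from a real host).
sample() {
cat <<'EOF'
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
 inet 127.0.0.1 netmask 0xff000000
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
 status: active
en2: flags=8822<BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
 status: inactive
en5: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
 status: inactive
en6: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 status: inactive
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
 inet6 fe80::1%utun0 prefixlen 64 scopeid 0x15
EOF
}

echo "UP interfaces: $(sample | count_up) (limit on macOS 12.4: $(iface_limit 12 4))"
echo "candidates: $(sample | down_candidates | tr '\n' ' ')"
```

On a Mac, pipe `ifconfig` into the functions in place of `sample`, and confirm each listed port is really unused before running `ifconfig <name> down` as root.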

Additional Information

FB9973238
CRE-9281
CRE-9947