nesessionmanager “Resetting VPN On Demand” after sleep/wake

App & System Services Networking
Catonian OP
Created 3d
Replies 1
Boosts 0
Views 54
Participants 2

We’re developing an enterprise VPN client for macOS using NetworkExtension (PacketTunnelProvider) with Always-On / On-Demand VPN, deployed via MDM.

On macOS 14.x and 15.x we observe the following log message from nesessionmanager:

nesessionmanager: NESMVPNSession[...] Resetting VPN On Demand

This most commonly occurs after sleep → wake.

After this happens, the VPN no longer reconnects automatically, even though isOnDemandEnabled remains true and On-Demand rules are still present. Then a manual user action is required to reconnect.

Questions:

  1. Is the “Resetting VPN On Demand” log message expected during sleep/wake transitions?

  2. Under what conditions does macOS reset On-Demand VPN state?

  3. Is there a supported way to detect or recover from this state programmatically?

Any guidance on expected behavior or best practices would be appreciated.

Answered by DTS Engineer in 873728022
with Always-On / On-Demand VPN

To be clear, Always-on VPN is a very specific thing that’s not supported with third-party VPN products (r. 21363342) [1].

My experience, based on the number of problems I’ve seen here on the forums, is that folks who try to use VPN On Demand to simulate Always-on VPN are invariably disappointed )-:

Given that, I’m not sure how much I can help you here. My general advice:

  • If you would like to track the state of the above-mentioned enhancement request, file your own ER and ask that it be dup’d to problem 21363342.
  • If you’re able to reproduce the problem you’ve described on macOS 26, you should consider filing a bug about that.

And there’s nothing stopping you from doing both (-:

If you do file a bug for the problem you’re seeing:

  • Make sure you can reproduce it on macOS 26. You mentioned that you’re seeing this on macOS 14 and 15, and there’s probably not much point filing a bug against those systems.
  • Attach a sysdiagnose log taken shortly after seeing the problem. I realise that this is hard given that this is intermittent, but not having this log will make it hard for your bug to get traction. For more about sysdiagnose logs, see our Bug Reporting > Profiles and Logs page.
  • If possible, enable additional NE debugging per the VPN (Network Extension) instructions on the same page.
  • Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Historically I mentioned a different bug in this case (r. 33804980), but that bug has now be dup’d to the above-mentioned bug so it makes sense for me to use that instead.

Replies  1
Boosts  0
Views  54
Participants  2
DTS Engineer OP
Apple
2d
Recommended
with Always-On / On-Demand VPN

To be clear, Always-on VPN is a very specific thing that’s not supported with third-party VPN products (r. 21363342) [1].

My experience, based on the number of problems I’ve seen here on the forums, is that folks who try to use VPN On Demand to simulate Always-on VPN are invariably disappointed )-:

Given that, I’m not sure how much I can help you here. My general advice:

  • If you would like to track the state of the above-mentioned enhancement request, file your own ER and ask that it be dup’d to problem 21363342.
  • If you’re able to reproduce the problem you’ve described on macOS 26, you should consider filing a bug about that.

And there’s nothing stopping you from doing both (-:

If you do file a bug for the problem you’re seeing:

  • Make sure you can reproduce it on macOS 26. You mentioned that you’re seeing this on macOS 14 and 15, and there’s probably not much point filing a bug against those systems.
  • Attach a sysdiagnose log taken shortly after seeing the problem. I realise that this is hard given that this is intermittent, but not having this log will make it hard for your bug to get traction. For more about sysdiagnose logs, see our Bug Reporting > Profiles and Logs page.
  • If possible, enable additional NE debugging per the VPN (Network Extension) instructions on the same page.
  • Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Historically I mentioned a different bug in this case (r. 33804980), but that bug has now be dup’d to the above-mentioned bug so it makes sense for me to use that instead.

0
nesessionmanager “Resetting VPN On Demand” after sleep/wake
First post date Last post date
 
 
Q