Skip to main content
Ben Nadel at CFCamp 2023 (Freising, Germany) with: David Sedeño Fernández
Ben Nadel at CFCamp 2023 (Freising, Germany) with: David Sedeño Fernández

Cisco AnyConnect VPN Client May Block CORS AJAX OPTIONS Requests

By
Published in Comments (19)

For the last few months, I've needed to connect to a remote desktop session using a VPN (Virtual Private Network) client. The one that I was told to use was Cisco's AnyConnect VPN. This works well; but, a few weeks ago, I noticed that all of my CORS (Cross-Origin Resource Sharing) preflight "OPTIONS" requests were failing. Both Firefox and Chrome simply stated that the request was "Aborted"; cURL (curl) reported that the server returned an empty response. After much digging, I discovered that the cause of this CORS failure was the Cisco AnyConnect VPN.

Whenever I made my CORS preflight OPTIONS request, I noticed a number of items showing up in my iMac's console (console.app). All of the items were associated with the process, "acwebsecagent". After much Twitter venting, and some Googling, I came across this Apple Support forum thread, which indicated that the "acwebsecagent" process may be associated with the Cisco AnyConnect VPN.

So, this morning, I uninstalled the Cisco AnyConnect VPN and tried my CORS preflight OPTIONS requests. And, lo and behold, it worked! It was the VPN that was blocking and aborting the CORS AJAX requests.

Once I had narrowed down the culprit, I then reinstalled the Cisco AnyConnect VPN client; but, this time, I made sure not to install the "Web Security" module:


 
 
 

 
Cisco AnyConnect VPN will block CORS preflight OPTIONS requests if the Web Security module is installed.  
 
 
 

Now, I have the Cisco AnyConnect VPN installed and my CORS preflight OPTIONS requests are still working. Frustrating, but glad to have it solved!

Reader Comments

2 Comments

Thank you so much! This was affecting me for a couple of days now. I had to work my way down the google search results until I finally got to this link. You're a life saver.

Great blog BTW. I too develop SPA apps and have been on AngularJS for about a year. Your posts have helped me out from time to time in the past. Keep up the good work!

15,848 Comments

@Omar,

Glad I could help! This was driving me nuts! Hopefully I'll get some more AngularJS posts outer there. Been slow (too much work) lately.

15,848 Comments

@Jazmine,

I am not sure I understand what you're talking about with BitCoin. Do people have to pay for VPN? That seems odd.

1 Comments

Your process is quite helpful and these ideas are great when it works for you. My VPN is good enough and providing the best results without interrupting the AJAX or JavaScript. You can also try this if you still want to try some new VPN that really words for you.

1 Comments

Ben, I spent 2.5 days trying to figure this out. At one point I hit the end of the internet and had to turn around and go back. Stumbled upon this post.
This solved my problem!!! Thank you very much for this post!!!

1 Comments

Worked for me as well, though you might want to add that it 'only' blocks OPTIONS requests over ports 80 and 8080. To be sure, secure requests were fine.

1 Comments

I just wasted many hours of my time trying to figure out why in the world I couldn't get any OPTIONS requests to the api I'm working on to work....

This solved my problem.

Serenity now!

1 Comments

OMG. I wish I found your article a year ago. Today, I tried to get to the bottom of it and found your post. I was on the verge of reinstalling my Mac. Thanks Ben! I'd like to buy you a beer or ten.

1 Comments

Clients aside, for those unfamiliar, running your own server using OpenVPN and a cheap fast cloud/vps host like vultr, digitalocean.com, etc. is fairly straighforward in setup to build from scratch or Linux packages managers. And a good excuse to polish your secure networking knowledge, things are changing fast.

I did as a learning experiment 2 years ago, and I still the same instance today. Back then most OS's claimed no support, despite that installed clients on chromeos, rooted android 2.3 LGPrime, ipod/ios, windows vista, ubuntu 12+. It can only be a cinch now.

Travelling abroad? saved my friggin life, and had my back on a Stones presale I would've lost.

I believe in love. I believe in compassion. I believe in human rights. I believe that we can afford to give more of these gifts to the world around us because it costs us nothing to be decent and kind and understanding. And, I want you to know that when you land on this site, you are accepted for who you are, no matter how you identify, what truths you live, or whatever kind of goofy shit makes you feel alive! Rock on with your bad self!
Ben Nadel