ZPA Coexistence with Cisco AnyConnect on macOS

In most cases, Cisco AnyConnect and the Zscaler Client Connector (ZCC) can interoperate and coexist on the same machine running macOS. There are select situations where running both services at the same time may cause incompatibility issues. One such situation exists when AnyConnect is set to full-tunnel, exclude mode and Zscaler Client Connector is used for Zscaler Private Access (ZPA).

This limitation does not exist for ZCC for Windows when the packet filter driver is used in the forwarding profile.

Current State

Each solution operates properly by itself. When AnyConnect is connected, ZPA can be disabled; when AnyConnect is disconnected, ZPA can be enabled. However, this may not be desirable to customers, as it requires manual user intervention to ensure that only one solution is active and that the correct one is enabled. For example, users would have to remember that AnyConnect is for corporate applications and ZPA is for M&A applications.

When AnyConnect is in a “Connected” state in full-tunnel, exclude mode, the Zscaler Client Connector for ZPA may display a “FW/AV Error,” and the two solutions may not coexist.

ZCC displays the “FW/AV Error” when it is unable to communicate with an IP address in 100.64.0.0/16 on the local device. ZCC injects a route into the routing table to send all traffic destined for 100.64.0.0/16 to the ZCC tunnel adapter.

[Screenshot: AnyConnect and ZPA route table]

When operating in full-tunnel, exclude mode, Cisco AnyConnect’s default configuration contains the setting “anyconnect routing-filtering-ignore disable”.

The command “anyconnect routing-filtering-ignore” is under-documented, but its role is to remove any routes from the routing table that were not explicitly created by AnyConnect. This feature is intended to maintain the integrity of the routing table and minimize incompatibilities with the AnyConnect client.

Since ZCC injects the route for 100.64.0.0/16 into the routing table, AnyConnect in its default configuration continually removes it. Even if the route is added after AnyConnect is connected, it is removed. As a result, ZCC is unable to communicate with 100.64.0.0/16 and displays the “FW/AV Error” message.
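The route behaviour described above can be observed directly from a macOS terminal. The script below is an added diagnostic, not code from the original post or from Zscaler or Cisco. It assumes the ZPA synthetic-IP range is the default 100.64.0.0/16 and that the ZCC tunnel adapter appears in `netstat -rn` as a utun interface; the two sample routing tables embedded in it are constructed for offline testing, and their interface names and gateways are illustrative. Run it with `--watch` on a Mac where both clients are active: a route that is present in some samples and absent in others is the signature of AnyConnect’s route monitoring removing what ZCC keeps re-adding.

```shell
#!/bin/sh
# Added diagnostic (not from the original post). Assumptions: ZPA range is the
# default 100.64.0.0/16; the ZCC tunnel adapter shows up as a utun interface.
# The sample tables below are constructed for offline testing; interface
# names and gateways in them are illustrative.

# Constructed: routing table while ZCC's route is present (healthy state).
SAMPLE_WITH_ROUTE='Routing tables

Internet:
Destination        Gateway            Flags           Netif Expire
default            192.168.1.1        UGScg             en0
100.64/16          100.64.0.1         UGSc            utun3
127                127.0.0.1          UCS               lo0
192.168.1          link#6             UCS               en0'

# Constructed: the same table after AnyConnect route monitoring removed the
# route (the state behind the "FW/AV Error").
SAMPLE_WITHOUT_ROUTE='Routing tables

Internet:
Destination        Gateway            Flags           Netif Expire
default            192.168.1.1        UGScg             en0
127                127.0.0.1          UCS               lo0
192.168.1          link#6             UCS               en0'

# zpa_route_iface: read `netstat -rn` text on stdin and print the interface
# carrying the 100.64.0.0/16 route (macOS prints the prefix as 100.64/16).
# Exits 1 when the route is absent.
zpa_route_iface() {
    awk '
        $1 == "100.64/16" || $1 == "100.64.0.0/16" {
            # The Netif column position differs between macOS releases, so
            # take the first field after Flags that looks like an interface.
            for (i = 4; i <= NF; i++)
                if ($i ~ /^[a-z]+[0-9]+$/) { print $i; found = 1; break }
        }
        END { if (found) exit 0; exit 1 }'
}

# diagnose_zpa_route: read `netstat -rn` text on stdin and print one of
#   "ok <iface>"           route present via a utun (ZCC tunnel) adapter
#   "wrong-iface <iface>"  route present but not via a tunnel adapter
#   "missing"              route absent: ZCC cannot reach 100.64.0.0/16
diagnose_zpa_route() {
    iface=$(zpa_route_iface || :)
    if [ -z "$iface" ]; then
        echo "missing"
        return 1
    fi
    case "$iface" in
        utun*) echo "ok $iface" ;;
        *)     echo "wrong-iface $iface"; return 2 ;;
    esac
}

# watch_zpa_route N: sample the live routing table N times, one second apart,
# and count how often the route is absent. Flapping between present and
# absent across samples is the AnyConnect/ZCC conflict described above.
watch_zpa_route() {
    n=${1:-10}; missing=0; i=0
    while [ "$i" -lt "$n" ]; do
        netstat -rn -f inet | zpa_route_iface >/dev/null 2>&1 || missing=$((missing + 1))
        i=$((i + 1))
        sleep 1
    done
    echo "100.64.0.0/16 route missing in $missing of $n samples"
    [ "$missing" -eq 0 ]
}

# Usage on a Mac with both clients running: sh zpa_route_check.sh --watch 15
if [ "${1:-}" = "--watch" ]; then
    watch_zpa_route "${2:-10}"
fi
```

`diagnose_zpa_route` works on any saved `netstat -rn` output, so the same check can be run against a table captured from a user’s machine during a support case, without the live polling.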

Solution
Disable route monitoring

The setting “anyconnect routing-filtering-ignore disable” can be changed to “anyconnect routing-filtering-ignore enable”, which causes AnyConnect to ignore any changes made to the routing table.
There are implications to changing this setting from disable to enable. If the organization was relying on it to protect the routing table, there is no method to restrict routing table changes to just ZCC, or to only the routes ZCC requires for ZPA to operate. The setting is global and allows any application to modify the routing table.
It is up to each organization to weigh the risks of disabling this functionality against the benefits of allowing AnyConnect and ZPA to run simultaneously on macOS.
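For reference, the two states of the setting side by side, as an added fragment that is not from the original post and not a copy of any real ASA configuration. The group-policy name is a placeholder, and the placement under the group policy’s webvpn attributes is my assumption; confirm both against your own ASA running configuration before changing anything.

```text
! Default (route monitoring on): AnyConnect removes routes it did not create,
! including the 100.64.0.0/16 route ZCC injects for ZPA.
group-policy GP-FULLTUNNEL attributes
 webvpn
  anyconnect routing-filtering-ignore disable

! Changed (route monitoring off): AnyConnect leaves the routing table alone,
! so ZCC's route survives. This applies to every application, not only ZCC.
group-policy GP-FULLTUNNEL attributes
 webvpn
  anyconnect routing-filtering-ignore enable
```

The change takes effect for clients that receive the group policy on their next connection; a client already connected keeps the behaviour it was given at connect time.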

Warm Regards,
Chris
