Sweep for Mac


Mac Network Extension Corrupt or Stuck? Here's How to Reset It

Mac network extensions hung, blocking traffic, or refusing to remove? Here's how to identify, reset, and force-remove them on macOS Sonoma and Sequoia.


You uninstalled a VPN three months ago, but systemextensionsctl list still shows its network extension as “activated.” Removing it gives errors. Internet works most of the time, but every few days something flakes — Slack drops, AirPlay fails, DNS lookups stall. The leftover extension is intercepting traffic for an app that no longer exists.

Network extensions on modern macOS are the replacement for the old kernel extensions Apple deprecated. They’re sandboxed, signed, and live in user space, but they’re also notoriously hard to remove cleanly when something goes wrong.

Here’s how to diagnose, reset, and force-remove a stuck network extension on macOS Sonoma 14 and Sequoia 15.

What’s a network extension actually doing?

Network extensions intercept network traffic. They come in several flavors:

  • VPN extensions: tunnel traffic to a remote server.
  • Content filter extensions: block or modify URLs and DNS (Little Snitch, LuLu, AdGuard).
  • DNS proxy extensions: replace the system resolver.
  • Packet tunnel providers: low-level packet manipulation.

Apps install them with user approval, and once approved, they run continuously — even when the parent app is closed. That’s by design (a VPN should keep tunneling even if you quit its UI). The downside is that broken or orphaned extensions keep running, too.

Step 1: List what’s loaded

Open Terminal:

systemextensionsctl list

You’ll see something like:

1 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
*    *      ABCD1234 com.example.vpn.extension (1.0.0/1) ExampleVPN [activated enabled]

Each entry includes:

  • teamID: the developer’s team identifier.
  • bundleID: the extension’s bundle.
  • state: should be “activated enabled” or “terminated.”

If you see extensions whose parent app is gone, those are orphans.

Step 2: Check what’s currently filtering

sudo log show --predicate 'subsystem == "com.apple.networkextension"' --last 1h

This shows recent network extension activity. You’ll see which extensions are processing traffic, when they reload, and any errors.

If a specific extension shows constant “failed to start” or “lost connection” errors, that’s your stuck one.

Step 3: Check the running processes

ps aux | grep -i extension
ps aux | grep -i nesessionmanager

nesessionmanager is the macOS process that supervises network extensions. If it’s restarting in a loop (its PID and start time keep changing between runs of the command), an extension is crashing.

Step 4: Try the official uninstall path

The cleanest way to remove a network extension is through the parent app’s uninstaller (if it has one) or by reinstalling the app and using its uninstall menu.

If the parent app is gone, try:

systemextensionsctl uninstall <teamID> <bundleID>

For example:

systemextensionsctl uninstall ABCD1234 com.example.vpn.extension

This requests removal. macOS may prompt for admin password.

If it succeeds, run systemextensionsctl list again to confirm the extension is gone.

Tip: The teamID and bundleID must match exactly. Copy them from the list output rather than typing.
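
To follow the tip above without retyping anything, the listing from Step 1 can be parsed into exact teamID/bundleID pairs. This is an added example, not part of the original guide or of any Apple tooling: the function names and the second sample row are constructed for illustration, and the generated command is only printed for review, never run.

```shell
#!/bin/sh
# Added example: turn `systemextensionsctl list` text into exact IDs and commands.
# SAMPLE is constructed; on a Mac use:  systemextensionsctl list | parse_sysexts
SAMPLE='2 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
*    *      ABCD1234 com.example.vpn.extension (1.0.0/1) ExampleVPN [activated enabled]
            WXYZ5678 com.example.old.filter (2.3/7) Old Filter [terminated waiting to uninstall on reboot]'

# stdin: list output; stdout: teamID<TAB>bundleID<TAB>state, one row per extension.
# Rows are anchored on the "(version)" token, so a blank enabled/active column
# or a display name containing spaces does not shift the fields.
parse_sysexts() {
  awk '
    { sub(/[ \t\r]+$/, "") }
    {
      for (i = 3; i <= NF; i++) if ($i ~ /^\(/) break
      if (i > NF || $(i - 1) == "bundleID") next      # not a row, or the header
      team = $(i - 2); bundle = $(i - 1)
      rest = $0; state = ""
      while ((p = index(rest, "[")) > 0) { rest = substr(rest, p + 1); state = rest }
      sub(/\].*$/, "", state)                          # text inside the last [...]
      print team "\t" bundle "\t" state
    }'
}

# $1: substring of the bundleID to remove. Prints the exact uninstall command
# for each match, and only when both IDs contain nothing but expected characters.
uninstall_cmd() {
  parse_sysexts | awk -F'\t' -v pat="$1" '
    index($2, pat) && $1 ~ /^[A-Za-z0-9]+$/ && $2 ~ /^[A-Za-z0-9._-]+$/ {
      printf "systemextensionsctl uninstall %s %s\n", $1, $2
    }'
}

printf '%s\n' "$SAMPLE" | parse_sysexts
printf '%s\n' "$SAMPLE" | uninstall_cmd old.filter
```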

Step 5: When uninstall fails

Common errors:

  • “Service code 51”: extension is in use; can’t be removed while active.
  • “Permission denied”: needs sudo, and even with sudo, requires SIP-aware approval.
  • “Operation not permitted”: extension’s parent app must approve removal in some configurations.

If the extension can’t be removed because it’s “in use”:

  1. Open System Settings → VPN → disconnect any VPN.
  2. Open System Settings → Network → identify and remove configurations using this extension.
  3. Try the uninstall command again.


Step 6: Use systemextensionsctl reset (last resort)

If individual removal fails, you can nuke all third-party system extensions at once, network extensions included:

sudo systemextensionsctl reset

This removes every third-party system extension. You’ll need to re-approve each one when its parent app launches and re-requests installation.

This is heavy-handed but reliable. Use it when one stuck extension is breaking everything.

Step 7: Remove configuration profiles

Some VPNs install configuration profiles that hold on to extensions. Open System Settings → Privacy & Security → Profiles and remove any profiles from VPNs you no longer use.

Configuration profiles can also be listed:

profiles list

And removed:

sudo profiles remove -identifier <profile-identifier>

Step 8: Remove network configurations

scutil --nc list

Lists VPN configurations. If you see ones for services that don’t exist anymore:

sudo scutil --nc destroy "VPN Service Name"

(With the exact name from the list output.)

Or do it in the GUI: System Settings → Network → click old VPN entries → minus button → remove.

Step 9: Clean up keychain entries

Network extensions often store credentials in Keychain. Stale entries can cause new VPN attempts to fail.

Open Keychain Access → search for the old VPN’s name → delete entries.

Step 10: Clean up launch agents and daemons

VPN apps install launch agents in:

  • ~/Library/LaunchAgents/
  • /Library/LaunchAgents/
  • /Library/LaunchDaemons/

Look for plist files matching the old app’s name. Move them to the desktop, restart, see if anything broke. If nothing broke after a day, delete them.
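
Matching on the app's name misses helpers registered under a different label, so this added example (not from the original guide) goes one step further and reports every launchd plist in those directories whose Program or first ProgramArguments entry points at a file that no longer exists. The function names are hypothetical, the XML parsing assumes the one-element-per-line layout that plutil emits, and the script only reports; it moves and deletes nothing.

```shell
#!/bin/sh
# Added example: report launchd plists whose target executable no longer exists.

# Print a plist as XML. On macOS plutil also decodes binary plists.
plist_xml() {
  if [ "$(uname)" = Darwin ]; then plutil -convert xml1 -o - "$1"
  else cat "$1"; fi
}

# stdin: XML plist; stdout: Program, or the first ProgramArguments entry.
launch_program() {
  awk '
    /<key>Program(Arguments)?<\/key>/ { want = 1 }
    want && /<string>/ {
      sub(/^.*<string>/, ""); sub(/<\/string>.*$/, ""); print; exit
    }'
}

# args: directories to scan; prints "plist -> missing executable" per orphan.
orphaned_launch_items() {
  for dir in "$@"; do
    [ -d "$dir" ] || continue
    for plist in "$dir"/*.plist; do
      [ -f "$plist" ] || continue
      prog=$(plist_xml "$plist" 2>/dev/null | launch_program)
      case "$prog" in
        /*) ;;                 # absolute path: can be checked on disk
        *) continue ;;         # empty or PATH-relative: skip, cannot judge
      esac
      [ -e "$prog" ] || printf '%s -> %s\n' "$plist" "$prog"
    done
  done
}

orphaned_launch_items "$HOME/Library/LaunchAgents" \
  /Library/LaunchAgents /Library/LaunchDaemons
```

Reading /Library/LaunchDaemons may need sudo; anything the script reports can then be handled with the move-to-desktop routine above.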

This is exactly the kind of cleanup that’s easy to miss manually. Sweep’s app uninstaller targets all four locations as part of full app removal — that’s why VPN cleanup is one of its most-used features.


Step 11: Reset the SystemConfiguration cache

If extensions wrote to the cached network configuration:

  1. Wi-Fi off.
  2. Finder → Go → /Library/Preferences/SystemConfiguration/.
  3. Move to desktop:
    • preferences.plist
    • NetworkInterfaces.plist
    • com.apple.airport.preferences.plist
  4. Restart.
  5. Wi-Fi on, reconfigure.

Step 12: Reboot in Recovery and reset SIP (extreme)

System Integrity Protection (SIP) prevents tampering with system files, including some extension state. In rare cases, an extension is so corrupt that SIP-aware tools can’t remove it.

Disabling SIP is not recommended for normal users. If you do it anyway, the sequence is:

  1. Boot into Recovery (Apple Silicon: hold power until startup options. Intel: Cmd+R during boot).
  2. Terminal from Utilities menu.
  3. csrutil disable.
  4. Restart, run uninstall commands, reboot to Recovery.
  5. csrutil enable. Restart.

You almost never need this. The earlier steps fix 99% of cases.

Step 13: Boot in Safe Mode

Safe Mode loads only Apple’s signed extensions; third-party network extensions are skipped. Test:

  • Internet works in Safe Mode? You’ve confirmed an extension is the problem.
  • Extension still loaded after Safe Mode reboot? It hasn’t been uninstalled cleanly.

To remove via Safe Mode:

  1. Boot into Safe Mode.
  2. Run systemextensionsctl list (some extensions still show, but they’re not active).
  3. Try uninstall commands again. Sometimes they succeed when they failed in normal mode.

Step 14: Check for kernel extensions (Intel only)

Intel Macs running older macOS may also have kernel extensions (KEXTs) installed by VPNs. These are deprecated but still present in some installs.

kextstat | grep -v com.apple

Lists non-Apple kernel extensions. Remove with:

sudo kextunload /Library/Extensions/<KEXT-name>.kext
sudo rm -rf /Library/Extensions/<KEXT-name>.kext

Reboot.

This doesn’t apply to Apple Silicon Macs — they run no third-party KEXTs by default.

Step 15: Reinstall macOS

Truly last resort. Recovery → Reinstall macOS without erasing data. Rebuilds system extension storage. Your user data stays.

After reinstall, third-party extensions need to be re-approved by their parent apps if you reinstall those.

Why network extensions get stuck

In my experience, the most common triggers:

  • A VPN app is force-quit while a tunnel is active.
  • The user drags the VPN app to Trash without using its uninstaller.
  • A macOS update interrupts an extension’s lifecycle.
  • The user’s account changes ownership or migrates from Time Machine, leaving extensions tagged with an old user.

The pattern is recognizable: networking is fine most of the time, but specific things — AirPlay discovery, AirDrop, IoT devices, Continuity — fail intermittently. The cause is a leftover network extension intercepting Bonjour multicast or DNS.

The most reliable fix sequence is Steps 4-6: try official uninstall, fall back to systemextensionsctl reset if needed. Combined with cleaning up the launch agents and keychain entries (Steps 9-10), you’ll have a fully cleaned slate.
