Cisco Support Community

ASA, VPN 3000 concentrator, IOS with SSL VPN client (SVC) stops working after MS security update

In response to the SSL inline renegotiation vulnerability, Microsoft has published two security updates. These are installed automatically by Windows Update.

This is explained in more detail in the following security bulletin from Microsoft:

The update disables SSL renegotiation and also adds a TLS Renego extension to the client hello, which causes SSL servers like the VPN 3000 concentrator to fail the SSL handshake.


1) The SSLVPN client (not the AnyConnect client) will fail to connect after the security update.

    It affects connections to the ASA, the Cisco VPN 3000 concentrator, and IOS routers.

    ASA users can upgrade from the SSL VPN client to AnyConnect, and that should resolve this issue.

2) A clientless WebVPN session from a browser will fail to an ASA headend running 8.2.1 to and client certificate authentication is enabled, with the above security updates installed.

3) AnyConnect weblaunch will also fail due to clientless WebVPN failing.


1) Upgrade the client to the AnyConnect client if using an ASA as the headend device. The VPN 3000 concentrator does not support AnyConnect. An IOS headend can be upgraded to 12.4(15)T or later, which supports AnyConnect.

2) Per, you can add this DWORD value to the Windows registry and set it to a non-zero value to enable the SSLVPN client (SVC 1.x) functionality:


DWORD: UseScsvForTls  Value:  non-zero (I used 1)  Effect:  Client sends SCSV for TLS protocol

This just stops the client from using the TLS Renego extension in the SSL hello; it sends the SCSV instead. It is a workaround for the 3000 concentrator, as it does not support the AnyConnect product.

3) For the Cisco SSLVPN client, remove the MS security update above. This should be done at your own risk, and the machine will be vulnerable as per the security bulletin.


1) If clientless sessions and AnyConnect weblaunch do not work when using client-side certificates on 8.2.x versions, upgrade to the latest 8.2.x version. The version should be or later, such as 8.2.2 or 8.2.3. This has the fix for bug CSCtd00697.

2) For the VPN 3000 concentrator and the SSL VPN client, as the product is at end of software maintenance, the only option is to upgrade to a headend that supports AnyConnect, like an ASA or IOS router.
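
To confirm which renegotiation signalling a client actually sends (the TLS Renego extension, or the SCSV after setting UseScsvForTls), you can inspect a captured ClientHello. The following is an added example, not part of the original post or any Cisco or Microsoft tool; the function names are hypothetical, the sample records are constructed, and the two code points are taken from RFC 5746.

```python
import struct

SCSV = 0x00FF        # TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite (RFC 5746)
RENEGO_EXT = 0xFF01  # renegotiation_info extension type (RFC 5746)

def build_client_hello(suites, extensions=()):
    """Build a minimal ClientHello record; used only for constructed samples."""
    body = b"\x03\x01" + bytes(32) + b"\x00"          # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                               # one compression method: null
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def renego_signalling(record: bytes) -> dict:
    """Report whether a ClientHello carries the SCSV and/or the Renego extension."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    try:
        rec_len = struct.unpack("!H", record[3:5])[0]
        body = record[9:5 + rec_len]                  # skip record + handshake headers
        pos = 2 + 32                                  # client_version + random
        pos += 1 + body[pos]                          # session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        suites = struct.unpack("!%dH" % (cs_len // 2), body[pos + 2:pos + 2 + cs_len])
        pos += 2 + cs_len
        pos += 1 + body[pos]                          # compression_methods
        ext_types = []
        if pos + 2 <= len(body):                      # extensions block is optional
            end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= min(end, len(body)):
                etype, elen = struct.unpack("!HH", body[pos:pos + 4])
                ext_types.append(etype)
                pos += 4 + elen
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated or malformed ClientHello") from exc
    return {"scsv": SCSV in suites, "renego_extension": RENEGO_EXT in ext_types}

# Constructed samples: one hello with the extension, one with the SCSV only.
WITH_EXT = build_client_hello([0x002F, 0x0035], [(RENEGO_EXT, b"\x00")])
WITH_SCSV = build_client_hello([0x002F, 0x0035, SCSV])

if __name__ == "__main__":
    for name, rec in (("extension", WITH_EXT), ("scsv", WITH_SCSV)):
        print(name, renego_signalling(rec))
```

A hello that reports `renego_extension: True` is the form the post says the VPN 3000 concentrator rejects; one that reports only `scsv: True` is what the registry workaround is meant to produce.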

New Member

Would this also affect VPN 3000 Series WebVPN client? We are having several users now reporting issues with their SSL VPN since the last MS Update on Tuesday.

New Member

I have confirmed this does also affect the WebVPN SSL Client in the Cisco 3000 Series VPN concentrator.

Cisco Employee

Yes, it will also affect the 3000 concentrator with the Cisco SSL VPN Client.

Unfortunately, as the 3000 concentrator has already reached end of software maintenance, no new fixes will be available at this time.

The only current option is to remove the security update from MS.

Cisco Employee

Please check the new workaround with registry settings - this should be a fair compromise without being vulnerable.

New Member

OK. I'm testing the new workaround now. Thanks for the update.