I just wanted to give the community a heads up in regards to the latest February 2015 Microsoft patches.KB3023607 makes some AnyConnect clients give the "Failed to initialize connection subsystem" error. You can fix this here:
Also updated in the article:
This issue was introduced by KB# 3023607: Secure Channel cumulative update changes TLS protocol renegotiation and fallback behavior (https://support.microsoft.com/kb/3023607)
Included with Microsoft Security Bulletin MS15-009 – Critical Security Update for Internet Explorer (3034682)
This issue should also affect Windows 7 user with IE 11, but no reports of failure have been seen yet.”
FYI: on my Windows 8.1 system the christierney.com procedure was not sufficient to workaround the problem. I had to repeat the compatibility troubleshooter against "vpnagent.exe" before I could get VPN connections via my AnyConnect client.
("vpnagent.exe" is the local service that supports the client user interface.)
So, is there any info on which AnyConnect clients can work with KB3023607?
And if this is a bigger issue, does anyone know if Microsoft are working on a fix?
Thanks. Just wondering what to do about all my staff on Windows 8.1 who use AnyConnect.
Cisco Tracking ID: CSCus89729
Cisco opened a priority 1 case with Microsoft yesterday as soon as we found out about this issue. We are continuing to escalate this issue with Microsoft for a resolution timeframe. We recommend that all customers open their own cases with Microsoft since the ultimate fix will need to come from them. You can feel free to reference Cisco's case # which is 115021112390273 in order to expedite having your ticket properly triaged by their support team.
There are two potential workarounds until Microsoft provides a fix
1. Windows 8 compatibility mode for the app
2.Customers can uninstall the KB3023607 update from Microsoft. However, this will also remove any other security fixes provided by Microsoft as part of the update. This can be removed under:
Control Panel / Programs / Programs and Features, click "View installed updates” on the left and locate and uninstall the update labeled with KB3023607. This update is not visible when you try to locate it through the Windows Update application’s history, but it is accessible via Control Panel.
This is a defect in the Microsoft 02/10/15 patch and not a bug in the AnyConnect software. Microsoft is aware of this and is working on a fix. There are two possible workarounds until a fix is available, the first is to use Windows 8 compatibility mode for the app, the other is to uninstall this specific KB article (you would also lose other security fixes associated with it, so proceed with caution on this option).
Does Cisco have official response on this issue yet? Also, it would be great to know which version of ASA OS affected users are running (not all versions and interim releases have all necessary SSL security fixes). Also, not every sub release of AnyConnect client is the same. We are not experiencing any issues with AnyConnect 4.0.00051and AnyConnect 3.1.05060 currently installed in environment with this patch installed. All the PCs are mix of Windows 8.1 Pro and/or Windows 7 with IE11 (of course). Our OS is 188.8.131.52, latest Interim release, and we have everything except TLSv1.0 disabled (no SSLv3.0 allowed). Configuration of AnyConnect policies can also play a role here (SSL vs DTLS vs IKEv2). This issue is making the rounds over the Internet as a significant problem and is being brought up by my management - basically creating somewhat a concern. Clarification is necessary.
The issue is not the ASA or AnyConnect, it is a defect in Microsoft's February 2015 (02/10/15) security patch which affects all AnyConnect users on Windows 8.1 and a subset (unclear what subset yet) of users on Windows 7 with IE11. This has nothing to do with TLS versions which are enabled or disabled. Microsoft is aware of the defect that they introduced and are actively working on a fix.
Our public statement on the topic and a couple of workarounds can be found in the Cisco bug search tool (link below) for authorized Cisco.com users or you can view an abbreviated statement on our social media Facebook page at www.facebook.com/anyconnect
This article clearly only applies to Windows 8.1. On Windows 7 update 3023607 gets installed with update 3021952, and not with 3034682 (as referenced in the article). Also on my Windows 8.1 PCs KB3203607 shows as a separate updated, and not part of anything. The more I look at it, the more it looks like a corrupt update install behavior and not really a problem with update. All my updates, be that Windows 7 or Windows 8.1 are listed installed exactly in a manner described in MS article for MS15-009. Perhaps users affected got early versions of MS15-009 updates, while the rest of us got normal versions on 02/11. Cisco really needs to do better job on troubleshooting and documenting the issues.
We are very sorry you are not pleased with our analysis. We worked very hard to be responsive to customers in evaluating and reporting on the situation as soon as we learned about it.
We can confirm (since we are working directly with Microsoft on this issue) that it is due to a bug in the Windows 8.1 patch KB3012982 (which gets wrapped under KB3203607) and not a corrupt update install. This patch was wrapped in with the MS15-009 update for Windows 8.1 users.
As far as the few reports we have had with issues on Windows 7 w/ IE11, we have removed any reference to this pending further investigation since Microsoft does not believe that their update should affect W7 users.
Peter, It's been three days now since we had an update. Is there any update on this? With the bad weather the East Coast USA is experiencing, I have a heap of my remote staff now not able to remotely connect to work from home, and it's causing headaches.
There's some reports that 4.x verisons of AnyConnect Mobility may not be affected, but I can't roll that out on a whim.
MS is still working on putting out a patch but they have not given us any timeframe as to when this will go out. Since the fix will need to be released by Microsoft, my recommendation is to open up a direct case with them on this issue. While not perfect, we did publish a couple of workarounds for this topic.
We have an active case open with Microsoft and they have stated they intend to resolve this issue in the March security updates.
In the meantime, they have released a 'FixIt' which is available at https://support2.microsoft.com/kb/3023607.
Windows 8 computers unable to connect after KB3023607 installed. I tried Microsoft's Fix It 51033 however that does not resolve the issue. VPN Client says "Lost connection to VPN service. Reattaching...." We authenticate using AD + certificate, could the certificate be causing an issue as well? If I uninstall KB3023607 I am able to connect.
You did reboot after the installation? That is stated on the download page (at least a logout/login).
Here it works fine with the Fixit, but we use username/password without certificate.
Tried rebooting and two different computers, did not work with Fix It. Tested with AnyConnect version 3.1.05187 and also tried upgrading 3.1.06079.
This is the first report we have had that Microsoft's fixit did not work for someone as a workaround. Please try to re-install KB3023607 and the fixit, restart your machine and if it does not work, please send us a Diagnostics Report (DART) from AnyConnect to email@example.com. What version of AnyConnect are you using? Perhaps it is an old version and you should be updating.
We are having the exact same issue. Hundreds of our customers are down. Tried the Microsoft Fix-It, terrible results. We have only had 3 successes with that. We are still uninstalling and hiding the update. Working our way through them but this is ridiculous.
I have a clean 8.1 vm and can re-create the Fix-It not working. Also have 8.1 on my home computer and can re-create it there too. I would LOVE to help if we can get something for our customers.
Sorry to hear that. Please make sure you are using current AnyConnect releases of 3.1.x or 4.0.x to make sure you are not hitting an old bug. Once doing that, if you are still hitting failures, please open a case with Microsoft for further troubleshooting.
Please send us a DART (Diagnostics report). You can reach us at firstname.lastname@example.org. In parallel, please open up a case with Microsoft if the fixit is not working for you. Microsoft has told us that the fixit is a workaround, it is not a fix for the OS regression, which are they planning to fix in their March Update (subject to change).
I just sent you a Dart bundle. Had some of my guys test the newest AC and the Newest fix on a couple of our end-users also. Just to make sure. That's why it took me so long to respond. No luck.
No problem. Please confirm you see Microsoft's "fixit" installed under Control Panel and that you have logged out/in or rebooted after installing it. We are examining your logs now.
In Dan's case, the Microsoft "fixit" does not cover the API usage, only the normal User Interface for AnyConnect. We have escalated this issue back to Microsoft to inform them of this gap. Unfortunately the "fixit" is a workaround a not a full fix for the OS regression, which Microsoft is planning for their March patch cycle (Microsoft's dates are subject to change).
We will also document this limitation with their fixit in our release notes.
Microsoft has informed us that they will not be pushing out an updated fixit for customers leveraging the API. They recommend compatibility mode for both vpnagent.exe and vpnui.exe as a temporary workaround for these customers.
Valuename : C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe <--- also do the same for vpnagent.exe
Valuedata : ~ WIN7RTM
We were able to solve the issue (thus far) using the Microsoft FixIt and by adding the following registry entries: Neither the FixIt nor the registry entries alone solved the issue. These entries set the two programs to Windows 7 compatibility mode for all users.
Valuename : C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe
Valuedata : ~ WIN7RTM
Valuename : C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
Valuedata : ~ WIN7RTM