topic Hi, in Network Security

ASDM & AnyConnect not working after 9.1.7 upgrade

Michael Mangone — Tue, 12 Mar 2019 07:19:09 GMT

Hello,

We have an ASA 5510 that was running stable on 9.1(5)21 with ASDM 7.3.2. After upgrading to 9.1.7 and ASDM 7.5.2-153 per CVE-2016-1287 from Cisco we are seeing issues with users being able to connect using AnyConnect or the SSL WebVPN and we are unable to launch ASDM. The errors in AnyConnect state "No valid certificates available for authentication" and the ASDM java console shows "Unexpected end of file from server." We do not have certificates configured for use for authentication and all our certificates installed on the ASA are valid (read - not expired). I have contacted Cisco TAC regarding this issue, but I was wondering if anyone had ran across this in the past few days since the notice was released.

Please let me know what additional information you may need.

Thanks in advance.

Hi,

Shivapramod M — Wed, 17 Feb 2016 09:04:27 GMT

Hi,

From the looks of it you are hitting the bug

https://tools.cisco.com/bugsearch/bug/CSCux45179/?reffering_site=dumpcr

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts

There's a thread covering

Marvin Rhoads — Wed, 17 Feb 2016 14:27:00 GMT

There's a thread covering this:

https://supportforums.cisco.com/discussion/12912621/cscux45179-ssl-sessions-stop-processing-unable-create-session-directory-error

Bottom line - Cisco updated the SA on 16 February and is now advising 9.1(6)11 as the patched version for legacy 5500 series.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

Marvin,

Michael Mangone — Wed, 17 Feb 2016 18:19:26 GMT

Marvin,

Thank you for your reply. I looked over that thread and then was contacted by Cisco TAC. Cisco confirmed they are advising 9.1(6)11 as the patched version and they are releasing 9.1(7)2 tomorrow (02/18/2016). Both 9.1(6)11 and 9.1(7)2 will not have bug CSCus45179 or the IPSec vulnerability.

Thanks for your help.

Shivapramod,

Michael Mangone — Wed, 17 Feb 2016 19:25:20 GMT

Shivapramod,

Thank you for your reply. I looked over that bug and then was contacted by Cisco TAC. Cisco confirmed they are advising 9.1(6)11 as the patched version and they are releasing 9.1(7)2 tomorrow (02/18/2016). Both 9.1(6)11 and 9.1(7)2 will not have bug CSCus45179 or the IPSec vulnerability.

Thanks for your help.

The information I have is

James Strong — Fri, 19 Feb 2016 16:41:28 GMT

The information I have is that 9.1.7.2 will not be released until Thursday, 2/2216.

James,

Michael Mangone — Fri, 19 Feb 2016 22:44:35 GMT

James,

I would have to agree with you since I still do not see 9.1(7)2 on the Cisco website. However, I was told by Cisco TAC that it should have been available yesterday.

That said, I'm no longer in a huge rush to get the update since the bug CSCux45179 and the IPSec vulnerability are not found in 9.1(6)11.

Thanks.