cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6398
Views
9
Helpful
34
Replies
patoberli
VIP Advisor

CSCux45179 - SSL sessions stop processing -"Unable to create session directory" error

Just hit the bug CSCux45179 today after I upgraded yesterday to 9.1.7 because of the high critical IPSEC vulnerability. As this is my VPN gateway, this is a bit problematic :(

Since I rebooted the ASA it works again, but I wonder for how long. The last uptime was only ~30 hours.

This here is just as a warning for you. If anybody finds a workaround, I would happily test it out.

34 REPLIES 34
jbredenbeek
Beginner

On our system it occurred just 20 minutes after upgrading to 9.1.7. We've gone back to 9.1.6, realizing that this version is vulnerable. But 9.1.7 as it is now is unusable.

David Cebula
Beginner

I just checked on my TAC case. My engineer says an interim version 9.1.7(2) is planned for release on Thursday that will resolve the issue. 

Ugh. I am now seeing this same issue on an ASA pair I upgraded last night. Looks like a roll back is in order until another interim is released.

Thanks for the info David.

To which release did you upgrade? I assume 9.1.7?

Yes - 9.1(7) exhibited the issue. We got both the "Unable to create session directory" as well as inability to launch ASDM.

I rolled back to 9.1(6)10 and the problem went away.

cebuladavid  

I see the SA was updated yesterday and 9.1(6)11 has been made available.

http://www.cisco.com/web/software/280775065/123352/ASA-916-Interim-Release-Notes.html

9.1(7) remains on the download site and should be deferred in my opinion.

Interim's 9.1.6(11) and 9.1.7(2) are both available now.

Marcus Hunold
Beginner

My device is an ASA5540 and hit the bug as well with the Version 9.1.7. Unfortunately got notice of this official bug ID hours later after I invested into failure search...

I have ASA Version 8.4(7)30 running now and it works.

From the release notes the IKE vulnerability should be solved there as well.

For me it is absurd that cisco knows this bug (CSCux45179) and provides this version to download!

christian_jorge
Beginner

Yesterday Cisco released a new Interim version for 9.1.6, patching only the referred IKE bug.

Anyone has tested or faced same SSL/ASDM issues?...Any complain?

Regards

Christian

I have 9.1(6)11 running on a test box and am able to connect with Anyconnect client and open ASDM. I do not have clientless vpn fully enabled; however, a clientless connection attempt does open the login portal and it attempts to open a connection.

rynocmu79
Beginner

We also had the same issue this morning, upgraded to 9.1.7 about 2 days ago and walked into a ton of calls hitting our Help Desk this morning with users unable to connect.  We are running ASA 5520s.

We came from 9.1.6.10 which we were running for about 3 months without any issues.  9.1.6.11 also includes the IKE fixes so we are downgrading to that version in hopes that it is more stable.

Come on Cisco QA!!!!!!!!

Bug page says 9.1.7.2 is the Fixed Release but TAC says 9.1.7.2 will not be published until June.

Only fix is to downgrade to 9.6.111. Workaround is to reboot firewall every time AnyConnect stops working.

I have word from Cisco that 9.1(7.2) is undergoing QA testing now and will be released as soon as that clears.

Official word from TAC on 9.1.7.2:

The 9.1.7.2 version is scheduled for around June, but it is possible to be release before. Developers have been working on this version since the IKE vulnerability fixed version was release.

 

9.1.7 Beta 4 has been released (9.1(7)_4 to be exact) :)

Release notes http://www.cisco.com/web/software/280775065/131523/ASA-917-Interim-Release-Notes.html

It has a patch for this SSL issue plus three others.