Just hit the bug CSCux45179 today after I upgraded yesterday to 9.1.7 because of the high critical IPSEC vulnerability. As this is my VPN gateway, this is a bit problematic :(
Since I rebooted the ASA it works again, but I wonder for how long. The last uptime was only ~30 hours.
This here is just as a warning for you. If anybody finds a workaround, I would happily test it out.
On our system it occurred just 20 minutes after upgrading to 9.1.7. We've gone back to 9.1.6, realizing that this version is vulnerable. But 9.1.7 as it is now is unusable.
Ugh. I am now seeing this same issue on an ASA pair I upgraded last night. Looks like a roll back is in order until another interim is released.
Thanks for the info, David.
Yes - 9.1(7) exhibited the issue. We got both the "Unable to create session directory" as well as inability to launch ASDM.
I rolled back to 9.1(6)10 and the problem went away.
I see the SA was updated yesterday and 9.1(6)11 has been made available.
9.1(7) remains on the download site and should be deferred in my opinion.
My device is an ASA5540 and hit the bug as well with version 9.1.7. Unfortunately, I got notice of this official bug ID hours later, after I had invested time in searching for the failure...
I have ASA Version 8.4(7)30 running now and it works.
From the release notes the IKE vulnerability should be solved there as well.
For me it is absurd that Cisco knows this bug (CSCux45179) and provides this version for download!
Yesterday Cisco released a new Interim version for 9.1.6, patching only the referred IKE bug.
Has anyone tested it or faced the same SSL/ASDM issues? Any complaints?
I have 9.1(6)11 running on a test box and am able to connect with the AnyConnect client and open ASDM. I do not have clientless VPN fully enabled; however, a clientless connection attempt does open the login portal and it attempts to open a connection.
We also had the same issue this morning, upgraded to 9.1.7 about 2 days ago and walked into a ton of calls hitting our Help Desk this morning with users unable to connect. We are running ASA 5520s.
We came from 220.127.116.11 which we were running for about 3 months without any issues. 18.104.22.168 also includes the IKE fixes so we are downgrading to that version in hopes that it is more stable.
Come on Cisco QA!!!!!!!!
Bug page says 22.214.171.124 is the Fixed Release but TAC says 126.96.36.199 will not be published until June.
Only fix is to downgrade to 9.6.111. Workaround is to reboot firewall every time AnyConnect stops working.
Official word from TAC on 188.8.131.52:
The 184.108.40.206 version is scheduled for around June, but it is possible for it to be released before. Developers have been working on this version since the IKE vulnerability fixed version was released.
9.1.7 Beta 4 has been released (9.1(7)_4 to be exact) :)
Release notes http://www.cisco.com/web/software/280775065/131523/ASA-917-Interim-Release-Notes.html
It has a patch for this SSL issue plus three others.