
CSCux45179 - SSL sessions stop processing - "Unable to create session directory" error

patoberli
VIP Alumni

Just hit the bug CSCux45179 today after I upgraded yesterday to 9.1.7 because of the high critical IPSEC vulnerability. As this is my VPN gateway, this is a bit problematic :(

Since I rebooted the ASA it works again, but I wonder for how long. The last uptime was only ~30 hours.

This here is just as a warning for you. If anybody finds a workaround, I would happily test it out.

34 Replies

jbredenbeek
Level 1

On our system it occurred just 20 minutes after upgrading to 9.1.7. We've gone back to 9.1.6, realizing that this version is vulnerable. But 9.1.7 as it is now is unusable.

David Cebula
Level 1

I just checked on my TAC case. My engineer says an interim version 9.1.7(2) is planned for release on Thursday that will resolve the issue. 

Ugh. I am now seeing this same issue on an ASA pair I upgraded last night. Looks like a roll back is in order until another interim is released.

Thanks for the info David.

To which release did you upgrade? I assume 9.1.7?

Yes - 9.1(7) exhibited the issue. We got both the "Unable to create session directory" as well as inability to launch ASDM.

I rolled back to 9.1(6)10 and the problem went away.

cebuladavid  

I see the SA was updated yesterday and 9.1(6)11 has been made available.

http://www.cisco.com/web/software/280775065/123352/ASA-916-Interim-Release-Notes.html

9.1(7) remains on the download site and should be deferred in my opinion.

Interims 9.1.6(11) and 9.1.7(2) are both available now.

Marcus Hunold
Level 1

My device is an ASA5540 and hit the bug as well with version 9.1.7. Unfortunately, I got notice of this official bug ID hours later, after I had invested time in searching for the failure...

I have ASA Version 8.4(7)30 running now and it works.

From the release notes the IKE vulnerability should be solved there as well.

For me it is absurd that Cisco knows about this bug (CSCux45179) and provides this version for download!

Christian Jorge
Level 1

Yesterday Cisco released a new Interim version for 9.1.6, patching only the referred IKE bug.

Has anyone tested it or faced the same SSL/ASDM issues? Any complaints?

Regards

Christian

I have 9.1(6)11 running on a test box and am able to connect with the AnyConnect client and open ASDM. I do not have clientless VPN fully enabled; however, a clientless connection attempt does open the login portal and it attempts to open a connection.

rynocmu79
Level 1

We also had the same issue this morning, upgraded to 9.1.7 about 2 days ago and walked into a ton of calls hitting our Help Desk this morning with users unable to connect.  We are running ASA 5520s.

We came from 9.1.6.10 which we were running for about 3 months without any issues.  9.1.6.11 also includes the IKE fixes so we are downgrading to that version in hopes that it is more stable.

Come on Cisco QA!!!!!!!!

Bug page says 9.1.7.2 is the Fixed Release but TAC says 9.1.7.2 will not be published until June.

Only fix is to downgrade to 9.6.111. Workaround is to reboot firewall every time AnyConnect stops working.

I have word from Cisco that 9.1(7.2) is undergoing QA testing now and will be released as soon as that clears.

Official word from TAC on 9.1.7.2:

The 9.1.7.2 version is scheduled for around June, but it is possible that it will be released before then. Developers have been working on this version since the IKE vulnerability fixed version was released.

9.1.7 Beta 4 has been released (9.1(7)_4 to be exact) :)

Release notes http://www.cisco.com/web/software/280775065/131523/ASA-917-Interim-Release-Notes.html

It has a patch for this SSL issue plus three others.