Just hit the bug CSCux45179 today after I upgraded yesterday to 9.1.7 because of the high critical IPSEC vulnerability. As this is my VPN gateway, this is a bit problematic :(
Since I rebooted the ASA it works again, but I wonder for how long. The last uptime was only ~30 hours.
This here is just as a warning for you. If anybody finds a workaround, I would happily test it out.
The bug will prevent any access from AnyConnect and even prevent opening ASDM.
Happened on my ASA 5520 about 4 hours after updating to 9.1.7.
I was able to work around by failing over to the standby server in my HA pair which restored functionality. Then rebooted the one with the problem and failed back and it worked there now too.
Just now got off the phone with Cisco TAC. The engineer highly recommended downgrading to version 188.8.131.52 from version 9.1.7. Says the IKE v1 & v2 vulnerability does not exist in this version and the DTLS issue that is found in 9.1.1 also does not exist. I too am having the WebVPN problem where no matter which profile you select, the page refreshes and the group defaults back. You don't even get a chance to log in.
Hello All, just spoke with my TAC FE, he told me that Cisco is now recommending that I downgrade to version 184.108.40.206, which is an interim fix to get you off of version 9.1.7 that is so buggy. They claim it fixes the IKE vulnerabilities, the SSL and WebVPN issues and in my case the DTLS issue that hindered us for so long until we got our latency problem figured out. I believe someone else posted the same version code as the temporary fix. I am going to downgrade both of my ASA-5520s tomorrow morning, we'll see what happens.
Our ASAs also let no more VPN connections in (sporadic) and ASDM wasn't able to connect to ASAs after we upgraded to v9.1.7 a week ago. The logs showed some vpnlb errors. To get things running again, several reboots were needed in a timely manner of about every 4-8h.
Last night I applied v220.127.116.11 then. During the last 20h, I've not seen any issues anymore. So let's track it further on...
We had to reboot or trigger a failover of our ASA three times since Saturday morning after upgrading to 9.1.7 on Friday afternoon.
Also there is a problem with the login on the web frontend where the user can download the AnyConnect client. When they try to choose the user group they belong to, it rebounds to the default group no matter how many groups we offer. On an ASA with 9.1.6 this problem doesn't show up.