cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8406
Views
9
Helpful
34
Replies

CSCux45179 - SSL sessions stop processing -"Unable to create session directory" error

patoberli
VIP Advisor VIP Advisor
VIP Advisor

Just hit the bug CSCux45179 today after I upgraded yesterday to 9.1.7 because of the high critical IPSEC vulnerability. As this is my VPN gateway, this is a bit problematic :(

Since I rebooted the ASA it works again, but I wonder for how long. The last uptime was only ~30 hours.

This here is just as a warning for you. If anybody finds a workaround, I would happily test it out.

34 Replies 34

David Cebula
Beginner
Beginner

The bug will prevent any access from AnyConnect and even prevent opening ASDM.

Happened on my ASA 5520 about 4 hours after updating to 9.1.7.

I was able to work around by failing over to the standby server in my HA pair which restored functionality. Then rebooted the one with the problem and failed back and it worked there now too.

Just to add another datapoint; same issue with a 5520 pair after going to 9.1.7 in a 0-downtime upgrade.  Forced another failover and it's working on the standby unit now.  Guess I'll monitor this bug, thread, and any other resources, and failover and reboot the non-active as needed.

Just not got off the phone with Cisco TAC. The engineer highly recommend downgrading to version 9.0.4.38. from version 9.1.7 Says the IKE v1 & v2 vulnerability does not exist in this version and the DTLS issue that is found in 9.1.1 also does not exist  as well. I too am having the WebVPN problem where no matter which profile you select, the page refreshes and the group defaults back. You don't even get a chance to log in. 

Hello All, just spoke with my TAC FE, he told me that Cisco is now recommending that I down grade to version 9.1.6.11 which is an interim fix to get you off of version 9.1.7. that is so buggy. They claim it fixes the IKE vulnerabilities, the SSL and WebVPN issues and in my case the DTLS issue that hindered us for so long until we got our latency problem figured out. I believe someone else posted the same version code as the temporary fix. I am going to downgrade both of my ASA-5520's tomorrow morning, we'll see what happens.   

Heartland-

How did the downgrade to 9.1.6(11) go? We also have this issue and got the exact same recommendation from TAC. 

Documentation online though, has not kept up as the bug id lists a 9.1(6.111) has being affected, but CSCux45179 not even listed.

Thank You.

Our ASAs also let no more VPN connections in (sporadic) and ASDM wasn't able to connect to ASAs after we upgraded to v9.1.7 a week ago. The logs showed up some vpnlb errors.To get things running again, several reboots were needed in a timely manner of about every 4-8h.

Last night I applied  v9.1.6.11 then. During the last 20h, I've not seen any issues anymore. So let 's track it further on....

Regards  Pete 

The same issue with ASA5550, when I did the upgrade to 9.1.7, it's a big issue and Cisco should resolve it as soon as possible coz every time I should restart the unworking active one.

Kanes Ramasamy
Beginner
Beginner

Hi Guys,

Any progress on this bug? Is it fixed?

Thanks and Regards,

Kanes.R

So far it doesn't look like it. Here is the Bug: https://tools.cisco.com/bugsearch/bug/CSCux45179

Hi Patoberli,

Thanks for the information. 

Thanks and Regards,

Kanes.R

David Cebula
Beginner
Beginner

It's been almost 72 hours since I rebooted to clear the condition and it has not re-occurred. Has it re-occurred for anybody else?

Also if you did experience the bug, I strongly encourage you to open a TAC case and cite the bug id. 

Here not yet, but it happened once on both of my boxes. One I rebooted on Friday and the other on Sunday.

btomlins
Beginner
Beginner

Having this happen also on ASA pair that is running a Web Portal + Anyconnect.  It's a very busy appliance and have had to reboot twice already this morning.

We had to reboot or trigger a failover our ASA three times since Saturday morning after upgrading to 9.1.7 on Friday afternoon.

Also there is a problem with the login on the web frontend where the user can download the AnyConnect-Client. When they try to choose their user-group they belong to it rebounds to the default group no matter how many groups we offer. On an ASA with 9.1.6 this problem doesn't show up.

Regards,

C. Ruckelshausen
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: