CSCux45179 - SSL sessions stop processing -"Unable to create session directory" error

patoberli
VIP Alumni

Just hit the bug CSCux45179 today after I upgraded yesterday to 9.1.7 because of the high critical IPSEC vulnerability. As this is my VPN gateway, this is a bit problematic :(

Since I rebooted the ASA it works again, but I wonder for how long. The last uptime was only ~30 hours.

This here is just as a warning for you. If anybody finds a workaround, I would happily test it out.

34 Replies

David Cebula
Level 1

The bug will prevent any access from AnyConnect and even prevent opening ASDM.

Happened on my ASA 5520 about 4 hours after updating to 9.1.7.

I was able to work around by failing over to the standby server in my HA pair which restored functionality. Then rebooted the one with the problem and failed back and it worked there now too.

Just to add another datapoint; same issue with a 5520 pair after going to 9.1.7 in a 0-downtime upgrade. Forced another failover and it's working on the standby unit now. Guess I'll monitor this bug, thread, and any other resources, and failover and reboot the non-active as needed.

Just now got off the phone with Cisco TAC. The engineer highly recommended downgrading to version 9.0.4.38 from version 9.1.7. Says the IKE v1 & v2 vulnerability does not exist in this version and the DTLS issue that is found in 9.1.1 also does not exist as well. I too am having the WebVPN problem where no matter which profile you select, the page refreshes and the group defaults back. You don't even get a chance to log in.

Hello All, just spoke with my TAC FE, he told me that Cisco is now recommending that I downgrade to version 9.1.6.11, which is an interim fix to get you off of version 9.1.7, that is so buggy. They claim it fixes the IKE vulnerabilities, the SSL and WebVPN issues and in my case the DTLS issue that hindered us for so long until we got our latency problem figured out. I believe someone else posted the same version code as the temporary fix. I am going to downgrade both of my ASA-5520s tomorrow morning, we'll see what happens.

Heartland-

How did the downgrade to 9.1.6(11) go? We also have this issue and got the exact same recommendation from TAC. 

Documentation online, though, has not kept up, as the bug id lists a 9.1(6.111) as being affected, but CSCux45179 is not even listed.

Thank You.

Our ASAs also let no more VPN connections in (sporadic) and ASDM wasn't able to connect to ASAs after we upgraded to v9.1.7 a week ago. The logs showed up some vpnlb errors. To get things running again, several reboots were needed in a timely manner of about every 4-8h.

Last night I applied v9.1.6.11 then. During the last 20h, I've not seen any issues anymore. So let's track it further on....

Regards, Pete

The same issue with ASA5550, when I did the upgrade to 9.1.7, it's a big issue and Cisco should resolve it as soon as possible coz every time I should restart the unworking active one.

Kanes Ramasamy
Level 1

Hi Guys,

Any progress on this bug? Is it fixed?

Thanks and Regards,

Kanes.R

So far it doesn't look like it. Here is the Bug: https://tools.cisco.com/bugsearch/bug/CSCux45179

Hi Patoberli,

Thanks for the information. 

Thanks and Regards,

Kanes.R

David Cebula
Level 1

It's been almost 72 hours since I rebooted to clear the condition and it has not re-occurred. Has it re-occurred for anybody else?

Also if you did experience the bug, I strongly encourage you to open a TAC case and cite the bug id. 

Here not yet, but it happened once on both of my boxes. One I rebooted on Friday and the other on Sunday.

btomlins
Level 1

Having this happen also on ASA pair that is running a Web Portal + Anyconnect.  It's a very busy appliance and have had to reboot twice already this morning.

We had to reboot or trigger a failover of our ASA three times since Saturday morning after upgrading to 9.1.7 on Friday afternoon.

Also there is a problem with the login on the web frontend where the user can download the AnyConnect-Client. When they try to choose their user-group they belong to it rebounds to the default group no matter how many groups we offer. On an ASA with 9.1.6 this problem doesn't show up.

Regards,

C. Ruckelshausen