ASDM & AnyConnect not working after 9.1.7 upgrade

Michael Mangone
Level 1

Hello,

We have an ASA 5510 that was running stable on 9.1(5)21 with ASDM 7.3.2. After upgrading to 9.1.7 and ASDM 7.5.2-153 per CVE-2016-1287 from Cisco we are seeing issues with users being able to connect using AnyConnect or the SSL WebVPN and we are unable to launch ASDM. The errors in AnyConnect state "No valid certificates available for authentication" and the ASDM Java console shows "Unexpected end of file from server." We do not have certificates configured for use for authentication and all our certificates installed on the ASA are valid (read - not expired). I have contacted Cisco TAC regarding this issue, but I was wondering if anyone had run across this in the past few days since the notice was released.

Please let me know what additional information you may need.

Thanks in advance.

2 Accepted Solutions

Shivapramod M
Level 1

Hi,

From the looks of it you are hitting the bug

https://tools.cisco.com/bugsearch/bug/CSCux45179/?reffering_site=dumpcr

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts

Marvin Rhoads
Hall of Fame

There's a thread covering this:

https://supportforums.cisco.com/discussion/12912621/cscux45179-ssl-sessions-stop-processing-unable-create-session-directory-error

Bottom line - Cisco updated the SA on 16 February and is now advising 9.1(6)11 as the patched version for legacy 5500 series.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

6 Replies

Shivapramod,

Thank you for your reply.  I looked over that bug and then was contacted by Cisco TAC.  Cisco confirmed they are advising 9.1(6)11 as the patched version and they are releasing 9.1(7)2 tomorrow (02/18/2016).  Both 9.1(6)11 and 9.1(7)2 will not have bug CSCus45179 or the IPSec vulnerability.

Thanks for your help.

The information I have is that 9.1.7.2 will not be released until Thursday, 2/2216.

James,

I would have to agree with you since I still do not see 9.1(7)2 on the Cisco website.  However, I was told by Cisco TAC that it should have been available yesterday.

That said, I'm no longer in a huge rush to get the update since the bug CSCux45179 and the IPSec vulnerability are not found in 9.1(6)11.

Thanks.

Marvin,

Thank you for your reply.  I looked over that thread and then was contacted by Cisco TAC.  Cisco confirmed they are advising 9.1(6)11 as the patched version and they are releasing 9.1(7)2 tomorrow (02/18/2016).  Both 9.1(6)11 and 9.1(7)2 will not have bug CSCus45179 or the IPSec vulnerability.

Thanks for your help.
