I just wanted to give the community a heads up in regards to the latest February 2015 Microsoft patches.KB3023607 makes some AnyConnect clients give the "Failed to initialize connection subsystem" error. You can fix this here:
Also updated in the article:
This issue was introduced by KB# 3023607: Secure Channel cumulative update changes TLS protocol renegotiation and fallback behavior (https://support.microsoft.com/kb/3023607)
Included with Microsoft Security Bulletin MS15-009 – Critical Security Update for Internet Explorer (3034682)
This issue should also affect Windows 7 user with IE 11, but no reports of failure have been seen yet.”
FYI: on my Windows 8.1 system the christierney.com procedure was not sufficient to workaround the problem. I had to repeat the compatibility troubleshooter against "vpnagent.exe" before I could get VPN connections via my AnyConnect client.
("vpnagent.exe" is the local service that supports the client user interface.)
So, is there any info on which AnyConnect clients can work with KB3023607?
And if this is a bigger issue, does anyone know if Microsoft are working on a fix?
Thanks. Just wondering what to do about all my staff on Windows 8.1 who use AnyConnect.
Cisco Tracking ID: CSCus89729
Cisco opened a priority 1 case with Microsoft yesterday as soon as we found out about this issue. We are continuing to escalate this issue with Microsoft for a resolution timeframe. We recommend that all customers open their own cases with Microsoft since the ultimate fix will need to come from them. You can feel free to reference Cisco's case # which is 115021112390273 in order to expedite having your ticket properly triaged by their support team.
There are two potential workarounds until Microsoft provides a fix
1. Windows 8 compatibility mode for the app
2.Customers can uninstall the KB3023607 update from Microsoft. However, this will also remove any other security fixes provided by Microsoft as part of the update. This can be removed under:
Control Panel / Programs / Programs and Features, click "View installed updates” on the left and locate and uninstall the update labeled with KB3023607. This update is not visible when you try to locate it through the Windows Update application’s history, but it is accessible via Control Panel.
This is a defect in the Microsoft 02/10/15 patch and not a bug in the AnyConnect software. Microsoft is aware of this and is working on a fix. There are two possible workarounds until a fix is available, the first is to use Windows 8 compatibility mode for the app, the other is to uninstall this specific KB article (you would also lose other security fixes associated with it, so proceed with caution on this option).
Does Cisco have official response on this issue yet? Also, it would be great to know which version of ASA OS affected users are running (not all versions and interim releases have all necessary SSL security fixes). Also, not every sub release of AnyConnect client is the same. We are not experiencing any issues with AnyConnect 4.0.00051and AnyConnect 3.1.05060 currently installed in environment with this patch installed. All the PCs are mix of Windows 8.1 Pro and/or Windows 7 with IE11 (of course). Our OS is 184.108.40.206, latest Interim release, and we have everything except TLSv1.0 disabled (no SSLv3.0 allowed). Configuration of AnyConnect policies can also play a role here (SSL vs DTLS vs IKEv2). This issue is making the rounds over the Internet as a significant problem and is being brought up by my management - basically creating somewhat a concern. Clarification is necessary.
The issue is not the ASA or AnyConnect, it is a defect in Microsoft's February 2015 (02/10/15) security patch which affects all AnyConnect users on Windows 8.1 and a subset (unclear what subset yet) of users on Windows 7 with IE11. This has nothing to do with TLS versions which are enabled or disabled. Microsoft is aware of the defect that they introduced and are actively working on a fix.
Our public statement on the topic and a couple of workarounds can be found in the Cisco bug search tool (link below) for authorized Cisco.com users or you can view an abbreviated statement on our social media Facebook page at www.facebook.com/anyconnect
This article clearly only applies to Windows 8.1. On Windows 7 update 3023607 gets installed with update 3021952, and not with 3034682 (as referenced in the article). Also on my Windows 8.1 PCs KB3203607 shows as a separate updated, and not part of anything. The more I look at it, the more it looks like a corrupt update install behavior and not really a problem with update. All my updates, be that Windows 7 or Windows 8.1 are listed installed exactly in a manner described in MS article for MS15-009. Perhaps users affected got early versions of MS15-009 updates, while the rest of us got normal versions on 02/11. Cisco really needs to do better job on troubleshooting and documenting the issues.
We are very sorry you are not pleased with our analysis. We worked very hard to be responsive to customers in evaluating and reporting on the situation as soon as we learned about it.
We can confirm (since we are working directly with Microsoft on this issue) that it is due to a bug in the Windows 8.1 patch KB3012982 (which gets wrapped under KB3203607) and not a corrupt update install. This patch was wrapped in with the MS15-009 update for Windows 8.1 users.
As far as the few reports we have had with issues on Windows 7 w/ IE11, we have removed any reference to this pending further investigation since Microsoft does not believe that their update should affect W7 users.
Peter, It's been three days now since we had an update. Is there any update on this? With the bad weather the East Coast USA is experiencing, I have a heap of my remote staff now not able to remotely connect to work from home, and it's causing headaches.
There's some reports that 4.x verisons of AnyConnect Mobility may not be affected, but I can't roll that out on a whim.
MS is still working on putting out a patch but they have not given us any timeframe as to when this will go out. Since the fix will need to be released by Microsoft, my recommendation is to open up a direct case with them on this issue. While not perfect, we did publish a couple of workarounds for this topic.
We have an active case open with Microsoft and they have stated they intend to resolve this issue in the March security updates.
In the meantime, they have released a 'FixIt' which is available at https://support2.microsoft.com/kb/3023607.
Windows 8 computers unable to connect after KB3023607 installed. I tried Microsoft's Fix It 51033 however that does not resolve the issue. VPN Client says "Lost connection to VPN service. Reattaching...." We authenticate using AD + certificate, could the certificate be causing an issue as well? If I uninstall KB3023607 I am able to connect.