
Latest Microsoft Feb. 2015 patch breaks AnyConnect SMC

Todd Anderson
Level 1

Hi all,

 

I just wanted to give the community a heads up in regards to the latest February 2015 Microsoft patches. KB3023607 makes some AnyConnect clients give the "Failed to initialize connection subsystem" error. You can fix this here:

http://christierney.com/2015/02/11/cisco-anyconnect-failed-to-initialize-connection-subsystem/

 

Also updated in the article:

This issue was introduced by KB# 3023607: Secure Channel cumulative update changes TLS protocol renegotiation and fallback behavior (https://support.microsoft.com/kb/3023607)

Included with Microsoft Security Bulletin MS15-009 – Critical Security Update for Internet Explorer (3034682)

This issue should also affect Windows 7 users with IE 11, but no reports of failure have been seen yet.

47 Replies

We have a work-around that is quick, for us.

 

We have put our app's exe's in Win 7 compatibility mode. That's it. No reboot/shim/anything else required.

 

Thank you all for your help. Hopefully this helps someone else.

You can also make those same changes with the GUI by right clicking the executable and setting the compatibility level "for all users" to Windows 7.  There are two places on the same tab for setting compatibility, so make sure you set it in the right place.

Your screen shot shows that the tilde and space (~ ) is missing from the beginning of the compatibility level.

Thanks for these suggestions. I experienced the same problems on my Windows 8.1 machine. The compatibility workarounds were ineffective, but uninstalling the KB3023607 update restored normal function of Cisco AnyConnect.

 

Tyson Mock
Level 1

I'm having the same issue... "failed to initialize connection subsystem"

Anyconnect v3.0.05178

I have Win8.1 Pro. I set the vpnui.exe file to run using Windows 7 compatibility and it works again.

 

However, I will add that I also use the legacy Cisco VPN client v5.0.07.0440, which was working fine prior to the update and now fails with "Reason 442: Failed to Enable Virtual Adapter". Not sure if there is a workaround for the legacy VPN client or if this is the final nail in its coffin. Running the legacy VPN client in compatibility mode does not address this new issue.

dannyngo99
Level 1

Thanks Todd for posting this info solution. Hopefully Microsoft will provide us a permanent workaround solution.

Marvin Rhoads
Hall of Fame

Interesting - I have the latest February 2015 patches on a Windows 7 system and my AnyConnect 4.0.00051 VPN module is working fine.

From our analysis, the KB patch from Microsoft should only affect Windows 7 users with IE 11 (which is not there by default). It affects all Windows 8.1 users.

I have Windows 7 with IE 11 and the KB 3023607. Works fine, so it might not affect AnyConnect 4 or some other set of conditions I have?

See screenshot below:

Not sure. We had trouble reproducing this permutation in house but have had a few reports of it.

I'm running into this issue now.  Windows 7 machine, IE 11.  If I'm connected via VPN (version 3.1.04072), IE 11 does not work at all.  It just sits and "spins" on any website I try.  However, I can access any sites through Chrome when using VPN.  If I disconnect from VPN, only then can I access sites via IE 11. 

I know this original post was about Windows 8.  Is there anything being looked at for this issue on Windows 7 with IE 11?

I just upgraded to IE 11 last week.  I had no problem with VPN connection when I had IE 9.

Oleg Volkov
Spotlight

Hello


Dear Sirs!
I found two problems!


The first problem: I get the error "Failed to initialize connection subsystem"

It is resolved by the following steps:

1. Go to folder with AnyConnect client, for 64bit OS, "C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client"
For 32bit OS "C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client"


2. Find the vpnui.exe file, right click -> properties, go to Compatibility tab, and select "Run this program in compatibility mode for: Windows 8"


Also, after updating Windows 8.1, I think it no longer works with ssl encryption rc4-sha1!
When my config contains ssl encryption rc4-sha1,
I get the error:
"Failed to get configuration because AnyConnect cannot confirm it is connected to your secure gateway. Contact your system administrator".


After I change it to: ssl encryption aes128-sha1, AnyConnect client can connect to ASA.

Have a nice day!

 

--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this, is posted on my blog

Peter Davis
Cisco Employee

Microsoft has released a "fixit" to work around the regression in their Windows 8.1 KB3023607 02/10/15 patch. This is accessible by following the instructions at:

https://support.microsoft.com/kb/3023607

Once the fixit is installed, Cisco recommends you reboot (or logoff/logon) your PC as you need to fully restart the AnyConnect service (not just the User Interface), and not all users will have access to do so.

Microsoft's "fixit" covers the standard AnyConnect User Interface. It will not work for customers who are controlling AnyConnect via its API.

Note: The Fixit Microsoft has released is not a fix for the OS regression.

Microsoft has informed us that they will not be pushing out an updated fixit for customers leveraging the API. They recommend compatibility mode for both vpnagent.exe and vpnui.exe as a temporary workaround for these customers.

HKEY_LOCAL_MACHINE
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Valuename : C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe  <--- also do the same for vpnagent.exe
Valuedata : ~ WIN7RTM

Microsoft is planning to release a Windows Update patch on 03/10/15 to correct the underlying issue. Microsoft's dates are subject to change.
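
The registry workaround described above, scripted for both executables with a rollback path. This is an added example, not a script from Cisco, Microsoft or any poster in this thread. It assumes the install folders and the `~ WIN7RTM` value data quoted in the thread; the script name `Set-AnyConnectCompat.ps1` and the `-Remove` switch are hypothetical.

```powershell
# Added example (not Cisco's or Microsoft's script). Run from an elevated prompt.
# Usage: .\Set-AnyConnectCompat.ps1           -> apply the compatibility workaround
#        .\Set-AnyConnectCompat.ps1 -Remove   -> roll it back once the OS fix is in
param([switch]$Remove)

$layersKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
$layer     = '~ WIN7RTM'   # value data from the thread; the leading "~ " is required
$kb        = 'KB3023607'   # update named in the thread

# Install folders named in the thread (64-bit OS first, then 32-bit OS).
$installDirs = @(
    'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client',
    'C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client'
)
$dir = $installDirs | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $dir) { throw 'AnyConnect install folder not found.' }

# Only shim machines that actually carry the update, unless rolling back.
$patched = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
if (-not $patched -and -not $Remove) {
    Write-Output "$kb is not installed; leaving compatibility settings untouched."
    return
}

# Create the Layers key if this machine has never had a compatibility entry.
if (-not (Test-Path -Path $layersKey)) { New-Item -Path $layersKey -Force | Out-Null }

foreach ($exe in 'vpnui.exe', 'vpnagent.exe') {
    $path = Join-Path $dir $exe
    if ($Remove) {
        # Delete the per-executable value so the binary runs natively again.
        Remove-ItemProperty -Path $layersKey -Name $path -ErrorAction SilentlyContinue
        Write-Output "Removed compatibility layer for $path"
    } else {
        # Value name is the full executable path, value data is the layer string.
        New-ItemProperty -Path $layersKey -Name $path -Value $layer `
            -PropertyType String -Force | Out-Null
        Write-Output "Set '$layer' for $path"
    }
}
Write-Output 'Reboot (or log off and on) so the AnyConnect service restarts.'
```

Keeping the `-Remove` path in the same script makes it easier to back the shim out fleet-wide once the corrected Windows update is deployed, so the executables are not left pinned to a compatibility layer indefinitely.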

 

Thanks for the update Peter. Do you by chance know if the patch that is tentatively slated for March will supersede the KB3023607 patch? I believe it was a part of the Rollup for IE and am just wondering how this will play in terms of Windows Updates. Will the IE Cumulative update be revised to include the updated patch (KB3023607) or will MS just release a revised patch for KB3023607? We don't want to be left unpatched after the dust settles on the issue and the new patch is released in whatever form it comes.

Thanks again.

We unfortunately do not have any details from Microsoft on how they will roll out this patch in March (subject to change). You may want to consider opening up a direct trouble ticket with them to see if they will supply you with this information.