Latest Microsoft Feb. 2015 patch breaks AnyConnect SMC

Todd Anderson
Level 1

Hi all,

 

I just wanted to give the community a heads up in regards to the latest February 2015 Microsoft patches. KB3023607 makes some AnyConnect clients give the "Failed to initialize connection subsystem" error. You can fix this here:

http://christierney.com/2015/02/11/cisco-anyconnect-failed-to-initialize-connection-subsystem/

 

Also updated in the article:

This issue was introduced by KB# 3023607: Secure Channel cumulative update changes TLS protocol renegotiation and fallback behavior (https://support.microsoft.com/kb/3023607)

Included with Microsoft Security Bulletin MS15-009 – Critical Security Update for Internet Explorer (3034682)

This issue should also affect Windows 7 users with IE 11, but no reports of failure have been seen yet.

47 Replies

You did reboot after the installation? That is stated on the download page (at least a logout/login).

Here it works fine with the Fixit, but we use username/password without certificate.

Tried rebooting and two different computers, did not work with Fix It. Tested with AnyConnect version 3.1.05187 and also tried upgrading to 3.1.06079.

Did you ever resolve your issues with this? We did by putting our exe's in Win7 compat mode. Simple and quick.


This is the first report we have had that Microsoft's fixit did not work for someone as a workaround.  Please try to re-install KB3023607 and the fixit, restart your machine and if it does not work, please send us a Diagnostics Report (DART) from AnyConnect to ac-mobile-feedback@cisco.com. What version of AnyConnect are you using? Perhaps it is an old version and you should be updating.

We are having the exact same issue. Hundreds of our customers are down. Tried the Microsoft Fix-It, terrible results. We have only had 3 successes with that. We are still uninstalling and hiding the update. Working our way through them but this is ridiculous.

 

I have a clean 8.1 vm and can re-create the Fix-It not working. Also have 8.1 on my home computer and can re-create it there too. I would LOVE to help if we can get something for our customers.

Sorry to hear that. Please make sure you are using current AnyConnect releases of 3.1.x or 4.0.x to make sure you are not hitting an old bug.  Once doing that, if you are still hitting failures, please open a case with Microsoft for further troubleshooting.

Thank you,

 

We have tried every version of AnyConnect we have including the 3.1.06079.

 

We are opening a ticket with Microsoft.

Please send us a DART (Diagnostics report). You can reach us at ac-mobile-feedback@cisco.com. In parallel, please open up a case with Microsoft if the fixit is not working for you. Microsoft has told us that the fixit is a workaround, it is not a fix for the OS regression, which they are planning to fix in their March Update (subject to change).

Peter,

 

I just sent you a Dart bundle. Had some of my guys test the newest AC and the Newest fix on a couple of our end-users also. Just to make sure. That's why it took me so long to respond. No luck.

No problem. Please confirm you see Microsoft's "fixit" installed under Control Panel and that you have logged out/in or rebooted after installing it.  We are examining your logs now.

In Dan's case, the Microsoft "fixit" does not cover the API usage, only the normal User Interface for AnyConnect. We have escalated this issue back to Microsoft to inform them of this gap. Unfortunately the "fixit" is a workaround and not a full fix for the OS regression, which Microsoft is planning for their March patch cycle (Microsoft's dates are subject to change).

 

We will also document this limitation with their fixit in our release notes.

 

Microsoft has informed us that they will not be pushing out an updated fixit for customers leveraging the API. They recommend compatibility mode for both vpnagent.exe and vpnui.exe as a temporary workaround for these customers.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Valuename : C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe  <--- also do the same for vpnagent.exe
Valuedata : ~ WIN7RTM

We were able to solve the issue (thus far) using the Microsoft FixIt and by adding the following registry entries. Neither the FixIt nor the registry entries alone solved the issue. These entries set the two programs to Windows 7 compatibility mode for all users.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Valuename : C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe
Valuedata : ~ WIN7RTM

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Valuename : C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
Valuedata : ~ WIN7RTM
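
Added example, not part of any post in this thread and not Cisco or Microsoft code: a PowerShell script that audits, applies or removes the two registry values quoted above, so the temporary compatibility-mode workaround can be rolled out, verified and later reverted consistently across machines. The `-Mode` and `-InstallDir` parameter names are assumptions of this example; the key path, value names and value data are the ones given in the thread. Run it elevated.

```powershell
# Added example: manage the WIN7RTM compatibility layer for the two AnyConnect
# binaries named in the thread. Parameter names are this example's own.
param(
    [ValidateSet('Audit', 'Apply', 'Remove')]
    [string]$Mode = 'Audit',
    # Install directory as quoted in the thread; adjust if yours differs.
    [string]$InstallDir = 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client'
)

$subKey  = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
$layer   = '~ WIN7RTM'
$targets = 'vpnui.exe', 'vpnagent.exe' | ForEach-Object { Join-Path $InstallDir $_ }

# Open the 64-bit registry view explicitly so the result does not depend on
# whether the PowerShell host process is 32-bit or 64-bit.
$hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine,
    [Microsoft.Win32.RegistryView]::Registry64)

# Audit opens read-only (and may return $null if the key does not exist);
# Apply and Remove need a writable handle.
$key = if ($Mode -eq 'Audit') { $hklm.OpenSubKey($subKey) } else { $hklm.CreateSubKey($subKey) }

try {
    foreach ($exe in $targets) {
        # The value name must be the exact full path of the binary.
        if (-not (Test-Path -LiteralPath $exe)) {
            Write-Warning "Binary not found, value name would not match: $exe"
        }
        switch ($Mode) {
            'Apply'  { $key.SetValue($exe, $layer, [Microsoft.Win32.RegistryValueKind]::String) }
            'Remove' { $key.DeleteValue($exe, $false) }   # $false: no error if absent
        }
        # Report the state actually present after the operation.
        $current = if ($key) { $key.GetValue($exe) } else { $null }
        [pscustomobject]@{
            Executable = $exe
            Layer      = $current
            Matches    = ($current -eq $layer)
        }
    }
}
finally {
    if ($key) { $key.Close() }
    $hklm.Close()
}
```

Because the thread describes compatibility mode as a temporary workaround pending Microsoft's fix, `-Mode Remove` reverts both values afterwards and `-Mode Audit` shows which machines still carry them.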

Peter,

 

I added the 2 reg entries to my computer, rebooted, and still can't connect. I verified that the shim is installed.

 

I attached a screenshot of my registry entries.

 

Any ideas?