02-11-2015 01:05 PM - edited 02-21-2020 08:04 PM
I just wanted to give the community a heads up in regards to the latest February 2015 Microsoft patches. KB3023607 makes some AnyConnect clients give the "Failed to initialize connection subsystem" error. You can fix this here:
Also updated in the article:
“This issue was introduced by KB# 3023607: Secure Channel cumulative update changes TLS protocol renegotiation and fallback behavior (https://support.microsoft.com/kb/3023607)
Included with Microsoft Security Bulletin MS15-009 – Critical Security Update for Internet Explorer (3034682)
This issue should also affect Windows 7 users with IE 11, but no reports of failure have been seen yet.”
02-11-2015 02:04 PM
FYI: on my Windows 8.1 system the christierney.com procedure was not sufficient to work around the problem. I had to repeat the compatibility troubleshooter against "vpnagent.exe" before I could get VPN connections via my AnyConnect client.
("vpnagent.exe" is the local service that supports the client user interface.)
02-12-2015 02:48 AM
So, is there any info on which AnyConnect clients can work with KB3023607?
And if this is a bigger issue, does anyone know if Microsoft are working on a fix?
Thanks. Just wondering what to do about all my staff on Windows 8.1 who use AnyConnect.
02-12-2015 07:11 AM
Cisco Tracking ID: CSCus89729
Cisco opened a priority 1 case with Microsoft yesterday as soon as we found out about this issue. We are continuing to escalate this issue with Microsoft for a resolution timeframe. We recommend that all customers open their own cases with Microsoft since the ultimate fix will need to come from them. You can feel free to reference Cisco's case # which is 115021112390273 in order to expedite having your ticket properly triaged by their support team.
There are two potential workarounds until Microsoft provides a fix:
1. Windows 8 compatibility mode for the app
2. Customers can uninstall the KB3023607 update from Microsoft. However, this will also remove any other security fixes provided by Microsoft as part of the update. This can be removed under:
Control Panel / Programs / Programs and Features, click "View installed updates" on the left and locate and uninstall the update labeled with KB3023607. This update is not visible when you try to locate it through the Windows Update application's history, but it is accessible via Control Panel.
02-12-2015 07:11 AM
I've also opened a TAC case. Is it possible to make the BUG tracking ID public for us?
02-13-2015 05:24 AM
Same issue, Windows 8.1 with several users. Come on Cisco.
02-13-2015 06:12 AM
This is a defect in the Microsoft 02/10/15 patch and not a bug in the AnyConnect software. Microsoft is aware of this and is working on a fix. There are two possible workarounds until a fix is available: the first is to use Windows 8 compatibility mode for the app; the other is to uninstall this specific KB article (you would also lose other security fixes associated with it, so proceed with caution on this option).
02-13-2015 07:58 AM
Does Cisco have an official response on this issue yet? Also, it would be great to know which version of ASA OS affected users are running (not all versions and interim releases have all necessary SSL security fixes). Also, not every sub release of AnyConnect client is the same. We are not experiencing any issues with AnyConnect 4.0.00051 and AnyConnect 3.1.05060 currently installed in an environment with this patch installed. All the PCs are a mix of Windows 8.1 Pro and/or Windows 7 with IE11 (of course). Our OS is 188.8.131.52, latest Interim release, and we have everything except TLSv1.0 disabled (no SSLv3.0 allowed). Configuration of AnyConnect policies can also play a role here (SSL vs DTLS vs IKEv2). This issue is making the rounds over the Internet as a significant problem and is being brought up by my management - basically creating somewhat of a concern. Clarification is necessary.
02-13-2015 08:13 AM
The issue is not the ASA or AnyConnect, it is a defect in Microsoft's February 2015 (02/10/15) security patch which affects all AnyConnect users on Windows 8.1 and a subset (unclear what subset yet) of users on Windows 7 with IE11. This has nothing to do with TLS versions which are enabled or disabled. Microsoft is aware of the defect that they introduced and are actively working on a fix.
Our public statement on the topic and a couple of workarounds can be found in the Cisco bug search tool (link below) for authorized Cisco.com users or you can view an abbreviated statement on our social media Facebook page at www.facebook.com/anyconnect
02-13-2015 09:18 AM
This article clearly only applies to Windows 8.1. On Windows 7, update 3023607 gets installed with update 3021952, and not with 3034682 (as referenced in the article). Also, on my Windows 8.1 PCs KB3203607 shows as a separate update, and not part of anything. The more I look at it, the more it looks like a corrupt update install behavior and not really a problem with the update. All my updates, be that Windows 7 or Windows 8.1, are listed installed exactly in the manner described in the MS article for MS15-009. Perhaps users affected got early versions of MS15-009 updates, while the rest of us got normal versions on 02/11. Cisco really needs to do a better job on troubleshooting and documenting the issues.
02-13-2015 09:52 AM
We are very sorry you are not pleased with our analysis. We worked very hard to be responsive to customers in evaluating and reporting on the situation as soon as we learned about it.
We can confirm (since we are working directly with Microsoft on this issue) that it is due to a bug in the Windows 8.1 patch KB3012982 (which gets wrapped under KB3203607) and not a corrupt update install. This patch was wrapped in with the MS15-009 update for Windows 8.1 users.
As far as the few reports we have had with issues on Windows 7 w/ IE11, we have removed any reference to this pending further investigation since Microsoft does not believe that their update should affect W7 users.
02-15-2015 10:11 PM
Peter, It's been three days now since we had an update. Is there any update on this? With the bad weather the East Coast USA is experiencing, I have a heap of my remote staff now not able to remotely connect to work from home, and it's causing headaches.
There are some reports that 4.x versions of AnyConnect Mobility may not be affected, but I can't roll that out on a whim.
02-16-2015 04:51 AM
MS is still working on putting out a patch but they have not given us any timeframe as to when this will go out. Since the fix will need to be released by Microsoft, my recommendation is to open up a direct case with them on this issue. While not perfect, we did publish a couple of workarounds for this topic.
02-17-2015 01:59 AM
We have an active case open with Microsoft and they have stated they intend to resolve this issue in the March security updates.
In the meantime, they have released a 'FixIt' which is available at https://support2.microsoft.com/kb/3023607.
02-17-2015 10:07 AM
Windows 8 computers unable to connect after KB3023607 installed. I tried Microsoft's Fix It 51033; however, that does not resolve the issue. VPN Client says "Lost connection to VPN service. Reattaching...." We authenticate using AD + certificate; could the certificate be causing an issue as well? If I uninstall KB3023607 I am able to connect.