We have been seeing a growing number of complaints from users that when they are connected via AnyConnect 3.1.00495 on Windows that they are getting BSODs a few minutes after the connection is established. We are running McAfee HIPS version 8.0 / Build Number 18.104.22.1681 / Security Content Version 22.214.171.12434 / Patch 2. The BSOD always seems to come from mfefirek.sys with DRIVER_IRQL_NOT_LESS_OR_EQUAL. I can stop the HIPS service in Windows and restart the computer and the BSODs stop.
Please enable minidumps on machines affected, collect minidump and a DART package from Anyconnect and open a Cisco TAC case.
We will look into the crash dump and redirect you mcaffee if it's something on their side.
Any update on this? Looks like we're possibly having the same issue. We're in pilot with the AC 3.1 client and there are a few people who have indicated that they're experiencing blue screens.
I'm working with a couple of them to try and collect the bluescreen information but this McAfee module has been implicated.
I have opened a TAC case and a ticket with McAfee. Cisco has deffered the issue to McAfee as the mini-dumps all point to McAfee HIPS. McAfee has supplied a Hotfix for HIPS, but we are still in the testing phases and don't have enough data to determine if the hotfix resolves the issue.
In testing prior to the hot fix from McAfee, several users had indicated that if they wait ~30 minutes after starting up the computer before they establish the AnyConnect session they don't get the BSOD. You may want to see if this is the same for your users to at least give them a means to connect.
Excellent. Thanks so much for the quick reply.
We've only seen the issue on a couple of machines but are very early in the pilot testing. The issue has been observed sporadically and sometimes doesn't happen at all even while using the client for hours. Our speculation was that the HIPS agent was dormant and the crash would happen when the agent initiated an action. Perhaps it's more a matter that the user was idle for 30+ minutes after boot-up but before initiating an AnyConnect connection.
Do you have any info on the hotfix you could share with us like case # or hotfix number so we can reference that to our McAfee support team?