SSLVPN and Microsoft Security Update KB2585542

LSThree MIS
Level 1

Has anyone else encountered the SSLVPN not functioning on a Windows client AFTER installing KB2585542?  If we install the update, we can't use SSL VPN with the AnyConnect client until the update is removed.


Marcin Latosiewicz
Cisco Employee

What platform are you connecting to?

On IOS side we're tracking this via:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtx38806

We are connecting to a 1941W router using IOS c1900-universalk9-mz.SPA.152-2.T.bin with AnyConnect version 2.5.3055 and 3.0.5075

Yes, we are having the same problem as you LSThreeMIS. The only solution we have found thus far is to uninstall the update. We are still looking into it ourselves to see if we can find an answer that does not involve uninstalling the MS update.

Same here, we have WSUS pulling the update if it was already applied, but that seems to have introduced another issue with the PC/Laptop getting stuck while shutting down Windows 7. Hopefully this gets resolved soon.

So is the problem with the Cisco AnyConnect VPN client or with the IOS? Or is it both the Cisco AnyConnect client and the IOS? We are running AnyConnect 2.5.3055 and IOS 12.4T(24) on one of our ISRs and have not been able to get Windows XP SP3, Vista or Windows 7 clients using AnyConnect 2.5.3055 to connect when they have the KB2585542 installed.

Does Cisco monitor and respond to these Discussions? If so, a response of some kind would be appreciated!

Hi Michael,

The problem is with IOS and there is a defect filed against IOS for that:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtx38806

The bug id is CSCtx38806

Any of the following workarounds will work:
1) Use the clientless portal to start the client - this only works in some versions of IOS.
2) Uninstall the update
3) Use rc4 - this is a less secure encryption option; if this meets your security needs, then you may use it as follows:
webvpn gateway 
   ssl encryption rc4-md5 
4) Use AC 2.5.3046 or 3.0.3054 for AnyConnect

For AnyConnect users, the user error message is:
"Connection attempt has failed due to server communication errors. Please retry the connection"

The AnyConnect event log will show the following error message snippet:

Function: ConnectIfc::connect
Invoked Function: ConnectIfc::handleRedirects
Description: CONNECTIFC_ERROR_HTTP_MAX_REDIRS_EXCEEDED
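
An added example, not part of the original thread and not Cisco code: since workaround 3 is described above as a less secure option, this sketch scans a saved IOS configuration for `webvpn gateway` blocks that still carry `ssl encryption rc4-md5`, so the setting can be found and reviewed later. The gateway names, addresses and the sample configuration are constructed, and the multi-cipher `ssl encryption` line in the third block is an assumption about how such a line may appear.

```python
import re

# Constructed sample of a saved IOS configuration excerpt (all names and
# addresses are made up; this is not output from a real device).
SAMPLE_CONFIG = """\
webvpn gateway GW-EXAMPLE-1
 ip address 192.0.2.1 port 443
 ssl encryption rc4-md5
 inservice
!
webvpn gateway GW-EXAMPLE-2
 ip address 192.0.2.2 port 443
 inservice
!
webvpn gateway GW-EXAMPLE-3
 ip address 192.0.2.3 port 443
 ssl encryption 3des-sha1 rc4-md5
 inservice
!
"""

def audit_webvpn_gateways(config_text):
    """Map each 'webvpn gateway <name>' block to the ciphers listed on its
    explicit 'ssl encryption' line (empty list if the block has none)."""
    gateways = {}
    current = None
    for line in config_text.splitlines():
        header = re.match(r"^webvpn gateway\s+(\S+)", line)
        if header:
            current = header.group(1)
            gateways[current] = []
            continue
        if not line.startswith(" "):
            # Any unindented line ("!" or a new top-level command) ends the block.
            current = None
            continue
        if current:
            cipher_line = re.match(r"^\s+ssl encryption\s+(.+)$", line)
            if cipher_line:
                gateways[current] = cipher_line.group(1).split()
    return gateways

def gateways_with_rc4(config_text):
    """Names of gateways whose explicit cipher list includes rc4-md5."""
    audit = audit_webvpn_gateways(config_text)
    return sorted(name for name, ciphers in audit.items() if "rc4-md5" in ciphers)

if __name__ == "__main__":
    for name in gateways_with_rc4(SAMPLE_CONFIG):
        print(f"{name}: rc4-md5 workaround still configured")
```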

So this isn't an issue if you're running ASAs for VPN, right?

On ASA, for the majority there are no issues, but some isolated incidents have been seen.

This is tracked using the defect:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtx68075

Are you seeing any issues with ASA?

Thank you Thomas, this has helped us to get our users connected using the AnyConnect Client (2.5.3046), however we now find that users cannot connect to the website on the router. Do you know where I can find out what version of the IOS we can run so that our users can connect to the web site of the router?

We have confirmed that it is the KB2585542 update that is preventing our users from connecting to the web site by removing the update and trying to connect.

Hi Michael,

Unfortunately, on IOS the defect is not resolved yet, so only the workarounds will work.

yleduc
Level 1

I have tried the interim release of 8-4-3.9 for the ASA and while the symptoms are not the same, the end result is that I still cannot obtain the desired page.

Regards.

Yvon

Hi Yvon,

Does disabling the KB fix resolve the problem even with ASA 8.4.3.9?

Without looking at the SSL stream with the private key exported and the ASA debugs/logs, it's hard to say it's a new issue.

It would be best to open a TAC case so that this can be further analyzed and a new bug opened if this is a new defect.

Tom