54341_Microsoft patch KB3023607 breaks Cisco AnyConnect VPN...

Expand / Collapse
AnyConnect users on Windows 8.1 will receive a ''Failed to initialize connection subsystem'' error after installing the Windows 8.1 02/10/15 security patch.

AnyConnect (All Versions)
Windows 8.1 (02/10/15 Security patch)

Workaround #1:
Microsoft has released a "fixit" to correct the regression in the02/10/15 patch. This is accessible by following the instructions at:
Once the "fixit" is installed, Cisco recommends you reboot your PC or logoff / logon as you need to fully restart the AnyConnect service (not just the User Interface), and not all users will have access to do so.
Note: The "fixit" Microsoft has released is not a fix for the OS regression.

Microsoft is planning to release a Windows Update patch on 03/10/15 for this issue. Microsoft's dates are subject to change.

Workaround #2:
Close the Cisco AnyConnect Window and the taskbar mini-icon
Right click vpnui.exe in the 'Cisco AnyConnect Secure Mobility Client' folder.
(C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\)
Click on the 'Run compatibility troubleshooter' button
Choose 'Try recommended settings'
The wizard suggests Windows 8 compatibility.
Click 'Test Program'. This will open the program.


Right click vpnui.exe in the 'Cisco AnyConnect Secure Mobility Client' folder.
(C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\)
Click on the 'Run this program in compatibility mode for"
Choose 'Windows 7'
Click Apply and then OK.
Start AnyConnect and click on "Connect".

Some customers have reported that they needed to also set up compatibility mode for the vpnagent.exe executable.

Workaround #3:
Customers can uninstall the KB3023607 update from Microsoft. However, this will also remove any other security fixes provided by Microsoft as part of the update. This can be removed under:

Control Panel / Programs / Programs and Features, click "View installed updates" on the left and locate and uninstall the updated labeled with KB3023607.

Further Problem Description:
The root cause is a specific OS bug introduced in Microsoft's 02/10/15 patch.See Workaround #1 for a "fixit" from Microsoft which will be available until the 03/10/15 Windows Update patch is distributed. Microsoft's dates are subject to change.

Customers who would like to open a case on the topic are encouraged to open one directly with Microsoft since they are responsible for the Windows Update patch. To speed up the Microsoft support triage process, customers are welcome to reference Cisco's existing Microsoft case ID: 115021112390273 and https://support.microsoft.com/kb/3023607(KB3023607).

The regression was introduced by Microsoft as part of:
3012982 - Update to enable Schannel crypto APIs to be called from a DPC-level driver in Windows 8.1 and Windows Server 2012 R2.

Rate this Article:

Category: Windows

Last Modified:Wednesday, February 18, 2015 10:27 AM

Type: INFO

Level: Beginner

Rated 3 stars based on 2 votes.

Article has been viewed 12,807 times.

Email Article Email Article

Social Bookmarks Social Bookmarks