Microsoft patch KB3023607 breaks Cisco AnyConnect VPN Client

Expand / Collapse
Symptom:
AnyConnect users on Windows 8.1 will receive a ''Failed to initialize connection subsystem'' error after installing the Windows 8.1 02/10/15 security patch.

Conditions:
AnyConnect (All Versions)
Windows 8.1 (02/10/15 Security patch)

Workarounds:
Workaround #1:
Microsoft has released a "fixit" to correct the regression in the02/10/15 patch. This is accessible by following the instructions at:
https://support.microsoft.com/kb/3023607
Once the "fixit" is installed, Cisco recommends you reboot your PC or logoff / logon as you need to fully restart the AnyConnect service (not just the User Interface), and not all users will have access to do so.
Note: The "fixit" Microsoft has released is not a fix for the OS regression.

Microsoft is planning to release a Windows Update patch on 03/10/15 for this issue. Microsoft's dates are subject to change.

Workaround #2:
Close the Cisco AnyConnect Window and the taskbar mini-icon
Right click vpnui.exe in the 'Cisco AnyConnect Secure Mobility Client' folder.
(C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\)
Click on the 'Run compatibility troubleshooter' button
Choose 'Try recommended settings'
The wizard suggests Windows 8 compatibility.
Click 'Test Program'. This will open the program.
Close

Or

Right click vpnui.exe in the 'Cisco AnyConnect Secure Mobility Client' folder.
(C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\)
Click on the 'Run this program in compatibility mode for"
Choose 'Windows 7'
Click Apply and then OK.
Start AnyConnect and click on "Connect".

Some customers have reported that they needed to also set up compatibility mode for the vpnagent.exe executable.

Workaround #3:
Customers can uninstall the KB3023607 update from Microsoft. However, this will also remove any other security fixes provided by Microsoft as part of the update. This can be removed under:

Control Panel / Programs / Programs and Features, click "View installed updates" on the left and locate and uninstall the updated labeled with KB3023607.

Further Problem Description:
The root cause is a specific OS bug introduced in Microsoft's 02/10/15 patch.See Workaround #1 for a "fixit" from Microsoft which will be available until the 03/10/15 Windows Update patch is distributed. Microsoft's dates are subject to change.

Customers who would like to open a case on the topic are encouraged to open one directly with Microsoft since they are responsible for the Windows Update patch. To speed up the Microsoft support triage process, customers are welcome to reference Cisco's existing Microsoft case ID: 115021112390273 and https://support.microsoft.com/kb/3023607(KB3023607).

The regression was introduced by Microsoft as part of:
3012982 - Update to enable Schannel crypto APIs to be called from a DPC-level driver in Windows 8.1 and Windows Server 2012 R2.
https://support.microsoft.com/kb/3012982


Rate this Article:


Details
Category: Windows

Last Modified:Wednesday, February 18, 2015 10:27 AM

Type: INFO

Level: Beginner

Rated 3 stars based on 2 votes.

Article has been viewed 8,254 times.

Options
Email Article Email Article


Social Bookmarks Social Bookmarks