404 Tech Support

Windows Update KB3023607 breaks Cisco AnyConnect VPN

The latest round of Windows Updates is making plenty of noise already. One update, KB3001652, barely made it out the door before it was recalled after hanging computers (apparently waiting for a prompt to be clicked). Other updates (MS15-011 & MS15-014) this month address security issues with Group Policy. KB3023607 addresses the lingering POODLE vulnerability and changes SSL 3.0 fallback behavior for Windows applications. It is this change that is causing issues with Cisco’s current version of the AnyConnect VPN application on Windows 8.1.

Upon launching Cisco AnyConnect (version 3 or version 4), you will receive an error message stating: ‘Failed to initialize connection subsystem.’

Ideally, Cisco will release a new version of the VPN client to address this problem. The workaround in the meantime is to run AnyConnect in Windows 8 Compatibility Mode. The file that the AnyConnect shortcut points to is vpnui.exe. It is located in C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client or C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client.

Right-click on vpnui.exe and choose Properties. Under the Compatibility tab of the file’s properties, check the box for ‘Run this program in compatibility mode for:’ and choose Windows 8 from the related drop-down. Hit OK to close the Properties window.

You can now relaunch Cisco AnyConnect Secure Mobility Client and it should allow you to connect to your VPN.
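For more than a handful of machines, the same workaround can be scripted. The PowerShell below is an added example, not code from this article, Cisco or Microsoft. It assumes the Compatibility tab stores its per-user setting as a value under the AppCompatFlags\Layers registry key and that the Windows 8 layer string is WIN8RTM.

```powershell
# Added example: apply the Windows 8 compatibility-mode workaround to vpnui.exe
# only on machines that actually have KB3023607 installed.
# Assumptions: per-user compatibility settings live under AppCompatFlags\Layers,
# and 'WIN8RTM' is the layer name behind the "Windows 8" drop-down entry.
$LayersKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
$LayerName = 'WIN8RTM'
$SubPath   = 'Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe'

# 1. Skip machines where the update is not present.
if (-not (Get-HotFix -Id 'KB3023607' -ErrorAction SilentlyContinue)) {
    Write-Output 'KB3023607 is not installed; no change made.'
    return
}

# 2. Locate vpnui.exe in either install location named in the article.
#    ProgramFiles(x86) is empty on 32-bit Windows, so drop empty roots first.
$exe = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ $SubPath } |
    Where-Object { Test-Path -LiteralPath $_ } |
    Select-Object -First 1
if (-not $exe) {
    Write-Warning 'vpnui.exe not found in either Program Files location.'
    return
}

# 3. Read any existing compatibility flags so they are not overwritten.
if (-not (Test-Path $LayersKey)) { New-Item -Path $LayersKey -Force | Out-Null }
$current = (Get-Item -Path $LayersKey).GetValue($exe)

if ($current -and ($current -split ' ') -contains $LayerName) {
    Write-Output "Compatibility mode already set for $exe"
    return
}

# 4. Append the layer to existing flags, or create the value with the '~ ' prefix.
$newValue = if ($current) { "$current $LayerName" } else { "~ $LayerName" }
Set-ItemProperty -Path $LayersKey -Name $exe -Value $newValue
Write-Output "Set '$newValue' for $exe; relaunch AnyConnect to test."
```

Run it as the user who launches AnyConnect, since the value is written to that user's HKCU hive. Once Microsoft's fix is in place, the registry value can be deleted again with Remove-ItemProperty so the client stops running in compatibility mode.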

Update: Cisco reached out following this article and stated that the fix would have to come from Microsoft. “They are aware of the regression they introduced and are working on it.”

See this announcement on the Cisco Support forums.

They also posted to their Facebook Page:

Microsoft’s Patch update for Tue 02/10/15 has introduced an OS regression which impacts Windows 8.1 users using AnyConnect. This issue will also impact Windows 7 users with IE11 installed. (Windows Server 2008/2012 are also impacted, but neither is an officially supported OS platform for AnyConnect)

We have root caused the issue and escalated to Microsoft.

We are tracking this issue under Cisco Bug ID: CSCus89729
https://tools.cisco.com/bugsearch/bug/CSCus89729

A temporary workaround is “Windows 8 Compatibility Mode” or to uninstall KB3023607.

Customers affected are recommended to open cases directly with Microsoft. You are free to reference Cisco’s case with them which is: 115021112390273

The regression was introduced by Microsoft as part of:
3023607 Secure Channel cumulative update changes TLS protocol renegotiation and fallback behavior
https://support.microsoft.com/kb/3023607
which was included with
Microsoft Security Bulletin MS15-009 – Critical
Security Update for Internet Explorer (3034682)
The specific function that is broken as a result of the patch is the SChannel API “SSLEmptyCache()”

Update 2: Microsoft now has a FixIt solution that you can download and run to address the issue with AnyConnect since the latest updates.