Cisco SSL-VPN problems after KB2585542
January 14, 2012
Posted by Roel in: Technical
Today I noticed that some Windows 7 clients had problems connecting with Cisco's AnyConnect VPN Client (SSL-VPN).
After a few hours of troubleshooting, we found that Windows Update KB2585542 was causing the problem.
The clients could not even reach the web page (hosted on the Cisco router) that serves the AnyConnect client installer. When they tried to connect with the Cisco AnyConnect client, the attempt appeared to time out.
A debug session on the Cisco 2921 router (which was the SSL-VPN endpoint in this case) showed the following:
enable
terminal monitor
debug webvpn
Jan 13 23:25:21.184: WV: validated_tp : cert_username : matched_ctx :
Jan 13 23:25:21.184: WV: [Q]Client side Chunk data written..
buffer=0x2A429708 total_len=1016 bytes=1016 tcb=0x325E5BEC
Jan 13 23:25:21.184: WV: Client side Chunk data written..
buffer=0x2A4293E8 total_len=127 bytes=127 tcb=0x325E5BEC
Jan 13 23:25:21.184: WV: sslvpn process rcvd context queue event
Jan 13 23:25:28.072: WV: Entering APPL with Context: 0x3163BC58,
Data buffer(buffer: 0x2A429548, data: 0xDDD9058, len: 1,
offset: 0, domain: 0)
Jan 13 23:25:28.072: WV: Fragmented App data – buffered
Jan 13 23:25:28.072: WV: Entering APPL with Context: 0x3163BC58,
Data buffer(buffer: 0x2A4293E8, data: 0xDDDC558, len: 447,
offset: 0, domain: 0)
Jan 13 23:25:28.072: WV: Appl. processing Failed : 2
Jan 13 23:25:28.072: WV: server side not ready to send.
Note especially the last two lines, "Appl. processing Failed : 2" and "server side not ready to send.", which were very typical of this problem.
- After uninstalling the Windows update KB2585542, clients were able to connect again.
- The problem was not seen on Windows XP or Vista.
- Clients were using different AnyConnect 2.x versions; the version did not matter.
- The IOS version of the SSL-VPN endpoint (15.1, and later 15.2 was also tried) did not matter.
Let's hope Microsoft addresses this issue ASAP.
Comments
This is a bug in the Cisco VPN that is being exposed by the fix that Microsoft made to plug a security vulnerability in the SSL and TLS protocols (HTTPS). The other SSL/TLS vendors such as Google, Mozilla, OpenSSL and Opera have either already made this change or are preparing to make the same change.
UPDATE: You can set the encryption to "rc4-md5" as a workaround.
1) Log in to your Cisco device
2) Enable and go to config terminal mode.
3) Type: webvpn gateway
4) Type: ssl encryption rc4-md5
It's a somewhat less secure (but also faster) algorithm.
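As an added illustration (not code from the post, its comments, Cisco or Microsoft), the Python below models the 1/n-1 TLS record splitting that KB2585542 (MS12-006, the BEAST/CVE-2011-3389 mitigation) applies to CBC cipher suites, which matches the 1-byte chunk followed by the 447-byte chunk in the debug output above, and contrasts a server-side parser that expects one request per record with one that buffers across records; it also shows why negotiating RC4, a stream cipher that the patched client does not split, sidesteps the problem. The request bytes, the cipher labels and the parsers are assumptions constructed for this example.

```python
# Added illustration, not code from the post, Cisco or Microsoft. It models the 1/n-1
# TLS record splitting that KB2585542 (MS12-006, the CBC/BEAST fix for CVE-2011-3389)
# added to Windows SChannel, shows why a server expecting a whole HTTP request in one
# record fails on the 1-byte lead record, and why the RC4 (stream cipher) workaround helps.
from typing import List, Optional

# Constructed sample request; the path and host are placeholders, not from the post.
SAMPLE_REQUEST = (b"GET /webvpn/ HTTP/1.1\r\nHost: vpn.example.invalid\r\n"
                  b"User-Agent: AnyConnect-sample\r\n\r\n")

def client_records(plaintext: bytes, cipher: str) -> List[bytes]:
    """Records a patched client emits: whole for RC4, 1/n-1 split otherwise (CBC)."""
    if cipher.lower().startswith("rc4") or len(plaintext) <= 1:
        return [plaintext]
    return [plaintext[:1], plaintext[1:]]

def request_target(data: bytes) -> Optional[bytes]:
    """Return the request-target if data holds a complete, well-formed request head."""
    if data.find(b"\r\n\r\n") < 0:
        return None                       # header not complete yet
    parts = data.split(b" ", 2)
    if len(parts) < 3 or parts[0] not in (b"GET", b"POST"):
        return None                       # garbled request line (e.g. "ET /...")
    return parts[1]

class BufferingParser:
    """Accumulates record payloads until a complete request head has arrived."""
    def __init__(self) -> None:
        self.buf = b""

    def feed(self, record: bytes) -> Optional[bytes]:
        self.buf += record
        end = self.buf.find(b"\r\n\r\n")
        if end < 0:
            return None                   # fragment buffered; wait for more data
        head, self.buf = self.buf[:end + 4], self.buf[end + 4:]
        return request_target(head)

def simulate(cipher: str) -> dict:
    """Feed the client's records to both parsers and report what each recovers."""
    records = client_records(SAMPLE_REQUEST, cipher)
    buffering = BufferingParser()
    return {
        "record_lengths": [len(r) for r in records],
        # one record == one request: both the 1-byte and the n-1 byte record fail
        "per_record": [request_target(r) for r in records],
        "buffering": [buffering.feed(r) for r in records],
    }
```

Calling simulate("AES128-SHA") reports record lengths [1, n-1] with the per-record parser recovering nothing and the buffering parser recovering the request on the second record, while simulate("rc4-md5") delivers a single unsplit record that both parsers accept.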