Cisco SSL-VPN problems after KB2585542

Today I noticed that some Windows 7 clients had problems connecting with Cisco’s AnyConnect VPN Client (SSL-VPN).
After a few hours troubleshooting we noticed that Windows Update KB2585542 was causing the problem.

The clients were not even able to see the website (on a Cisco router) which hosts the AnyConnect client installer. When trying to connect using the Cisco AnyConnect client, it felt like it timed out.

A debug session on the Cisco 2921 router (which was the SSL-VPN endpoint in this case) showed the following:

enable
terminal monitor
debug webvpn


Jan 13 23:25:21.184: WV: validated_tp : cert_username : matched_ctx :
Jan 13 23:25:21.184: WV: [Q]Client side Chunk data written..
buffer=0x2A429708 total_len=1016 bytes=1016 tcb=0x325E5BEC
Jan 13 23:25:21.184: WV: Client side Chunk data written..
buffer=0x2A4293E8 total_len=127 bytes=127 tcb=0x325E5BEC
Jan 13 23:25:21.184: WV: sslvpn process rcvd context queue event
Jan 13 23:25:28.072: WV: Entering APPL with Context: 0x3163BC58,
Data buffer(buffer: 0x2A429548, data: 0xDDD9058, len: 1,
offset: 0, domain: 0)
Jan 13 23:25:28.072: WV: Fragmented App data – buffered
Jan 13 23:25:28.072: WV: Entering APPL with Context: 0x3163BC58,
Data buffer(buffer: 0x2A4293E8, data: 0xDDDC558, len: 447,
offset: 0, domain: 0)
Jan 13 23:25:28.072: WV: Appl. processing Failed : 2
Jan 13 23:25:28.072: WV: server side not ready to send.


Especially notice the last two lines (“Appl. processing Failed : 2” and “server side not ready to send.”), which were very typical for this problem.

  • After uninstalling the Windows update KB2585542, clients were able to connect again.
  • The problem was not seen on Windows XP or Vista.
  • Clients were using different AnyConnect 2.x versions; which version didn’t matter.
  • The IOS version of the device (15.1 and later tried 15.2) being the SSL-VPN endpoint didn’t matter.
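To check saved `debug webvpn` output from other gateways for the same signature, the sequence in the log above can be matched mechanically: a 1-byte application record that gets buffered as a fragment, followed by "Appl. processing Failed" in the same context. This is an added example, not part of the original post; the function names are hypothetical and the sample is constructed from the lines quoted above.

```python
import re

# Constructed sample: tail of the debug output quoted above (ASCII "-" used here).
SAMPLE = """\
Jan 13 23:25:21.184: WV: sslvpn process rcvd context queue event
Jan 13 23:25:28.072: WV: Entering APPL with Context: 0x3163BC58,
Data buffer(buffer: 0x2A429548, data: 0xDDD9058, len: 1,
offset: 0, domain: 0)
Jan 13 23:25:28.072: WV: Fragmented App data - buffered
Jan 13 23:25:28.072: WV: Entering APPL with Context: 0x3163BC58,
Data buffer(buffer: 0x2A4293E8, data: 0xDDDC558, len: 447,
offset: 0, domain: 0)
Jan 13 23:25:28.072: WV: Appl. processing Failed : 2
Jan 13 23:25:28.072: WV: server side not ready to send.
"""

TS = re.compile(r"^([A-Z][a-z]{2} +\d+ [\d:.]+): WV: ")
ENTER = re.compile(r"Entering APPL with Context: (0x[0-9A-Fa-f]+),.*?len: (\d+),")
FAIL = re.compile(r"Appl\. processing Failed : (\d+)")

def join_records(text):
    """Fold continuation lines (no timestamp) into the preceding WV record."""
    records = []
    for line in text.splitlines():
        if TS.match(line):
            records.append(line)
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def find_split_failures(text):
    """Return (timestamp, context, next_len, code) for every processing failure
    that follows a buffered 1-byte record in the same context."""
    hits, pending = [], set()      # pending: contexts holding a 1-byte fragment
    last_ctx = last_len = None
    for rec in join_records(text):
        m = ENTER.search(rec)
        if m:
            last_ctx, last_len = m.group(1), int(m.group(2))
        elif "Fragmented App data" in rec and last_len == 1:
            pending.add(last_ctx)
        else:
            f = FAIL.search(rec)
            if f and last_ctx in pending:
                pending.discard(last_ctx)
                hits.append((TS.match(rec).group(1), last_ctx, last_len, int(f.group(1))))
    return hits

if __name__ == "__main__":
    for hit in find_split_failures(SAMPLE):
        print("1-byte fragment followed by failure:", hit)
```
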

Let’s hope Microsoft will address this issue ASAP.

January 14th, 2012 | Technical

2 Comments

  1. Roel Broersma 4 February 2012 at 12:23

    UPDATE: You can set the encryption to “rc4-md5” as a workaround.

    1) Login to your Cisco device
    2) Enable and go to config terminal mode.
    3) Type: webvpn gateway
    4) Type: ssl encryption rc4-md5

    It’s a slightly less secure (but also faster) algorithm.

  2. Arden White 16 January 2012 at 17:35

    This is a bug in the Cisco VPN that is being exposed by the fix that Microsoft made to plug a security vulnerability in the SSL and TLS protocols (HTTPS). The other SSL/TLS vendors such as Google, Mozilla, OpenSSL and Opera have either already made this change or are preparing to make the same change.
