Microsoft's SSL 3.0 Poodle-busting patch KB 3023607 breaks popular Cisco VPN client

Cisco verifies that installing KB 3023607 may lead to 'Failed to initialize connection subsystem' errors with AnyConnect VPN

As software manufacturers move to kill off SSL 3.0, to thwart the Poodle man-in-the-middle attacks, Microsoft has hit a stumbling block. This month's KB 3023607, designed to change the way Transport Layer Security (TLS) in Internet Explorer works, has triggered "Failed to initialize connection subsystem" errors when trying to start Cisco AnyConnect VPN sessions.

Cisco identified the problem yesterday:

KB 3023607 makes some AnyConnect clients give the "Failed to initialize connection subsystem" error. This issue was introduced by KB 3023607: Secure Channel cumulative update changes TLS protocol renegotiation and fallback behavior. Included with Microsoft Security Bulletin MS15-009 -- Critical Security Update for Internet Explorer (3034682). This issue should also affect Windows 7 users with IE11, but no reports of failure have been seen yet.

Cisco AnyConnect is one of the most popular (quite possibly the most popular) corporate VPN clients, supporting Windows, OS X, iOS, Android, and Linux.

ColdFusion guru Chris Tierney posted a workaround on his blog:

I run Windows 8.1 and run Cisco AnyConnect Secure Mobility Client version 3.1.03103 to access a VPN. Today, after I hit connect, it stopped working out of the blue with the error:

Failed to initialize connection subsystem

Thanks to 'I Think -- Therefore "IBM I"' blog I was able to quickly resolve the issue. I'm assuming this had to do with a recent Windows Update. Here's the final solution:

  1. Close the Cisco AnyConnect Window and the taskbar icon
  2. Right-click vpnui.exe in the Cisco AnyConnect Secure Mobility Client folder. (I have it in C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\.)
  3. Click the Run Compatibility Troubleshooter button
  4. Choose Try Recommended Settings.
  5. The wizard suggests Windows 8 compatibility.
  6. Click Test Program.  This will open the program.
  7. Close

Some people may need to repeat the above steps for vpnagent.exe. That is the local service that supports the client user interface.

Cisco pursued the solution late last night:

Cisco opened a priority 1 case with Microsoft yesterday as soon as we found out about this issue. We are continuing to escalate this issue with Microsoft for a resolution timeframe. We recommend that all customers open their own cases with Microsoft since the ultimate fix will need to come from them. You can feel free to reference Cisco's case #, which is 115021112390273 in order to expedite having your ticket properly triaged by their support team.

There are two potential workarounds until Microsoft provides a fix:

  1. Windows 8 compatibility mode for the app
  2. Customers can uninstall the KB 3023607 update from Microsoft. However, this will also remove any other security fixes provided by Microsoft as part of the update. This can be removed under Control Panel/Programs/Programs and Features, click View Installed Updates on the left and locate and uninstall the update labeled with KB 3023607. This update is not visible when you try to locate it through the Windows Update application's history, but it is accessible via Control Panel.

As of early this morning, there is no notification on the Microsoft KB article of any problems. 
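For administrators triaging this across machines, the following PowerShell audit is an added example, not code from Cisco, Microsoft or the blog quoted above. It reports whether KB 3023607 is installed and whether the two AnyConnect binaries already run in Windows 8 compatibility mode. It assumes the install folder quoted above and that the troubleshooter records the setting as the WIN8RTM token under the AppCompatFlags\Layers registry key.

```powershell
# Added example: read-only audit of one Windows host. It changes nothing.
# Assumptions: the install folder quoted in the article, and WIN8RTM as the
# compatibility-layer token Windows stores for "Windows 8" mode.
$kbId      = 'KB3023607'
$clientDir = 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client'
$binaries  = 'vpnui.exe', 'vpnagent.exe'
$layerKeys = @(
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
)

# Get-HotFix writes a non-terminating error when the update is absent.
$hotfix      = Get-HotFix -Id $kbId -ErrorAction SilentlyContinue
$kbInstalled = [bool]$hotfix

$report = foreach ($name in $binaries) {
    $path    = Join-Path $clientDir $name
    $present = Test-Path -LiteralPath $path
    $layer   = $null

    # Per-user settings live in HKCU, "all users" settings in HKLM.
    foreach ($key in $layerKeys) {
        if (-not (Test-Path $key)) { continue }
        $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$path
        if ($value) { $layer = $value; break }
    }

    $version = $null
    if ($present) { $version = (Get-Item -LiteralPath $path).VersionInfo.FileVersion }
    $win8Set = [bool]($layer -match 'WIN8RTM')

    [pscustomobject]@{
        Binary         = $name
        Present        = $present
        FileVersion    = $version
        CompatLayer    = $layer
        Win8CompatSet  = $win8Set
        # Update installed, client present, workaround not applied.
        LikelyAffected = ($kbInstalled -and $present -and -not $win8Set)
    }
}

Write-Output ("{0} installed: {1}" -f $kbId, $kbInstalled)
$report | Format-Table -AutoSize
```

The HKCU check reflects only the account running the script, so run it as the affected user when the compatibility setting was applied per user.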

Copyright © 2015 IDG Communications, Inc.