Today I noticed that some Windows 7 clients had problems connecting using Cisco’s AnyConnect VPN Client (SSL-VPN).
After a few hours of troubleshooting we noticed that Windows Update KB2585542 was causing the problem.

The clients were not even able to see the website (on a Cisco router) which hosts the AnyConnect client installer. When trying to connect using the Cisco AnyConnect client, it felt like it timed out.

A debug session on the Cisco 2921 router (which was the SSL-VPN endpoint in this case) showed the following:

enable
terminal monitor
debug webvpn


Jan 13 23:25:21.184: WV: validated_tp : cert_username : matched_ctx :
Jan 13 23:25:21.184: WV: [Q]Client side Chunk data written..
buffer=0x2A429708 total_len=1016 bytes=1016 tcb=0x325E5BEC
Jan 13 23:25:21.184: WV: Client side Chunk data written..
buffer=0x2A4293E8 total_len=127 bytes=127 tcb=0x325E5BEC
Jan 13 23:25:21.184: WV: sslvpn process rcvd context queue event
Jan 13 23:25:28.072: WV: Entering APPL with Context: 0x3163BC58,
Data buffer(buffer: 0x2A429548, data: 0xDDD9058, len: 1,
offset: 0, domain: 0)
Jan 13 23:25:28.072: WV: Fragmented App data – buffered
Jan 13 23:25:28.072: WV: Entering APPL with Context: 0x3163BC58,
Data buffer(buffer: 0x2A4293E8, data: 0xDDDC558, len: 447,
offset: 0, domain: 0)
Jan 13 23:25:28.072: WV: Appl. processing Failed : 2
Jan 13 23:25:28.072: WV: server side not ready to send.


Especially notice the last two lines ("Appl. processing Failed : 2" and "server side not ready to send."), which were very typical for this problem.
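As an added example (not part of the original post), this Python triage script scans saved debug webvpn output for that two-line signature and reports the buffer lengths logged for the same context just before it. The function names and the grouping by context are assumptions of this example; the sample input is constructed from the lines quoted above.

```python
import re

# Constructed sample, based on the debug lines quoted in the post.
SAMPLE = """\
Jan 13 23:25:28.072: WV: Entering APPL with Context: 0x3163BC58,
Data buffer(buffer: 0x2A429548, data: 0xDDD9058, len: 1,
offset: 0, domain: 0)
Jan 13 23:25:28.072: WV: Fragmented App data - buffered
Jan 13 23:25:28.072: WV: Entering APPL with Context: 0x3163BC58,
Data buffer(buffer: 0x2A4293E8, data: 0xDDDC558, len: 447,
offset: 0, domain: 0)
Jan 13 23:25:28.072: WV: Appl. processing Failed : 2
Jan 13 23:25:28.072: WV: server side not ready to send.
"""

STAMP = re.compile(r"^(\w{3} +\d+ [\d:.]+): WV: (.*)$")
ENTER = re.compile(r"Entering APPL with Context: (0x[0-9A-Fa-f]+)")
LEN = re.compile(r"\blen: (\d+)")
FAIL = re.compile(r"Appl\. processing Failed : (\d+)")

def join_records(text):
    """Fold continuation lines (no timestamp) into the preceding WV record."""
    records = []
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            records.append([m.group(1), m.group(2)])
        elif records and line.strip():
            records[-1][1] += " " + line.strip()
    return records

def find_failures(text):
    """One dict per 'processing Failed' record that is directly followed by
    'server side not ready to send', with the buffer lengths seen before it."""
    recs, hits, lens, ctx = join_records(text), [], [], None
    for i, (ts, msg) in enumerate(recs):
        e = ENTER.search(msg)
        if e:
            if e.group(1) != ctx:          # new context: restart the length list
                ctx, lens = e.group(1), []
            lens.extend(int(n) for n in LEN.findall(msg))
            continue
        f = FAIL.search(msg)
        nxt = recs[i + 1][1] if i + 1 < len(recs) else ""
        if f and "server side not ready to send" in nxt:
            hits.append({"time": ts, "context": ctx,
                         "code": int(f.group(1)), "buffer_lens": lens})
            lens = []
    return hits
```

Run find_failures() over a captured debug session; each hit gives the timestamp, context pointer, failure code and preceding buffer lengths, which makes it easy to compare failing and working clients.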

  • After uninstalling the Windows update KB2585542, clients were able to connect again.
  • The problem was not seen on Windows XP or Vista.
  • Clients were using different AnyConnect 2.x versions; which version didn’t matter.
  • The IOS version of the device being the SSL-VPN endpoint (15.1, and later 15.2 was tried) didn’t matter.

Let’s hope Microsoft will address this issue ASAP.