Update 3/11/2015 11:31 CST:

Microsoft has included the fix for AnyConnect and Windows 8.1 in the 3/10/2015 Windows Update. See KB #3040335

Update 2/16/2015 16:11 CST:

Per Cisco: Microsoft has released a fix-it patch providing a workaround for this issue. See KB# 3023607

When you visit the KB page, it appears you have to scroll down to the “Microsoft Fix It” button and install the AppCompat shim which is Microsoft Fix it 51033. This is a bit confusing, so be sure to click that button.

Microsoft is planning to include the fix with the Microsoft March Patch Tuesday release (subject to change)

I run Windows 8.1 and run Cisco AnyConnect Secure Mobility Client version 3.1.03103 to access a VPN.

Today, after I hit connect, it stopped working out of the blue with the error:

Failed to initialize connection subsystem

Thanks to ‘I Think – Therefore “IBM I”‘ blog I was able to quickly resolve the issue. I’m assuming this had to do with a recent Windows Update. Here’s the final solution:

  1. Close the Cisco AnyConnect Window and the taskbar mini-icon
  2. Right click vpnui.exe in the “Cisco AnyConnect Secure Mobility Client” folder. (I have it in “C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\”.)
  3. Click on the “Run compatibility troubleshooter” button
  4. Choose “Try recommended settings”.
  5. The wizard suggests Windows 8 compatibility.
  6. Click “Test Program”.  This will open the program.
  7. Close
  8. Some people may need to repeat the above steps for vpnagent.exe. That is the local service that supports the client user interface.

If you use group policies, Kim commented using the following for Windows 7 mode:

Make a GPO that added this key:

SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Valuename : C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe
Valuedata : ~ WIN7RTM

Update 2/11/2015 13:52 CST:

Cisco has notified me that they have escalated this issue to Microsoft for investigation.

This issue was introduced by KB# 3023607: Secure Channel cumulative update changes TLS protocol renegotiation and fallback behavior (https://support.microsoft.com/kb/3023607)

Included with Microsoft Security Bulletin MS15-009 – Critical Security Update for Internet Explorer (3034682)

This issue should also affect Windows 7 users with IE 11, but no reports of failure have been seen yet.

Update 2/12/2015 10:22 CST:

Cisco recommends that all customers open their own cases with Microsoft since the ultimate fix will need to come from them. You can feel free to reference Cisco’s case #115021112390273 in order to expedite having your ticket properly triaged by their support team. source

Our normal web server consists of an OS and Program File drive (C:) and a data drive to hold website files (E:). This provides an extra layer of security, speed and helpful structure. Sometimes we will also add another data drive (F:) for clients with really large storage needs. For example, all user-uploaded photos go onto a 2TB drive array.

So let’s say you have user upload photos dedicated to one drive. You may want to just place the data onto the root of the drive. Simple right?

Well here’s what you may run into: When migrating/copying that drive to a new drive/machine using Robocopy you’ll find a few issues: (robocopy \\OLD-SERVER\UserPhotos F:\Data\UserPhotos /e /copy:DT /MT:8)

  1. If you’re putting the data into a subfolder this time, that root subfolder will become a system-hidden folder. The reason is you are copying the root of a drive. Pretty annoying.
    1. You can fix this by running this after the copy starts: “attrib -H -S F:\Data”
  2. It will try to copy “System Volume Information” and “Recycle Bin”. But you’ll find out that your process will just get stuck because it doesn’t have permissions to do so.
    1. You can fix this by not copying any system or hidden files/folders:
      “robocopy \\OLD-SERVER\UserPhotos F:\Data\UserPhotos /e /copy:DT /MT:8 /xd $Recycle.bin "System Volume Information"” FYI: I tried using “/xa:HS” instead of the /xd, but that didn’t work as expected.
    2. If you’ve already gone 8 hours into your copy operation just to find this out, speed things up by syncing things instead using: “robocopy \\OLD-SERVER\UserPhotos F:\Data\UserPhotos /mir /copy:DT /MT:8 /xd $Recycle.bin "System Volume Information" /xo /fft”

So my point is, don’t put your data folder/file structure in the drive root. It’ll get mixed up with hidden-system files and folders and one day throw you for a loop. Instead put that all in a subfolder such as “F:\data”. Another example might be “E:\websites”.

Side-note: There are other copy methods to avoid this situation, however Robocopy is going to be one of your fastest options.

Update 1/20/2015: Fix is available in the refreshed Full installers. More information on this is available here at:

After some wicked process of elimination at CF Webtools I found out that I was unable to start/restart ColdFusion 11 after enabling J2EE Session Variables in the ColdFusion Administrator.

I went through almost all types of installs thinking it was an issue with the Amazon EC2 server it was on. Thinking this because we have CF11 servers running with J2EE enabled already.

The difference, and the issue it turns out, is the updated installer that includes update 3 for Windows x64. The original installer doesn’t seem to have this issue.

The underlying issue is whether or not Tomcat persistent sessions were turned on or off. This apparently keeps a session alive during a restart. ColdFusion apparently doesn’t like this if it’s on.

To turn off Tomcat persistent sessions (this seems a little backwards though):

  1. Open {cf instance}/runtime/conf/context.xml
  2. Uncomment <Manager pathname="" />
  3. Save file and close
  4. Start ColdFusion

This seems to have been an issue on ColdFusion 10 that somehow made its way back to 11.

Thanks to Derrick Anderson with BigTeams for finding this old issue at we3geeks.

I have opened bug ticket 3923565 with Adobe.

When tuning the IIS connector for Tomcat in ColdFusion 11, one of the resources said to look at is your “metrics.log” file.

This log is enabled in the ColdFusion Administrator and you can set the number of seconds for each entry.

What you want to see is something like this:

Max threads: 3000 Current thread count: 10 Current thread busy: 5 Max processing time: 420478 Request count: 1882 Error count: 0 Bytes received: 322099 Bytes sent: 55099992 Free memory: 18155664480 Total memory: 21045379072 Active Sessions: 1057

But what if you get this?

Max threads: null Current thread count: null Current thread busy: null Max processing time: null Request count: null Error count: null Bytes received: null Bytes sent: null Free memory: 19788897312 Total memory: 21045379072 Active Sessions: 142

A user notes this as a bug at https://bugbase.adobe.com/index.cfm?event=bug&id=3324126

“Asha K S” noted a fix and closed the bug as “Withdrawn – User Error”:

If you are using an external webserver like IIS or Apache – to enable metrics logging, you need to change the value of the “Connector Port” to AJP port. To know your AJP port, go to server.xml located at ColdFusion10\cfusion\runtime\conf and look for Connector element where protocol is “AJP/1.3” in the Debugging & Logging > Debug Output Settings page of ColdFusion Administrator

I worked this out with Wil Genovese to determine what this meant.

What we want to look for is the connector port for the “AJP/1.3” protocol in the file: {coldfusion install dir}/{instance dir}/runtime/conf/server.xml. For example “C:\ColdFusion11\cfusion\runtime\conf”.

The entry will look like this:

<Connector port="8012" protocol="AJP/1.3" redirectPort="8445" tomcatAuthentication="false" maxThreads="3000" connectionTimeout ="60000"/>

We want to take the connector port (8012 in this example) and put the value into the “Connector Port” input located under ColdFusion Administrator > Debugging & Logging > Debug Output Settings.


Note: You will see about the same issue when running CFSTAT. Most of the values will be at 0 until you update this connector port.
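
The lookup and the symptom described above, as an added example (not code from the original post or from Adobe): a Python sketch that pulls the AJP/1.3 connector port out of server.xml and reports which connector fields of a metrics.log entry are null. The Connector line and both log entries are copied from this post; the surrounding server.xml wrapper is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for runtime/conf/server.xml; only the Connector is from the post.
SERVER_XML = """<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8012" protocol="AJP/1.3" redirectPort="8445"
               tomcatAuthentication="false" maxThreads="3000" connectionTimeout="60000"/>
  </Service>
</Server>"""

# The two metrics.log entries quoted in the post.
GOOD = ("Max threads: 3000 Current thread count: 10 Current thread busy: 5 "
        "Max processing time: 420478 Request count: 1882 Error count: 0 "
        "Bytes received: 322099 Bytes sent: 55099992 Free memory: 18155664480 "
        "Total memory: 21045379072 Active Sessions: 1057")
BAD = ("Max threads: null Current thread count: null Current thread busy: null "
       "Max processing time: null Request count: null Error count: null "
       "Bytes received: null Bytes sent: null Free memory: 19788897312 "
       "Total memory: 21045379072 Active Sessions: 142")

# Fields that come from the connector (null when the wrong port is configured).
CONNECTOR_FIELDS = ["Max threads", "Current thread count", "Current thread busy",
                    "Max processing time", "Request count", "Error count",
                    "Bytes received", "Bytes sent"]
JVM_FIELDS = ["Free memory", "Total memory", "Active Sessions"]
FIELD_RE = re.compile(r"(%s): (\S+)" % "|".join(CONNECTOR_FIELDS + JVM_FIELDS))

def ajp_ports(server_xml):
    """Ports of every <Connector> whose protocol is AJP/1.3."""
    root = ET.fromstring(server_xml)
    return [int(c.get("port")) for c in root.iter("Connector")
            if c.get("protocol") == "AJP/1.3"]

def parse_entry(line):
    """Split one metrics.log entry into {field: int or None}."""
    return {k: None if v == "null" else int(v) for k, v in FIELD_RE.findall(line)}

def missing_connector_fields(line):
    """Connector fields that are null or absent in this entry."""
    entry = parse_entry(line)
    return [f for f in CONNECTOR_FIELDS if entry.get(f) is None]

if __name__ == "__main__":
    print("AJP port(s) to enter as Connector Port:", ajp_ports(SERVER_XML))
    print("null connector fields:", missing_connector_fields(BAD))
```
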

This is my first attempt at IIS connector tuning for ColdFusion 11 (and 10). Most of my career has been spent developing ColdFusion code, and I am now focusing more on server-related activities. Plus CF 10 and 11 were slow to be implemented by our customers.

It seems that most information out there for connector tuning is based around one sole blog post: http://blogs.coldfusion.com/post.cfm/coldfusion-11-iis-connector-tuning (and CF 10’s version).

My post focuses on a three instance approach, using ColdFusion 11 Enterprise, with individual site connectors (as opposed to “all IIS sites”).

The basic concept as I understand it is to set the connection_pool_size to 500 and monitor the site. Add up this number in each site, using the same instance, and use that value for maxThreads for the AJP connector setting. Then gradually increase that value by 100 under load testing conditions until stable. Then give that number some wiggle room for future growth. After that number is set, then set the max_reuse_connections and connection_pool_timeout.

So let’s say, as an example, that I use the “All IIS Sites” option for my connector instead of individual connectors. If I use the recommended connection_pool_size of 500 for each site, I’d use 3000. Then based upon the equation of connection_pool_size / # of sites, I’d set “max_reuse_connections = 500”. Example:


<Connector port="8013" protocol="AJP/1.3" redirectPort="8446" tomcatAuthentication="false" maxThreads="3000" connectionTimeout ="60000"/>

Now, when I looked up the workers.properties specs for Tomcat I found that max_reuse_connections is not a standard property. I’m assuming this is one of the customizations made by Adobe. Based upon how the value of this property is divided by the number of sites, I gather that this property is per site. Therefore, in conclusion, I have up to 500 connections to reuse for each site in my total pool of 3000.

Now, let’s say we’re using individual connectors. Each of the six workers.properties would look like this based upon Adobe’s blog:


<Connector port="8013" protocol="AJP/1.3" redirectPort="8446" tomcatAuthentication="false" maxThreads="3000" connectionTimeout ="60000"/>

So, as per Adobe’s blog, connection_pool_size / # of sites rounds down to 83, instead of 500. 6 sites X 500 connection_pool_size = 3000, which is reflected in the instance’s server.xml file.

In the end, the instance still allows for 3,000 connections; 500 coming from each site.

Question: Why am I using the same calculation for max_reuse_connections when combining all sites or connecting them individually? Shouldn’t I be able to use up to the value of each connection_pool_size for each connector? If max_reuse_connections is for each site, shouldn’t that number be the same no matter individual or “All IIS” connector types?

For example:


<Connector port="8013" protocol="AJP/1.3" redirectPort="8446" tomcatAuthentication="false" maxThreads="3000" connectionTimeout ="60000"/>

Today’s challenge at CF Webtools for myself was to find and replace any “_” (underscore) characters in a URL .htm file name and replace it with “-” (dash). The list I was given had file names with up to 7 underscores in any position. Example: my_file_name.htm

While I figured this would be a straight-forward task with IIS URL Rewrite, I was wrong.

In the end I found that I either had to create one rule for each possible underscore count or write a custom rewrite rule. I went the one rule per count route. I read in one blog you can only use up to 9 variables ({R:x}).

The other part of the rule was they had to be only in the “/articles/” directory.

My first challenge was just to get the right regular expression in place. What I found out was that the IIS (7.5) UI’s “Test Pattern” utility doesn’t accurately test. In the test this worked:

Input: http://www.test.com/articles/my_test.htm
Pattern: ^.*\/articles\/(.*)_(.*).htm$
Capture Groups: {R:1} : "my", {R:2} : "test"

However, this does not match in real-world testing. #1, don’t escape “/” (forward-slash) (really??). #2 the pattern is only matched against everything after the domain and first slash (http://www.test.com/).

So really, only this works:

Input: http://www.test.com/articles/my_test.htm
Pattern: ^articles/(.*)_(.*).htm$
Capture Groups: {R:1} : "my", {R:2} : "test"

In order to match against up to 8 underscores, you need 8 rules, each one looking for more underscores. So the next one would be:

Input: http://www.test.com/articles/my_test_file.htm
Pattern: ^articles/(.*)_(.*)_(.*).htm$
Capture Groups: {R:1} : "my", {R:2} : "test", {R:3} : "file"

To do this efficiently you just edit the web.config in the web root for that site. The end result ended up being:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="AUSx1" stopProcessing="true">
                    <match url="^articles/(.*)_(.*).htm$" />
                    <action type="Redirect" url="articles/{R:1}-{R:2}.htm" />
                </rule>
                <rule name="AUSx2" stopProcessing="true">
                    <match url="^articles/(.*)_(.*)_(.*).htm$" />
                    <action type="Redirect" url="articles/{R:1}-{R:2}-{R:3}.htm" />
                </rule>
                <rule name="AUSx3" stopProcessing="true">
                    <match url="^articles/(.*)_(.*)_(.*)_(.*).htm$" />
                    <action type="Redirect" url="articles/{R:1}-{R:2}-{R:3}-{R:4}.htm" />
                </rule>
                <rule name="AUSx4" stopProcessing="true">
                    <match url="^articles/(.*)_(.*)_(.*)_(.*)_(.*).htm$" />
                    <action type="Redirect" url="articles/{R:1}-{R:2}-{R:3}-{R:4}-{R:5}.htm" />
                </rule>
                <rule name="AUSx5" stopProcessing="true">
                    <match url="^articles/(.*)_(.*)_(.*)_(.*)_(.*)_(.*).htm$" />
                    <action type="Redirect" url="articles/{R:1}-{R:2}-{R:3}-{R:4}-{R:5}-{R:6}.htm" />
                </rule>
                <rule name="AUSx6" stopProcessing="true">
                    <match url="^articles/(.*)_(.*)_(.*)_(.*)_(.*)_(.*)_(.*).htm$" />
                    <action type="Redirect" url="articles/{R:1}-{R:2}-{R:3}-{R:4}-{R:5}-{R:6}-{R:7}.htm" />
                </rule>
                <rule name="AUSx7" stopProcessing="true">
                    <match url="^articles/(.*)_(.*)_(.*)_(.*)_(.*)_(.*)_(.*)_(.*).htm$" />
                    <action type="Redirect" url="articles/{R:1}-{R:2}-{R:3}-{R:4}-{R:5}-{R:6}-{R:7}-{R:8}.htm" />
                </rule>
                <rule name="AUSx8" stopProcessing="true">
                    <match url="^articles/(.*)_(.*)_(.*)_(.*)_(.*)_(.*)_(.*)_(.*)_(.*).htm$" />
                    <action type="Redirect" url="articles/{R:1}-{R:2}-{R:3}-{R:4}-{R:5}-{R:6}-{R:7}-{R:8}-{R:9}.htm" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>
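
How these rules behave when evaluated top to bottom, as an added example (not code from the original post): a Python simulation of first-match-wins rule evaluation with greedy `(.*)` groups, which counts the redirects a request goes through. It assumes URL Rewrite's in-order evaluation and default case-insensitive matching; the sample path and the reversed ordering are constructed for comparison.

```python
import re

def build_rules(max_underscores=8):
    """Rebuild the post's AUSx1..AUSx8 rules as (name, regex, redirect template)."""
    rules = []
    for n in range(1, max_underscores + 1):
        pattern = "^articles/" + "_".join(["(.*)"] * (n + 1)) + ".htm$"
        template = "articles/" + "-".join("{R:%d}" % i for i in range(1, n + 2)) + ".htm"
        # ignoreCase defaults to true on <match>, hence IGNORECASE here.
        rules.append(("AUSx%d" % n, re.compile(pattern, re.IGNORECASE), template))
    return rules

def first_match(rules, path):
    """Return (rule name, redirect target) for the first rule that matches, else None."""
    for name, regex, template in rules:
        m = regex.match(path)
        if m:
            # Expand {R:n} back-references the way the Redirect action does.
            target = re.sub(r"\{R:(\d+)\}", lambda ref: m.group(int(ref.group(1))), template)
            return name, target
    return None

def redirect_chain(rules, path, limit=20):
    """Follow redirects as a browser would; each hop is one extra round trip."""
    hops = []
    while len(hops) < limit:
        hit = first_match(rules, path)
        if hit is None:
            break
        hops.append(hit)
        path = hit[1]
    return hops

PAGE_ORDER = build_rules()                        # AUSx1 first, as in the web.config
MOST_SPECIFIC_FIRST = list(reversed(PAGE_ORDER))  # AUSx8 first (assumed alternative)

if __name__ == "__main__":
    url = "articles/my_test_file.htm"             # constructed sample path
    for label, rules in (("page order", PAGE_ORDER), ("reversed", MOST_SPECIFIC_FIRST)):
        print(label, redirect_chain(rules, url))
```

In page order the greedy first group lets AUSx1 match every file name that has at least one underscore, so a name with N underscores is fixed through N consecutive redirects; with the most specific rule first it is fixed in one.
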

In the end this URL:




After a Windows Update the lovely “Blue Screen of Death” appeared on one of our servers. Frantic to find a solution, “Boot to the last known working configuration” wasn’t working. A system restore was a last resort option.

Here’s what the error consisted of:

STOP: c0000218 {Registry File Failure}
The registry cannot load the hive (file):
or its log or alternate.
It is corrupt, absent, or not writable.

To resolve the issue I:

  1. Boot to the Windows 2008 Server Install DVD
  2. Click “Repair Computer” on the second screen
  3. Open a command prompt on the second or third prompt
  4. Change directory to C:\Windows\System32\Config\
  5. Rename “SOFTWARE” to “SOFTWARE.BAK”
  6. Copy “RegBack\SOFTWARE” to that directory
  7. Reboot

This restored the SOFTWARE registry to its previous state before the Windows Update. I then had a pending list of Windows Updates to install again. But I’ll leave that for another day for now to see if anyone else is having issues.