Cisco AnyConnect “Failed to initialize connection subsystem”

Update 3/11/2015 11:31 CST:

Microsoft has included the fix for AnyConnect and Windows 8.1 in the 3/10/2015 Windows Update. See KB #3040335

Update 2/16/2015 16:11 CST:

Per Cisco: Microsoft has released a fix-it patch providing a workaround for this issue. See KB# 3023607

When you visit the KB page, it appears you have to scroll down to the “Microsoft Fix It” button and install the AppCompat shim which is Microsoft Fix it 51033. This is a bit confusing, so be sure to click that button.

Microsoft is planning to include the fix with the Microsoft March Patch Tuesday release (subject to change)


I run Windows 8.1 and run Cisco AnyConnect Secure Mobility Client version 3.1.03103 to access a VPN.

Today, after I hit connect, it stopped working out of the blue with the error:

Failed to initialize connection subsystem

Thanks to ‘I Think – Therefore “IBM I”‘ blog I was able to quickly resolve the issue. I’m assuming this had to do with a recent Windows Update. Here’s the final solution:

  1. Close the Cisco AnyConnect Window and the taskbar mini-icon
  2. Right click vpnui.exe in the “Cisco AnyConnect Secure Mobility Client” folder. (I have it in “C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\”
  3. Click on the “Run compatibility troubleshooter” button
  4. Choose “Try recommended settings”.
  5. The wizard suggests Windows 8 compatibility.
  6. Click “Test Program”.  This will open the program.
  7. Close
  8. Some people may need to repeat the above steps for vpnagent.exe. That is the local service that supports the client user interface.

If you use group policies, Kim commented using the following for Windows 7 mode:

Make a GPO that added this key:

HKEY_LOCAL_MACHINE
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Valuename : C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe
Valuedata : ~ WIN7RTM
Update 2/11/2015 13:52 CST:

Cisco has notified me that they have escalated this issue to Microsoft for investigation.

This issue was introduced by KB# 3023607: Secure Channel cumulative update changes TLS protocol renegotiation and fallback behavior (https://support.microsoft.com/kb/3023607)

Included with Microsoft Security Bulletin MS15-009 – Critical Security Update for Internet Explorer (3034682)

This issue should also affect Windows 7 user with IE 11, but no reports of failure have been seen yet.

Update 2/12/2015 10:22 CST:

Cisco recommends that all customers open their own cases with Microsoft since the ultimate fix will need to come from them. You can feel free to reference Cisco’s case #115021112390273 in order to expedite having your ticket properly triaged by their support team. source

Advertisements