Cisco AnyConnect “Failed to initialize connection subsystem”

Posted: February 11, 2015 in Uncategorized
Update 3/11/2015 11:31 CST:

Microsoft has included the fix for AnyConnect and Windows 8.1 in the 3/10/2015 Windows Update. See KB #3040335

Update 2/16/2015 16:11 CST:

Per Cisco: Microsoft has released a fix-it patch providing a workaround for this issue. See KB# 3023607

When you visit the KB page, it appears you have to scroll down to the “Microsoft Fix It” button and install the AppCompat shim which is Microsoft Fix it 51033. This is a bit confusing, so be sure to click that button.

Microsoft is planning to include the fix with the Microsoft March Patch Tuesday release (subject to change)


I run Windows 8.1 and run Cisco AnyConnect Secure Mobility Client version 3.1.03103 to access a VPN.

Today, after I hit connect, it stopped working out of the blue with the error:

Failed to initialize connection subsystem

Thanks to ‘I Think – Therefore “IBM I”‘ blog I was able to quickly resolve the issue. I’m assuming this had to do with a recent Windows Update. Here’s the final solution:

  1. Close the Cisco AnyConnect Window and the taskbar mini-icon
  2. Right click vpnui.exe in the “Cisco AnyConnect Secure Mobility Client” folder. (I have it in “C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\”
  3. Click on the “Run compatibility troubleshooter” button
  4. Choose “Try recommended settings”.
  5. The wizard suggests Windows 8 compatibility.
  6. Click “Test Program”.  This will open the program.
  7. Close
  8. Some people may need to repeat the above steps for vpnagent.exe. That is the local service that supports the client user interface.

If you use group policies, Kim commented using the following for Windows 7 mode:

Make a GPO that added this key:

HKEY_LOCAL_MACHINE
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Valuename : C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe
Valuedata : ~ WIN7RTM
Update 2/11/2015 13:52 CST:

Cisco has notified me that they have escalated this issue to Microsoft for investigation.

This issue was introduced by KB# 3023607: Secure Channel cumulative update changes TLS protocol renegotiation and fallback behavior (https://support.microsoft.com/kb/3023607)

Included with Microsoft Security Bulletin MS15-009 – Critical Security Update for Internet Explorer (3034682)

This issue should also affect Windows 7 user with IE 11, but no reports of failure have been seen yet.

Update 2/12/2015 10:22 CST:

Cisco recommends that all customers open their own cases with Microsoft since the ultimate fix will need to come from them. You can feel free to reference Cisco’s case #115021112390273 in order to expedite having your ticket properly triaged by their support team. source

Advertisements
Comments
  1. Levan says:

    Thanks a lot. Run into this issue after yesterday’s Windows 8.1 updates. Your solution worked flawlessly!

    NOTE to others (just in case):
    on step 3 click on the “Run compatibility troubleshooter” button…

  2. tyy says:

    Yes, this was due to latest WIndows 8.1 update. I just verified with an other computer that this was the case.

    Thanks for the solution!

  3. James says:

    Thank you SO much! Was freaking out about this as I tried to log in the company’s VPN this morning after a big Windows update. You saved me a lot of wasted time. Much appreciated! -James

  4. evan nguyen says:

    Chris T. – thanks for this information. it worked for me with Windows 8.1.

  5. KCS says:

    You are a genius! Thank you so much for being so smart and sharing this information.

  6. veraperezp says:

    This issue just hit me right after I did the 8.1 updates, thank you so much!

  7. Trevor says:

    Chris – do you know which KB is the problem one?

  8. George N says:

    I have over 200 users this will potentially affect. Does anyone know of a way to push this fix to a group? I didn’t see anything via Group Policy.

  9. Burley says:

    Hi Chris, Thanks for the post. The only way I was able to get my system to work (Windows 8.1 Pro) (cisco anyconnect 3.1.05170) was to uninstall update 3023607. That worked thankfully.

  10. Shannon says:

    Didn’t work for me! Help!!

  11. MRK says:

    Tried this fix multiple times but it didn’t work. Any other ideas?

  12. MRK says:

    I’m in a Chat with tech support for site I’m trying to connect to and the gentleman is telling me I need to run REGEDIT. I don’t know what this is. Is that a good idea?

  13. Chris, thanks for the info. Unfortunately your fix didn’t work for me, however your note about the 3023607 update did help, I uninstalled that and turned off automatic updates and the problem is solved, at least temporarily. Thanks much!

  14. guilintracy says:

    Thanks! I met this problem since I updated the win 8 last night (Feb 11). Your post is just in time!

  15. Mads says:

    Uninstalled KB3023607 and now it’s working again – Thanks alot!

    • Lihlu_mile says:

      Hi, after uninstalling all the updates from from the 11th it worked. Not sure which one but hey, at least that works..

      • Chris says:

        Glad it got working for you. You can not the KB# in the article which corresponds to the Windows Update. The vast majority of Windows Updates are a good thing to install.

  16. Kim says:

    Did any of you find a central solution?
    The Windows7 compatibility mode works, but how do we change this on hundreds of users computers?
    I tried to uninstall the update KB3023607
    Also tried to add the reg-key current_user\software\microsoft\windows\currentversion\Internet Settings…. GlobalUserOffline=1
    None of these 2 works…… Nice if any of you found a regkey, that was possibly to add/change in GPO…

    • Chris says:

      Kim – did you restart after adding the reg key?

      • Kim says:

        I found a quick solution. I made a GPO that added this key:
        Create:
        HKEY_LOCAL_MACHINE
        SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
        Valuename : C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe
        Valuedata : ~ WIN7RTM

        Now the cisco client runs in Win7-mode. It works.

  17. Parameswari says:

    issue is not fixed. when i cick “test program” its opening Cisco AnyConnect Secure Mobility Client.clickng on connect same issue occuring “Failed to Initialize connection subsystem”.can you please suggest me.

  18. Jiri says:

    Unfortunately in my 3.0.07059 there is no Windows 8.0 compatibility at all…

    • Abhijeet says:

      Right click on the vpnui.exe and select Properties->Compatibility. Select “Run this program for compatibility mode for: Windows 8”. Also, do the same for vpnagent.exe.

  19. Liam says:

    Thanks Chris. I’ve been removing KB3023607 on 8.1 machines once I identified it as the culprit. All our W7 32-bit machines are fine so far, regardless of IE9, 10 or 11.
    Any feedback yet from Cisco/Microsoft? I like to have everyone patched, but may also have to plan for tweaking AnyConnect on lots of 8.1 machines.

  20. Kimberly Palocsay says:

    Thank you. The tech support at Job #1 used the solution of uninstalling windows updates and then hiding the updates. Seems like a bandaid to me. Job #2 as Tech support agent requires windows auto update to be on, so the bandaid fell off. Your solution solved the problem and eiliminated the need for bandaids!

  21. Adam says:

    Same issue here after Win 8.1 update 10 Feb, resolved as above. Thanks a lot for posting the resolution, Chris.

  22. Robbert says:

    Thanks Chris.
    Great help for me and me colleague.
    Also in the Netherlands…

  23. Still having this problem even after testing the program. Any other way around it?

    • Kimberly Palocsay says:

      Make sure you have closed the program completely. Even right click the icon in the notification area and exit. We are finding that many skip that step, causingthe fix not to work.

      • Frogeye says:

        I used the trouble shooter to set both vpnui.exe and vpagent to recommened settings for windows 8, but it wasn’t working. After I right-clicked on the icon in the notification area and quit the program it started working again. Thanks Chris & Kimberly!

  24. veraperezp says:

    Chris, at least for my 8.1 the compatibility check was enough, I had no need to either block the kb patch or make a registry edit. About 18 straight hours running smoothly plus we’ll know what to do as the rest of our laptops pick up the update, thanks again for this.

    • Christian says:

      Additionally I had to stop the service called”Cisco AnyConnect Secure Mobility Agent” in step 1 and start again before testing in step 6. Only that way it worked for me.

  25. Jaja says:

    thank you work fine for me. Be sure to have “Quit” the program before applying the setting proposed by the Trouble shooter wizard.

  26. jiff says:

    it worked!!! thanks a lot, before searching, i tried to reinstall, system restore, but nothing worked.

  27. Codepenguin says:

    The fastest solution for me was to right click vpnui.exe, click the Compatibilty Tab and Run in Compatiblity for Windows 7.

    I can also confirm that it broke after applying Windows 8.1 updates this morning.

  28. afiat says:

    I changed vpnui into window 7 compatibility, and it works. First of all, close from vpn anyconnect, then go to vpnui in windows explorer, just right click on vpnui –> click properties –> click “compatibility” –> change run compatibility from windows 8 to windows 7 –> apply–> OK

  29. Jeff B says:

    Before this, I attempted to Repair and Reinstall using the Cisco installer and neither worked, FYI. The Compatibility check got it done for me on Win 8.1 PRO, with Cisco Anyconnect 3.0.07059

    • Darius says:

      Windows 8.1 x64 Enterprise and AnyConnect 4.0

      We ended up using a cmd file to merge reg key (contents of both below).

      @ECHO OFF

      REM This will Stop VPNAGENT
      net stop “Cisco AnyConnect Secure Mobility Agent”

      REM Insert Registry Keys
      regedit.exe /s “.\WIN8FixVPN_21215.reg”

      REM This will start VPNAGENT again
      net start “Cisco AnyConnect Secure Mobility Agent”

      Windows Registry Editor Version 5.00

      [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
      “C:\\Program Files (x86)\\Cisco\\Cisco AnyConnect Secure Mobility Client\\vpnui.exe”=”~ WIN7RTM”
      “C:\\Program Files (x86)\\Cisco\\Cisco AnyConnect Secure Mobility Client\\vpnagent.exe”=”~ WIN7RTM”

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
      “C:\\Program Files (x86)\\Cisco\\Cisco AnyConnect Secure Mobility Client\\vpnui.exe”=”~ WIN7RTM”
      “C:\\Program Files (x86)\\Cisco\\Cisco AnyConnect Secure Mobility Client\\vpnagent.exe”=”~ WIN7RTM”

      Thank you all

      Darius

  30. SlyckVic says:

    This should work in a .reg file:
    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]

    “C:\\Program Files (x86)\\Cisco\\Cisco AnyConnect Secure Mobility Client\\vpnui.exe”=”~ WIN8RTM”

  31. Govind says:

    Uninstall that update KB3023607 will also solve the problem

  32. jttrs says:

    I rarely comment on the internet, but your post just saved me a lot of trouble. Thanks!

  33. Catherine says:

    The only thing that worked for me was uninstalling the update KB3023607.

  34. S says:

    Uninstalling the Windows update worked! Thanks internet for saving me!

  35. stevenhb13 says:

    So I uninstalled the update, changed compatibility mode to Windows 8 (and tried 7 using the reg keys suggested by Darius), added the GlobalUserOffline as a string with value 1, and rebooted (a few times) with no luck. Any other suggestions?

    I’m running Windows 8.1 Pro and Cisco AnyConnect Secure Mobility Client 3.1.04072

  36. MW says:

    I have windows 8.1 running with the KB3023607 update installed and have AnyConnect 4.0.00061 running without compatibility mode. I did not find the reason why that patch would break AnyConnect and enabling Windows 8 Compatibility Mode would fix that.
    What I saw was that in the background access to the rasphone was blocked by McAfee Access Protection:
    Blocked by Access Protection rule C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe C:\Users\***\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk Anti-virus Maximum Protection:Protect phonebook files from password and email address stealers Action blocked : Read

    I disabled the on demand dialing via netsh:

    First look at the current default settings:

    C:\Windows\system32>netsh ras show type

    Routing and Remote Access Server Properties
    ——————————————–
    IPv4 Router : LAN and demand-dial routing
    IPv6 Router : Not Enabled
    IPv4 Remote Access Server : Enabled
    IPv6 Remote Access Server : Not Enabled

    To disable demand-dial routing:
    netsh ras set type ipv4rtrtype = lanonly ipv6rtrtype = none rastype = none

    That fixed the rasphone “dialing” and McAfee wouldn’t complain anymore.

    But I still had a few occassions where the AnyConnect wouldn’t start, disabling autotuning seemed to fix that for me:

    netsh interface tcp set global autotuninglevel=disabled
    netsh interface tcp set global rss=disabled
    netsh int tcp set global chimney=disabled

    No issues after running those netsh commands, only when waking up the computer from sleep and trying to connect too fast will give the same error. Wait a couple of seconds and the connection succeeds.

    What exactly is compatibility mode doing to fix this issue?

  37. well done. thank you for this. I did have to do the same on the vpnagent file as well… worked

  38. Jessica says:

    I tried your solution but didn’t work for me. Then I installed the following two optional updates, fixed the issue.

    Update for Windows 8.1 for x64-based Systems (KB3013816)
    Update for Windows 8.1 for x64-based Systems (KB3013769)

  39. Vinny says:

    You can also work around this on the firewall side as not to inconvenience users. I’ve only had issues where SSLv3 was still enabled. I normally disable this on all my firewalls as it’s no longer secure. Configure your ASA to use TLS only:

    ssl server-version tlsv1-only

    Additionally, although I don’t think it’s required to fix this, I order the TLS ciphers as follows:

    ssl encryption dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1

    Hope this helps others.

  40. sy says:

    very helpful. Thank you. I had to do the troubleshoot with vpnui.exe and vpnagent.exe

  41. glonner22 says:

    This worked for me, thanks! I have an HP EliteBook Folio 9470m with Windows 8.1. Had to do the steps for both vpnui.exe and vpnagent.exe too.

  42. glonner22 says:

    Worked for me, thanks! I have Windows 8.1 and I had to do both steps for vpnui.exe and vpnagent.exe

  43. Gebru says:

    I cannot find ”Run compatibility troubleshooter” after I right click vpnui.exe. Can you help me please to fix the problem. I am using windows 8.1.

  44. Maddy says:

    if you don’t quit the cisco anytime connect from system tray before making the change it won’t work. Quit the program and make the change.

  45. mastermindss says:

    Thanks. It worked with vpnui, though the compatibility mode suggested was Windows 7.

  46. Chris says:

    I have included an update in my blog article for a fix from Microsoft.

  47. I used PureVPN connection and its work fine for me. Here is their services guide: http://www.purevpn.com/vpn-service/vpn-connection.php

  48. Gerry says:

    Hi Chris
    Thanks a lot, it worked for me (on win8.1 & Server2012R2). 🙂

  49. CM says:

    Thank you! It worked however had to go through different tabs to find vpnui but eventually got there and proceeded to troubleshoot/fix the problem. I will stress that each time someone proceeds with “next”, you have to “Close the Cisco AnyConnect Window and the taskbar mini-icon” in order to “test”.

  50. Mohit says:

    Thanks, Worked for me on Window 8.1

  51. The fix-it patch doesn’t work but the compatibility troubleshoot seems to have fixed the problem.

  52. Ken T. says:

    Thanks for the fix. It worked for me on Windows 8.1 PRO and Cisco AnyConnect Secure Mobility Client Version 3.1.05182

  53. Joanne Pamer says:

    Thank you so much! I downloaded the Fix It patch and it worked for me on Windows 8.1.

  54. Jessica Hudson says:

    This thread saved my life! I have been trying to access my colleges online library all week through my VPN to no avail. Hopefully I can finish my paper on time! Thank you so much.

  55. Luiz Carlos Wormsbecker says:

    I had this problem with Windows 8. After executing steps 1 thru 5, step 6 did not work. I think it was because the software was not stoped correcttly before execution of the steps…

    I decided to RESTART my computer, and Cisco AnyConnect began to work again…

    Best Regars

  56. Sharon says:

    I still cannot get mine to work, I can get into the folder, but there isn’t a “Run compatibility troubleshooter” button 😦

  57. Natalija says:

    Thank you so much for this fix. I’ve been trying to fix this for a whole week, ever since I made the update that was ‘important’ and ‘recommended’. I went as far as restoring my PC to a previous point in time. It work for a couple of days until I got to the same update again. And PC crashed again of course. Oddly enough it still works fine on desktop PC which has win7.

  58. dave says:

    I let the compatibility wizard set it to Win 8.0 and it works a treat thanks!

  59. MH says:

    Thank you; the microsoft patch worked on Windows 8.1. Note that the vpnui.exe didn’t contain the“Run compatibility troubleshooter” button you suggested using…I’m not sure if that’s just because my sys admin disabled that button or some other reason. Could you please provide a screenshot showing where that button should be located??

  60. Diana says:

    Thanks, your solution worked for me. Had to run Compatibility troubleshooter and set it to run as Windows 8 on my Windows 8.1 laptop.

  61. Eddie says:

    The fix with the heading: “Update 2/16/2015 16:11 CST:” Worked like a charm for me on a Windows 8 tablet–it did require a reboot. I had tried other fixes I had found, but only this one worked–that is the KB# 3023607. Thanks so much for posting this fix! It was a life saver for me.

  62. Michael says:

    thank you! worked, i do have to repeat it though .. could it be country related? (i moved for few months, did not occure before i moved)

  63. Jason says:

    Thank you so much! The Microsoft Fix-It patch did the trick.

  64. LCC says:

    1-7 worked for me. Thanks.

  65. Amanda Giles says:

    The Microsoft fix also worked for me. Thanks for the quick working solution. I’m very grateful.

  66. pureabsolute says:

    Thank you — the first link I clicked on, and it was a beautiful thing. One thing to keep in mind — for me, after trying and failing with the above error, the program still seemed to be running in the background — so it didn’t seem to work for me at first. But after I killed the process using task manager and ran it again, there was no problem. Again — THANK YOU!

  67. Leszek says:

    Hi, thank a lot. For me 1-7 steps solved my issue. 🙂

  68. Aerowisp says:

    Thank you. Compatibility solution above works

  69. Thank YOU! Now I will see if I can glue some of my hair back in place.

  70. Jorge Catalá says:

    Thanks for the info. The “Microsoft Fix it 51033 pacth” worked for me on windows 8.1!!!. 😉

  71. Jonathan Monestel says:

    Thank you very much. Windows 8.1 updates made the VPN to fail.

  72. Noam Topaz says:

    This Worked for me too (Thank you very much!) – make sure to reboot after the installation

  73. JohnM says:

    Has this issue reappeared after a Windows Update released on 3/10/2015 for anyone else?

  74. Naveed ALi says:

    try this… it works 100%.
    you dont need to do setting every time after restarting.

    http://www.auburn.edu/oit/news/article.php?id=383

  75. Marvin says:

    Since “Run compatibility troubleshooter” did not work for me (no program started, even if tried from Total Commander run as administrator) on my Win 81. 64 bit machine, I removed the update manually and the error message is gone. However, now I’m getting a

    Connection attempt has timed out. Please verify Internet connectivity.

    despite being able to open any websites in Firefox. Any suggestions? Thanks!

    • Chris says:

      Look at using the Microsoft patch included in the update at the top of this post.

      • Marvin says:

        After I’ve done this Windows Update mentioned new updates which I also installed. History says, latest updates are

        KB2919355
        KB3021952

        now I’m getting “login failed”, despite the password being 100% ok.

      • Marvin says:

        It’s a server problem, as I’ve just found out. Login should be possible soon. Impeccable timing like always with these guys.

        And thanks for posting the fix, Chris.

  76. Doug says:

    About two weeks after I applied the FixIt patch, I started receiving BSOD shortly after establishing a connection. I just uninstalled “vpnui.exe custom database” from my Add/Remove Programs and now the BSOD has gone away. I am assuming that this was the FixIt patch I installed earlier so try that if you start having issues.

  77. bost says:

    Thank you. Worked for me on win8.1

  78. Syed Shah says:

    Your blog and tips have been life saver. I usually don’t leave comments, but this time I am forced to leave as I have consulted your blog for the VPN couple of times.

  79. Jafar says:

    I had the similar problems after update of AnyConnect into version 4.2.00096
    It failed to work after a first ping into remote host, or it worked only with one host, even after a minute it stopped to work completely, although I remained connected.
    After a long testing I found the solution. I made one change into Network Adapter Settings.
    Here is my solution:
    http://jsoft.ws/index.php?key=Other%20ArticlesCisco%20AnyConnect%20in%20Windows%208

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s