I recently needed to be able to use the Cisco VPN Client (I’m specifically referring to version: 5.0.07.0410 on 32bit Windows and version: 5.0.07.0440 on 64bit Windows, although this fix would apply to earlier versions as well) on my Windows 8.1 (32bit Windows) tablet (Acer Iconia), but was not able to connect to my remote VPN endpoint. I kept getting this error: Reason 440: Driver Failure. I searched this error in Google and tried all sorts of fixes and patches and things from articles everywhere. No matter what I tried (for hours on end), the error message was always the same. Eventually, I just gave up.

Today, I decided to have one more look at the issue. I realized I hadn’t looked somewhere quite obvious: the Windows Event Viewer. Sure enough, under Windows Logs –> System, I found the following error message:

The Cisco Systems Inc. IPSec Driver service failed to start due to the following error: 
Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

So, to put it simply, Windows Driver Signature Enforcement (DSE) was at fault. Not the software VPN Client, not DNE, not the drivers, not Windows Update, and not having other VPN clients installed. It was simply DSE.

I tried disabling DSE (and that might be all you have to do), but it turned out I had to go one step further, because I couldn’t disable DSE.

Why?

Well, my tablet has something called ‘Secure Boot’ enabled. When I tried disabling DSE, I received a message telling me it wasn’t possible to disable it because I have Secure Boot enabled. So I did a quick search on how to Disable Secure Boot. I’d gone looking for the setting previously, but couldn’t find it because I had to set a user / system password in the BIOS first. After I set a password, voila! The Secure Boot setting appeared! After disabling Secure Boot, I started Windows 8.1 and was immediately able to use the Cisco VPN Client to connect to my remote VPN endpoint. I didn’t even need to re-install it.

Note: I’m not discrediting all the other articles on the internet and all their workarounds and fixes. They just simply didn’t work for me. If your system doesn’t have Secure Boot, then this fix won’t work for you. You’ll either need to disable DSE or find another solution.

The thing that caught me up was that I have another PC with Windows 8.1 on it, and all I had to do was install the Cisco VPN client and connect. It just worked straight out of the box. No fixes required. The only difference (other than it being a PC) was that it doesn’t have Secure Boot (older BIOS).

I recently ran into a situation with a new Cisco ASA 5512-X IPS where I needed to fully reset it back to its factory default settings (ok, I entered a password incorrectly, twice. Thankfully it wasn’t in production yet). After some searching and reading, I came up with the following (get out of jail) process.

Note 1: I’m not a Cisco expert or engineer of any sort, so please proceed with absolute care. You can’t really destroy anything with this process, but misuse of this guide could cause undesired results.

Note 2: I’m not a Cisco expert or engineer of any sort, however, I don’t see any reason why the following guide couldn’t be used at the very least, on any 5500 series Cisco ASA device. It may even apply to more devices than I am aware of. Again, please proceed with absolute care if you are using this guide on anything that is not a Cisco ASA 5512-X IPS.

Note 3: If you just want to reset the configuration and you haven’t lost access to the device, follow steps 1 and 2, and then skip down to the bottom.

Step 1.

Connect to the Cisco ASA 5512-X IPS with the serial over ethernet cable. This is otherwise known as the console cable. In most cases, it’s long, thin and light blue in colour. Connect the RJ45 end to the console port of the Cisco ASA 5512-X IPS and the other end to a computer or laptop with a serial port. You can’t just use a network cable. It won’t work.

Step 2.

Use PuTTY (download here) to connect to the Cisco ASA 5512-X IPS console. Change the Connection Type to Serial. In most cases, the Serial Line value will be COM1 with a Speed (aka baud rate) of 9600. Click the [Open] button to connect. If you have other devices connected via serial, you may need to substitute COM1 for COM2, or COM3, or COM4, etc. You’ll know when you’ve struck gold, because you’ll be able to see the Cisco ASA 5512-X IPS prompt.

(If you’re just factory resetting the configuration, skip to “Factory Reset the Configuration Only” at the bottom.)

Step 3.

Immediately restart the Cisco ASA 5512-X IPS. You can either use the # reload command (after using # enable first; if you’re locked out this won’t be possible) or physically switch the Cisco ASA 5512-X IPS off, and then on again (handy if you’re locked out).

Step 4.

Pay attention! When you see the Booting from ROMMON prompt in the console window (there’ll be a 10 second count down timer), press the ESC key to interrupt. You’ll be quickly dropped to a rommon #1> prompt.

Step 5.

Enter the command: confreg. You’ll see a value that follows the text: Current Configuration Register: 0x00000001. Note yours down. This specific value (0x00000001) tells the Cisco ASA 5512-X IPS to boot normally, reading the previously saved configuration into memory.

Step 6.

You’ll be prompted to change the configuration now. Type a Y.

Step 7.

Answer the prompts as follows:

enable boot to ROMMON prompt? y/n [n]: n
enable TFTP netboot? y/n [n]: n
enable Flash boot? y/n [n]: y
select specific Flash image index? y/n [n]: n
disable system configuration? y/n [n]: y (this is the value that's most important to us at this step)
go to ROMMON prompt if netboot fails? y/n [n]: n
enable passing NVRAM file specs in auto-boot mode? y/n [n]: n
disable display of BREAK or ESC key prompt during auto-boot? y/n [n]: n

Step 8.

After the last prompt above, you’ll see a summary as follows:

Current Configuration Register: 0x00000041
Configuration Summary:
boot default image from Flash
ignore system configuration
Update Config Register (0x41) in NVRAM...
rommon #2>

Step 9.

We can now boot the Cisco ASA 5512-X IPS with the command: # boot

Step 10.

Any system configuration previously saved will be skipped, and a factory default configuration will be loaded. Now it’s time to reset the global (cisco) password.

Step 11.

At the ciscoasa> prompt, type: enable (press enter). The password will be nothing (just press enter again).

Step 12.

Copy the current startup configuration to the running configuration using the following command: # copy startup-config running-config (press enter).

Step 13.

Enter global configuration mode by running the following command: # configure terminal

Step 14.

Set the global password back to blank (nothing) with the following commands:

# password password
# enable password password
# username name password password

Step 15.

Copy the current running configuration to the startup configuration using the following command: # copy running-config startup-config (press enter).

Step 16.

Restart the Cisco ASA 5512-X IPS. You can either use the # reload command (after using enable first) or physically switch the Cisco ASA 5512-X IPS off, and then on again.

Step 17.

Pay attention! When you see the Booting from ROMMON prompt (there’ll be a 10 second count down timer), press the ESC key to interrupt. You’ll be quickly dropped to a rommon #1> prompt.

Step 18.

Enter the command: confreg. You’ll see a value that follows the text: Current Configuration Register: 0x00000041. Note yours down. This specific value tells the Cisco ASA 5512-X IPS to boot normally, skipping any previously saved configuration, loading a factory default configuration into memory.

Step 19.

You’ll be prompted to change the configuration now. Type a Y.

Step 20.

Answer the prompts as follows:

enable boot to ROMMON prompt? y/n [n]: n
enable TFTP netboot? y/n [n]: n
enable Flash boot? y/n [n]: y
select specific Flash image index? y/n [n]: n
disable system configuration? y/n [n]: n (this is the value that's most important to us at this step)
go to ROMMON prompt if netboot fails? y/n [n]: n
enable passing NVRAM file specs in auto-boot mode? y/n [n]: n
disable display of BREAK or ESC key prompt during auto-boot? y/n [n]: n

Step 21.

After the last prompt above, you’ll see a summary as follows:

Current Configuration Register: 0x00000001
Configuration Summary:
boot default image from Flash
Update Config Register (0x1) in NVRAM...
rommon #2>

Step 22.

We can now boot the Cisco ASA 5512-X IPS with the command: # boot

Step 23.

The system configuration previously saved will be loaded, with a factory default configuration. You can now proceed to configure your Cisco ASA 5512-X IPS as new again!
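
If steps 17 to 21 are skipped, the register stays at 0x41 and the device keeps booting past its saved configuration, passwords included. The following check is an added example, not part of the original guide: it reads a saved console capture (for instance a PuTTY session log) and reports which register value the device will boot with next. The bit meanings are inferred from the two summaries shown in steps 8 and 21, the sample captures are constructed, and the function names are this example's own.

```python
import re

# Bit meanings are read off the two ROMMON summaries in this guide (an assumption
# drawn from that output): 0x01 boots from Flash, 0x40 ignores the saved config.
FLAGS = {0x01: "boot default image from Flash",
         0x40: "ignore system configuration"}
KNOWN = sum(FLAGS)
WRITTEN = re.compile(r"Update Config Register \(0x([0-9a-fA-F]+)\) in NVRAM")
SHOWN = re.compile(r"Current Configuration Register:\s*0x([0-9a-fA-F]+)")

# Constructed console captures, modelled on the summaries in steps 8 and 21.
PASS_1 = """rommon #1> confreg
Current Configuration Register: 0x00000001
Current Configuration Register: 0x00000041
Update Config Register (0x41) in NVRAM...
"""
PASS_2 = """rommon #1> confreg
Current Configuration Register: 0x00000041
Current Configuration Register: 0x00000001
Update Config Register (0x1) in NVRAM...
"""


def decode(value):
    """Summary lines for a register value, plus any bits the guide never shows."""
    lines = [text for bit, text in FLAGS.items() if value & bit]
    if value & ~KNOWN:
        lines.append("unrecognised bits: 0x%x" % (value & ~KNOWN))
    return lines


def audit(console_log):
    """Report the register value the device will boot with next, and whether
    that leaves it loading its saved configuration."""
    written = [int(v, 16) for v in WRITTEN.findall(console_log)]
    shown = [int(v, 16) for v in SHOWN.findall(console_log)]
    history = written or shown  # prefer values actually saved to NVRAM
    if not history:
        return {"final": None, "ok": False, "flags": []}
    final = history[-1]
    ok = not (final & 0x40) and not (final & ~KNOWN)
    return {"final": final, "ok": ok, "flags": decode(final)}


if __name__ == "__main__":
    for name, log in (("steps 5-8 only", PASS_1), ("full procedure", PASS_1 + PASS_2)):
        print(name, audit(log))
```

A capture that ends after the first pass is reported with ok set to False, which is the case worth catching before the device goes into production.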

 

Factory Reset the Configuration Only

  1. At the console prompt ciscoasa> type enable (press enter)
  2. If prompted, enter your password and press enter (the default password is nothing, just press enter).
  3. Type: # configure terminal (press enter)
  4. Type: # configure factory-default (press enter)
  5. Type: # reload save-config noconfirm (press enter)

Credits

The following links made this guide possible:

ASA Password Recovery

Restoring Factory Defaults to the Cisco ASA5505 Firewall via the Console

Howto reset factory defaults Cisco ASA Series 5500 series 5505 5510 5520

Cisco ASA 5500-X Series Quick Start Guide

Cisco ASA 5512-X Adaptive Security Appliance