AnyConnect – ‘VPN establishment capability from a remote desktop is disabled. A VPN connection will not be established’

KB ID 0000546 Dtd 23/08/16

Problem

If you connect to a client via RDP and then try to run the AnyConnect client, you will see this error.

VPN establishment capability from a remote desktop is disabled

This behaviour is the default. Despite me trawling the internet to find a solution, most posts quote changing the local AnyConnectProfile.tmpl file, and this file does not exist using Version 3 (I was using v 3.0.4235).

Update: Now with version 4 it does not tell you what’s wrong; the VPN appears to connect and then disconnects quickly. If you have debugging on the firewall you will see the following:

Profile settings do not allow VPN initiation from a remote desktop.

Solution

To solve this problem we need to create an AnyConnect profile, load the profile into the firewall, then associate that profile with your AnyConnect group policy. With modern versions of AnyConnect you can do that in the ASDM. With older versions you need to use the stand-alone profile editor (see below).

Edit AnyConnect Profile With ASDM

Connect to the ASDM > Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile.

Give the profile a name > Select a group policy to apply it to > OK.

AllowRemoteUsers: Lets remote users bring up the VPN. If the VPN routing then disconnects your remote session, the VPN is terminated automatically.

SingleLocalLogon: Allows multiple remote logons but only one local logon.

Apply the changes, and then save to the running configuration.

Edit AnyConnect Profile With Stand-Alone Profile Editor

1. First download the AnyConnect Profile Editor from Cisco. (Note: You will need a valid CCO account and a registered support agreement/SmartNet).

Update: The AnyConnect Profile Editor is now built into the ASDM; it becomes available once you have enabled any AnyConnect image. Once you have a profile created you can skip straight to step 3, and skip all the other steps.

If you cannot download the software here’s a profile (I’ve already created) you can use. If you are going to use this, jump to step 5.

2. Once you have installed the profile editor, launch the “VPN Profile Editor”.

3. The setting we want is listed under Windows VPN Establishment, and needs setting to “AllowRemoteUsers”. In addition, I’m going to set Windows Logon Enforcement to “SingleLocalLogon”.

AllowRemoteUsers: Lets remote users bring up the VPN. If the VPN routing then disconnects your remote session, the VPN is terminated automatically.

SingleLocalLogon: Allows multiple remote logons but only one local logon.

4. Save the profile somewhere you can locate it quickly.

5. Connect to the firewall’s ASDM > Tools > File Management > File Transfer > Between Local PC and Flash.

6. Browse your local PC for the profile you created earlier > Hit the “Right Arrow” to upload it > This can take a few minutes, depending on your proximity to the firewall.

7. Make sure the file uploads correctly > Close.

8. To associate this profile with your AnyConnect/SSL Group Policy, click Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Locate the policy in use for your AnyConnect clients > Edit > Advanced > SSL VPN Client > Locate the “Client Profile to Download” section and uncheck the inherit button.

9. Click New > Browse Flash > Locate the profile you uploaded earlier.

10. OK > OK > Apply > Save the changes by clicking File > Save running configuration to flash.

11. Then reconnect with your AnyConnect Mobility Client software.
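Before uploading a profile (or when reviewing one already on flash), it is worth confirming which of the two Windows settings it actually carries, because allowing VPN establishment from RDP sessions relaxes the client default. The following is an added example, not part of the original article: a small Python check that reads a profile and reports the effective values. The XML element names, the namespace and the fallback defaults are assumptions based on the AnyConnect profile format, and the sample profile is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed client defaults, applied when an element is absent from the profile.
DEFAULTS = {
    "WindowsVPNEstablishment": "LocalUsersOnly",
    "WindowsLogonEnforcement": "SingleLocalLogon",
}

# Constructed sample profile (not the downloadable one from the article).
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
  </ClientInitialization>
</AnyConnectProfile>
"""


def _local(tag):
    """Strip the XML namespace so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def effective_settings(profile_xml):
    """Return the two Windows settings, falling back to the defaults."""
    root = ET.fromstring(profile_xml)
    found = dict(DEFAULTS)
    for elem in root.iter():
        name = _local(elem.tag)
        if name in DEFAULTS and elem.text and elem.text.strip():
            found[name] = elem.text.strip()
    return found


def rdp_vpn_allowed(profile_xml):
    """True if a user in a remote desktop session may bring up the VPN."""
    settings = effective_settings(profile_xml)
    return settings["WindowsVPNEstablishment"] == "AllowRemoteUsers"


if __name__ == "__main__":
    for key, value in effective_settings(SAMPLE_PROFILE).items():
        print(f"{key}: {value}")
    print("VPN from RDP session allowed:", rdp_vpn_allowed(SAMPLE_PROFILE))
```

Run it against each profile assigned to a group policy to see which groups permit VPN initiation from a remote desktop session.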

Related Articles, References, Credits, or External Links

Original Article Written 20/12/11

Install and Configure Cisco ASA5500 AnyConnect SSL VPN 

Original article written 03/03/16

Author: Migrated