AnyConnect – ‘VPN establishment capability for a remote user…’

KB ID 0000546 

Problem

If you connect to a client via RDP and then try to run the AnyConnect client, you will see one of these errors:

VPN establishment capability for a remote user is disabled. A VPN connection will not be established


VPN establishment capability from a Remote Desktop is disabled. A VPN connection will not be established

This behaviour is the default. Despite trawling the internet for a solution (most posts suggest editing the local AnyConnectProfile.tmpl file), that file does not exist with version 3 (I was using v3.0.4235).

Update: With early versions of AnyConnect version 4 the client does not tell you what is wrong; the VPN appears to connect and then disconnects quickly. If you have debugging on the firewall you will see the following:

Profile settings do not allow VPN initiation from a remote desktop.

Note: This is fixed in version 4.8, and you will see the error shown at the top of the page.

Solution

To solve this problem we need to create an AnyConnect profile, load the profile onto the firewall, then associate that profile with your AnyConnect group policy. With modern versions of AnyConnect you can do all of that in the ASDM. With older versions you need to use the stand-alone profile editor (see below).

Edit AnyConnect Profile With ASDM

Connect to the ASDM > Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile.

Give the profile a name > Select a group policy to apply it to > OK.

AllowRemoteUsers: Lets remote (RDP) users bring up the VPN. If bringing up the VPN changes routing so that your remote session is disconnected, the client automatically terminates the VPN.

SingleLocalLogon: Allows multiple remote logons but only one local logon.

OR (older versions)


Apply the changes, and then save to the running configuration.


Edit AnyConnect Profile With Stand-Alone Profile Editor

1. First download the AnyConnect Profile Editor from Cisco. (Note: You will need a valid CCO account and a registered support agreement/SmartNet).

Update: The AnyConnect Profile Editor is now built into the ASDM; it becomes available once you have enabled an AnyConnect image. Once you have a profile created you can skip straight to step 3 and skip all the other steps.

If you cannot download the software, here is a profile I have already created that you can use. If you are going to use it, jump to step 5.

2. Once you have installed the profile editor, launch the “VPN Profile Editor”.

3. The setting we want is listed under Windows VPN Establishment and needs setting to “AllowRemoteUsers”. In addition I’m going to set Windows Logon Enforcement to “SingleLocalLogon”.

AllowRemoteUsers: Lets remote (RDP) users bring up the VPN. If bringing up the VPN changes routing so that your remote session is disconnected, the client automatically terminates the VPN.

SingleLocalLogon: Allows multiple remote logons but only one local logon.

4. Save the profile somewhere you can locate it quickly.

5. Connect to the firewall’s ASDM > Tools > File Management > File Transfer > Between Local PC and Flash.

6. Browse your local PC for the profile you created earlier > Hit the “Right Arrow” to upload it > This can take a few minutes, depending on your proximity to the firewall.

7. Make sure the file uploads correctly > Close.

8. To associate this profile with your AnyConnect/SSL group policy, click Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Locate the policy in use for your AnyConnect clients > Edit > Advanced > SSL VPN Client > Locate the “Client Profile to Download” section and untick the Inherit box.

9. Click New > Browse Flash > Locate the profile you uploaded earlier.

10. OK > OK > Apply > Save the changes by clicking File > Save running configuration to flash.

11. Then reconnect with your AnyConnect Mobility Client software.
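Both the ASDM section and step 3 above come down to two elements in the profile XML: Windows VPN Establishment and Windows Logon Enforcement. The following is an added example (it is not part of this article and not Cisco’s code) that reads a saved profile before you upload it to flash, reports whether it will still produce the “VPN establishment capability from a Remote Desktop is disabled” error, and writes out a corrected copy. It assumes the layout the profile editor produces: the `<WindowsVPNEstablishment>` and `<WindowsLogonEnforcement>` elements under `<ClientInitialization>` in the default namespace `http://schemas.xmlsoap.org/encoding/`; the sample profile and host name in the block are constructed.

```python
"""Check, and correct, the Remote Desktop settings in an AnyConnect client profile.

Added example. Assumes the XML layout written by the AnyConnect profile editor:
the settings live under <ClientInitialization> in the profile's default namespace.
"""
import xml.etree.ElementTree as ET

NS = "http://schemas.xmlsoap.org/encoding/"   # namespace the profile editor uses
ET.register_namespace("", NS)                 # serialise back without an ns0: prefix

# Values the profile editor offers for the two settings discussed above.
VPN_ESTABLISHMENT_VALUES = {"LocalUsersOnly", "AllowRemoteUsers"}
LOGON_ENFORCEMENT_VALUES = {"SingleLocalLogon", "SingleLogon", "SingleLogonNoRemote"}

# Constructed sample of a freshly created profile: the defaults that cause the error.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Head Office</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def _parse(xml_text):
    # Feed bytes so an encoding declaration in the prologue is honoured.
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    return ET.fromstring(data)


def _setting(root, name):
    el = root.find(f"{{{NS}}}ClientInitialization/{{{NS}}}{name}")
    return None if el is None else (el.text or "").strip()


def check_profile(xml_text):
    """Report whether the profile lets a user on a Remote Desktop session start the VPN."""
    root = _parse(xml_text)
    establishment = _setting(root, "WindowsVPNEstablishment")
    enforcement = _setting(root, "WindowsLogonEnforcement")
    problems = []
    # A missing element means the client default (LocalUsersOnly) applies, so a
    # profile that merely omits the element still produces the error on the page.
    if establishment is None:
        problems.append("WindowsVPNEstablishment missing; default LocalUsersOnly applies")
    elif establishment not in VPN_ESTABLISHMENT_VALUES:
        problems.append(f"WindowsVPNEstablishment has unknown value {establishment!r}")
    elif establishment == "LocalUsersOnly":
        problems.append("WindowsVPNEstablishment is LocalUsersOnly; VPN from RDP will be refused")
    if enforcement is not None and enforcement not in LOGON_ENFORCEMENT_VALUES:
        problems.append(f"WindowsLogonEnforcement has unknown value {enforcement!r}")
    return {
        "vpn_establishment": establishment,
        "logon_enforcement": enforcement,
        "rdp_allowed": establishment == "AllowRemoteUsers",
        "problems": problems,
    }


def allow_remote_users(xml_text, logon_enforcement="SingleLocalLogon"):
    """Return the profile with AllowRemoteUsers set, creating the elements if absent."""
    if logon_enforcement not in LOGON_ENFORCEMENT_VALUES:
        raise ValueError(f"unknown WindowsLogonEnforcement value: {logon_enforcement}")
    root = _parse(xml_text)
    init = root.find(f"{{{NS}}}ClientInitialization")
    if init is None:
        # ClientInitialization precedes ServerList in the editor's layout.
        init = ET.Element(f"{{{NS}}}ClientInitialization")
        root.insert(0, init)
    for name, value in (("WindowsVPNEstablishment", "AllowRemoteUsers"),
                        ("WindowsLogonEnforcement", logon_enforcement)):
        el = init.find(f"{{{NS}}}{name}")
        if el is None:
            el = ET.SubElement(init, f"{{{NS}}}{name}")
        el.text = value
    # tostring() omits the prologue, so put the declaration the editor writes back.
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(check_profile(SAMPLE_PROFILE))
    print(check_profile(allow_remote_users(SAMPLE_PROFILE)))
```

Run `check_profile()` over the XML you are about to upload in step 6; if `rdp_allowed` is False the client will still refuse to start from an RDP session after the group policy is updated in step 8, and `allow_remote_users()` gives you the corrected file to upload instead.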

Related Articles, References, Credits, or External Links

Install and Configure Cisco ASA5500 AnyConnect SSL VPN 

iPhone / iPad – Using the Cisco AnyConnect Client

KB ID 0000474 

Problem

You have an Apple device and you would like to create a remote VPN connection to a Cisco device running AnyConnect.

Note: This is not a walkthrough on how to configure AnyConnect, for that go here.

Be aware that in addition to your SSL VPN licences, your Cisco ASA device also needs an “AnyConnect Mobile – ASA 5510” license. If it does not have one you will receive this error.

Solution

1. Firstly you need to download and install the Cisco AnyConnect client from iTunes.

2. Once installed launch the AnyConnect client software.

3. As this is the first time we have launched it we need to configure a connection, select “Add VPN Connection”.

4. Give the connection a name, and enter either the public IP of your Cisco device (or its public DNS name) > Save.

5. Slide the button from Off to On.

6. If you are using a self-signed certificate on the Cisco device you will see this warning; simply click Continue.

7. Depending on how your authentication is setup, supply your username and password > Connect.

8. All being well, the client should say connected. (If you get a licensing error see here).

9. You are now connected to your corporate network. While you are connected you will see the VPN icon at the top of the screen.


Related Articles, References, Credits, or External Links

Android – Using the Cisco AnyConnect Client

Cisco AnyConnect Error (Apple)

Apple iPhone / iPad – Enable Cookies


Android – Using the Cisco AnyConnect Client


KB ID 0000539 

Problem

You have an Android device* and you would like to create a remote VPN connection to a Cisco device running AnyConnect.

Note: This is not a walkthrough on how to configure AnyConnect, for that go here.

Be aware that in addition to your SSL VPN licences, your Cisco ASA device also needs an “AnyConnect Mobile” license. If you do not have one you will receive this error.

*Note: At time of writing the AnyConnect client is only available for Samsung, HTC, Lenovo, and Android phones that have been rooted.

Solution

1. First head over to the Android Market, locate and then install the AnyConnect Client on your device.

2. Once installed launch the AnyConnect client.

3. Add New VPN Connection.

4. Tap Description.

5. Give the connection a recognisable name.

6. Set the server address to either the public IP of your Cisco device or, if you have a public DNS name that points to it (e.g. vpn.yourdomain.com), that name, providing the device can resolve it using DNS.

7. You should not need to enter certificate details unless your IT department has secured the AnyConnect profile with certificates, like this. In most cases you supply a username and password to connect, so this is not relevant. If you are unsure, speak to the person or department that looks after your Cisco device.

8. To save the connection click “Done”.

9. To start the connection, simply tap it.

Note: To delete/edit a connection profile, tap and hold it.

10. Type in your credentials > OK.

11. When connected you will get a “Green Tick” and the logo at the top of the screen will show a closed padlock. This padlock logo will remain all the time you are connected.

12. To disconnect, simply tap the green tick, and the client software will terminate the connection.

Related Articles, References, Credits, or External Links

Thanks to David Simpson for trusting me with his phone for half an hour.

Android AnyConnect Error

iPhone / iPad – Using the Cisco AnyConnect Client