01-17-2022 06:56 AM
We are working on replacing our tried-and-true Windows Server VPN with Cisco AnyConnect (ASA 5516-X, ASA version 9.10(1)44), largely for Azure AD MFA.
It's working okay, except today we discovered that clients cannot connect when they are in a Remote Desktop connection. There is an alert "VPN establishment capability for a remote user is disabled". I found that this should be controlled by the AnyConnect profile. That is deployed to "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\default.xml" on the clients. I found the line that, I believe, controls this:
<WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
I updated that from "LocalUsersOnly" to "AllowRemoteUsers" and re-launched AnyConnect. Again, I get the same error message. I opened up the .xml file in the AnyConnect Profile Editor, and that line does seem to correspond to the dropdown setting to allow remote users.
I then found that the profile can be deployed via the ASA itself. I browse to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile. There is nothing there to start, and it seems to not want anything added.
Sometimes, when I click "Add", I get a message stating "Check that you have a proper AnyConnect package installed" (I do, the wizard would not proceed without adding packages) as well as a potential permission error (How does it not know which is the issue?). To solve this I can go to Device Management and edit the user account (admin, the only user account). I make no changes and discard and go back to the AnyConnect Client Profile section and am now able to add a profile. This doesn't happen every time but it does sometimes. I can't find a pattern for that.
I can upload the XML file (that was generated by the Cisco VPN Profile Editor, and works in the client), give it a name, select the only Group Policy, and hit OK. I get an error message "Input is not a well-formed, schema-compliant XML file. Invalid or unknown schema." It then asks me to save the XML file. No matter where I choose, the error comes up again and then dismisses, and I am back at the Client Profile page, with my new profile there. If I attempt to edit this profile, I get the same error: "Input is not a well-formed, schema-compliant XML file. Invalid or unknown schema."
While this profile is present in ASDM, if I attempt to connect to the VPN (Remote Desktop or local, with or without that very same XML file in the ProgramData folder), I get "Cisco AnyConnect automatic profile updates are disabled and the local VPN profile does not match the secure gateway profile". I can't find where to enable the automatic profile updates. I did try logging into the web portal, but all that does is download the .msi file for the VPN again; it does not touch the profile. The profile XML file is exactly the same, generated by the AnyConnect Profile Editor software. When I remove that profile from ASDM, I can connect again but still not via Remote Desktop. To work around this, we can log in locally, connect to AnyConnect, then connect with Remote Desktop. Kind of a pain.
I did find a post about using older Java versions. We typically connect to the ASDM using the bundled OpenJRE which is version 8. I connected with Oracle's Java 8 as well, same errors. Oracle's Java 6 and Java 7 do not allow me to connect to the ASDM at all.
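Added example, not part of the original post or Cisco's tooling: a small check that a profile file is well-formed, has the expected root element, and reports the `WindowsVPNEstablishment` and `WindowsLogonEnforcement` values, then compares those settings between a local copy and the copy uploaded to the gateway. The sample XML is constructed and trimmed, and the namespace is the one the Profile Editor normally writes (an assumption to verify against your own `default.xml`).

```python
import xml.etree.ElementTree as ET

# Namespace normally written by the AnyConnect Profile Editor (assumption: verify against your file).
NS = "http://schemas.xmlsoap.org/encoding/"
WATCHED = ("WindowsLogonEnforcement", "WindowsVPNEstablishment")

# Constructed sample profiles, trimmed to the elements discussed in the thread.
LOCAL = f"""<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="{NS}">
  <ClientInitialization>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
  </ClientInitialization>
</AnyConnectProfile>"""
GATEWAY = LOCAL.replace("AllowRemoteUsers", "LocalUsersOnly")
BROKEN = LOCAL.replace("</ClientInitialization>", "")  # unbalanced tag


def audit_profile(xml_text):
    """Return (settings, problems) for one profile document."""
    problems = []
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        return {}, [f"not well-formed: {exc}"]
    if root.tag != f"{{{NS}}}AnyConnectProfile":
        problems.append(f"unexpected root element {root.tag!r}")
    settings = {}
    for name in WATCHED:
        node = root.find(f".//{{{NS}}}{name}")
        if node is None:
            problems.append(f"{name} not present in profile")
        else:
            settings[name] = (node.text or "").strip()
    return settings, problems


def diff_profiles(local_xml, gateway_xml):
    """List watched settings whose values differ between the two copies."""
    local, _ = audit_profile(local_xml)
    gateway, _ = audit_profile(gateway_xml)
    return {k: (local.get(k), gateway.get(k))
            for k in WATCHED if local.get(k) != gateway.get(k)}


if __name__ == "__main__":
    print(audit_profile(LOCAL))
    print(audit_profile(BROKEN)[1])
    print(diff_profiles(LOCAL, GATEWAY))
```

To use it on real files, read the client's profile and the file uploaded in ASDM as text and pass both to `diff_profiles`.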
02-07-2025 06:41 AM
Hi @worthingtontech
We started using the same solution for employees who don't have corporate laptops yet.
And we ran into the same problem.
We started using Cisco FTD with version 7.2.5.
I opened a Cisco TAC task to solve the problem. But all our attempts failed.
What did lead to a solution: we upgraded the Cisco FTD 3140 to version 7.4.2, and the problem with running the VPN client on the remote machine was immediately solved.
Other problems we encountered on version 7.2.5 were also solved.
We have not been able to find the cause yet. But I think it's a bug.
I pointed this fact out to tech support. I hope they will find the reason.
Otherwise it may appear again unexpectedly.