AnyConnect does not allow VPN during RDP session

The new Cisco AnyConnect version 3.1.10010 does not allow a VPN connection during an RDP session in Windows 10 Pro (Remote Desktop / Terminal Services).

The old Cisco VPN Client, which allowed VPN from an RDP session, does not work in a Windows 10 environment.

Error message is:

"VPN establishment capability from a remote desktop is disabled. A VPN connection will not be established"

I have looked in the ELS-IMelAde-TCP.XML connection profile and the settings seem to allow it according to the Cisco VPN XML Reference (Table A-19):
<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
<WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>

AnyConnect works perfectly on same Windows 10 PC with normal local log on.

Any suggestions or settings to enable VPN from RDP session?

8 Replies

Marvin Rhoads
Hall of Fame

Is split tunnelling also enabled?

If it is not, that will override the two settings you mentioned.

Hi Marvin,

Is this a parameter line that I can add to my XML profile which AnyConnect loads on startup?

I do not have access to ASDM, the Cisco XML profile editor, so I would have to use a web browser to edit.

Please advise how to enable this feature

Thanks

Paul

Below is my XML profile:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="true">false</AutomaticCertSelection>
    <ShowPreConnectMessage>false</ShowPreConnectMessage>
    <CertificateStore>All</CertificateStore>
    <CertificateStoreOverride>false</CertificateStoreOverride>
    <ProxySettings>Native</ProxySettings>
    <AllowLocalProxyConnections>true</AllowLocalProxyConnections>
    <AuthenticationTimeout>12</AuthenticationTimeout>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
    <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
    <LocalLanAccess UserControllable="true">false</LocalLanAccess>
    <ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
    <IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
    </AutoReconnect>
    <AutoUpdate UserControllable="false">false</AutoUpdate>
    <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
    <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
    <PPPExclusion UserControllable="false">Disable
      <PPPExclusionServerIP UserControllable="false"/>
    </PPPExclusion>
    <EnableScripting UserControllable="false">false</EnableScripting>
    <EnableAutomaticServerSelection UserControllable="false">false
      <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
      <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
    </EnableAutomaticServerSelection>
    <RetainVpnOnLogoff>false</RetainVpnOnLogoff>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>xxx-xxxxx-TCP</HostName>
      <HostAddress>xxxx.xxx.xxx.xx</HostAddress>
      <UserGroup>xxx-xxxxxx-xxxx</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>

Sorry, but the split tunnel bit is done on the VPN server side only. The setting can be inferred from a connected client by looking at the VPN details and seeing whether all routes (0.0.0.0/0) or not are being pushed to the client.

Also, changing your XML profile locally does not work in general because the ASA will check your local file hash at the time of connection. If it is found to be different from that of the profile stored on the ASA, it will overwrite your local copy with a fresh updated one from the ASA.

This ensures that the administrator policy settings are always the ones used by all clients.

p.s. You may want to redact your organization's host address out of your posting.
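The two checks in the reply above (what the client profile actually says, and whether the server is pushing a tunnel-all default route) can be scripted. The following is an added example, not Cisco code and not from any poster in this thread: it parses a profile in the same namespace as the one posted above, falls back to the documented defaults (LocalUsersOnly, SingleLocalLogon) when an element is absent, and scans a constructed excerpt of Windows `route print` output for a 0.0.0.0/0 route that leaves through the VPN adapter. The adapter address 10.200.0.15 and the route-table lines are constructed samples, not captured from a real ATO connection.

```python
"""Diagnose why AnyConnect refuses a VPN from an RDP session.

Added example (not Cisco's code): checks the client profile settings this
thread discusses and whether the server pushed a tunnel-all default route.
"""
import xml.etree.ElementTree as ET

# Namespace used by the AnyConnect profile posted in this thread.
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}

# Constructed sample: just the two relevant elements of the posted profile.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
  </ClientInitialization>
</AnyConnectProfile>
"""

# Constructed `route print -4` excerpt: the VPN adapter (10.200.0.15) owns a
# 0.0.0.0/0 route, i.e. the server pushed tunnel-all, not split tunnelling.
SAMPLE_ROUTES_TUNNEL_ALL = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.23     25
          0.0.0.0          0.0.0.0         On-link     10.200.0.15      1
       10.200.0.0    255.255.255.0         On-link     10.200.0.15    257
"""

# Constructed excerpt where only a specific subnet is routed via the VPN.
SAMPLE_ROUTES_SPLIT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.23     25
       10.200.0.0    255.255.255.0         On-link     10.200.0.15    257
       172.16.0.0      255.255.0.0         On-link     10.200.0.15      1
"""


def profile_settings(xml_text: str) -> dict:
    """Return the two RDP-relevant settings, applying the documented defaults."""
    root = ET.fromstring(xml_text)
    init = root.find("ac:ClientInitialization", NS)

    def value(tag: str, default: str) -> str:
        el = init.find(f"ac:{tag}", NS) if init is not None else None
        return el.text.strip() if el is not None and el.text else default

    return {
        "WindowsVPNEstablishment": value("WindowsVPNEstablishment", "LocalUsersOnly"),
        "WindowsLogonEnforcement": value("WindowsLogonEnforcement", "SingleLocalLogon"),
    }


def vpn_adapter_default_route(route_print: str, vpn_ip: str) -> bool:
    """True if a 0.0.0.0/0 route exits via the interface whose address is vpn_ip.

    Columns in `route print` are: destination, netmask, gateway, interface, metric.
    """
    for line in route_print.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "0.0.0.0" and parts[1] == "0.0.0.0":
            if parts[3] == vpn_ip:
                return True
    return False


def rdp_vpn_verdict(xml_text: str, route_print: str, vpn_ip: str) -> str:
    """Combine both checks into a one-line diagnosis."""
    settings = profile_settings(xml_text)
    if settings["WindowsVPNEstablishment"] != "AllowRemoteUsers":
        return ("blocked by profile: WindowsVPNEstablishment="
                + settings["WindowsVPNEstablishment"])
    if vpn_adapter_default_route(route_print, vpn_ip):
        return ("profile allows remote users, but the server pushes tunnel-all "
                "(0.0.0.0/0): split tunnelling must be enabled on the ASA")
    return "profile allows remote users and the server uses split tunnelling"


if __name__ == "__main__":
    print(profile_settings(SAMPLE_PROFILE))
    print(rdp_vpn_verdict(SAMPLE_PROFILE, SAMPLE_ROUTES_TUNNEL_ALL, "10.200.0.15"))
    print(rdp_vpn_verdict(SAMPLE_PROFILE, SAMPLE_ROUTES_SPLIT, "10.200.0.15"))
```

On a real client, feed `rdp_vpn_verdict` the profile from `C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\` and the output of `route print -4`, with the address `ipconfig` shows for the Cisco AnyConnect adapter. As the reply notes, a local edit of the profile is overwritten on the next connection, so a "tunnel-all" verdict can only be fixed by the VPN administrator.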

Hi Marvin.

Just want to say you have been a great help. I run an OpenVPN server for my small business, so have some basic VPN Server/Client config knowledge. AnyConnect is new to me.

In this case I am only the client, and the AnyConnect VPN server is controlled by the Australian Tax Office, that was the host XXXX in the profile above.

http://softwaredevelopers.ato.gov.au/AnyConnect

We had to use the new AnyConnect VPN client software as the older Cisco VPN is not supported in Windows 10. When we upgraded to Windows 10 Pro we then lost VPN ability during RDP sessions, a very important productivity feature for our remote laptop access.

Apparently the AnyConnect VPN client will work with a hosted Windows Server provider. I suspect the AnyConnect VPN server pushes a profile that recognises a hosted Windows Server. This must allow simultaneous VPN/RDP, as RDP is needed to access the hosted terminal server.

It can definitely be done - I have done it myself on multiple systems.

However, if the admin of the VPN has not taken into account the need to do so, it will prevent you from having the ability to make any client-side changes to override that.

The bottom line is that, with AnyConnect, the VPN admin has to make any necessary changes for the problem you are reporting to be addressed.

I have put in a request with the Tax Office technical help asking if their AnyConnect VPN server has enabled split tunnelling. This may take a while as I have to go through a help desk system.

I have also put in a request with the tax software developer (this is the app which uses AnyConnect to upload data) just in case they have direct access to the server admin in the Govt Department.

I will keep you posted.

I don't think I will get a reply soon.

The help desk expert was unable to help me, so I requested a supervisor to ring back. That was a few weeks ago.

Venkatesh3
Level 1

I am also having the same problem on an ASA 5515: users are able to connect to the AnyConnect VPN, but they are unable to connect via RDP to the inside server, and they cannot even ping the inside internal server.
