06-28-2017 06:49 PM - edited 02-21-2020 09:20 PM
The new Cisco AnyConnect ver 3.1.10010, does not allow a VPN connection during an RDP session in Windows 10 Pro. ( Remote Desktop / Terminal Services )
The old Cisco VPN Client which allowed VPN from an RDP session does not work in a Windows 10 environment.
Error message is:
"VPN establishment capability from a remote desktop is disabled. A VPN connection will not be established"
I have looked in the ELS-IMelAde-TCP.XML connection profile and the settings seem to allow it according to the Cisco VPN XML Reference ( Table A-19 )
<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
<WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
AnyConnect works perfectly on same Windows 10 PC with normal local log on.
Any suggestions or settings to enable VPN from RDP session?
06-28-2017 08:55 PM
Is split tunnelling also enabled?
If it is not, that will override the two settings you mentioned.
06-28-2017 10:20 PM
Hi Marvin,
Is this a parameter line that I can add to my xml profile which AnyConnect loads on startup?
I do not have access to ASDM, the Cisco xml profile editor, so I would have to use a web browser to edit.
Please advise how to enable this feature
Thanks
Paul
Below is my xml profile
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="true">false</AutomaticCertSelection>
    <ShowPreConnectMessage>false</ShowPreConnectMessage>
    <CertificateStore>All</CertificateStore>
    <CertificateStoreOverride>false</CertificateStoreOverride>
    <ProxySettings>Native</ProxySettings>
    <AllowLocalProxyConnections>true</AllowLocalProxyConnections>
    <AuthenticationTimeout>12</AuthenticationTimeout>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
    <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
    <LocalLanAccess UserControllable="true">false</LocalLanAccess>
    <ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
    <IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
    </AutoReconnect>
    <AutoUpdate UserControllable="false">false</AutoUpdate>
    <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
    <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
    <PPPExclusion UserControllable="false">Disable
      <PPPExclusionServerIP UserControllable="false"/>
    </PPPExclusion>
    <EnableScripting UserControllable="false">false</EnableScripting>
    <EnableAutomaticServerSelection UserControllable="false">false
      <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
      <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
    </EnableAutomaticServerSelection>
    <RetainVpnOnLogoff>false</RetainVpnOnLogoff>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>xxx-xxxxx-TCP</HostName>
      <HostAddress>xxxx.xxx.xxx.xx</HostAddress>
      <UserGroup>xxx-xxxxxx-xxxx</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
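A small audit script for the two profile settings discussed in this thread (WindowsVPNEstablishment and WindowsLogonEnforcement), written for this page as an added example; it is not code from the thread or from Cisco. It assumes the AnyConnect profile namespace shown in the posted profile and uses a constructed, trimmed sample profile with placeholder hosts.

```python
import xml.etree.ElementTree as ET

# Namespace used by AnyConnect client profiles (as in the profile posted above).
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}

# Constructed sample: the thread's two relevant settings with placeholder hosts.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>EXAMPLE-HOST</HostName>
      <HostAddress>vpn.example.invalid</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def audit_remote_establishment(profile_xml: str) -> dict:
    """Read the settings that govern VPN establishment from an RDP session
    and say whether the client-side profile, on its own, permits it."""
    root = ET.fromstring(profile_xml.encode("utf-8"))
    init = root.find("ac:ClientInitialization", NS)

    def setting(name: str, default: str) -> str:
        node = init.find(f"ac:{name}", NS) if init is not None else None
        return node.text.strip() if node is not None and node.text else default

    # Defaults when the element is absent: LocalUsersOnly / SingleLocalLogon.
    establishment = setting("WindowsVPNEstablishment", "LocalUsersOnly")
    enforcement = setting("WindowsLogonEnforcement", "SingleLocalLogon")
    remote_allowed = establishment == "AllowRemoteUsers"
    hosts = [h.findtext("ac:HostAddress", default="", namespaces=NS)
             for h in root.iterfind("ac:ServerList/ac:HostEntry", NS)]
    # As the thread explains, a permissive profile is necessary but not
    # sufficient: the head end's split-tunnel policy still decides, and a
    # locally edited profile is replaced by the ASA when its hash differs.
    note = ("profile permits remote establishment; the head-end split-tunnel "
            "policy must still allow it" if remote_allowed else
            "profile denies remote establishment; only the VPN admin can change "
            "this, since the head end overwrites edited profiles")
    return {"WindowsVPNEstablishment": establishment,
            "WindowsLogonEnforcement": enforcement,
            "profile_allows_remote_users": remote_allowed,
            "hosts": hosts, "note": note}
```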
06-28-2017 10:20 PM
Sorry but the split tunnel bit is done on the VPN server side only. The setting can be inferred from a connected client by looking at the VPN details and seeing if all routes (0.0.0.0/0) or not are being pushed to the client.
Also, changing your xml profile locally does not work in general because the ASA will check your local file hash at the time of connection. If it is found to be different than that of the profile stored on the ASA, it will overwrite your local copy with a fresh updated one from the ASA.
This ensures that the administrator policy settings are always the ones used by all clients.
p.s. You may want to redact your organization's host address out of your posting.
06-28-2017 11:28 PM
Hi Marvin.
Just want to say you have been a great help. I run an OpenVPN server for my small business, so have some basic VPN Server/Client config knowledge. AnyConnect is new to me.
In this case I am only the client, and the AnyConnect VPN server is controlled by the Australian Tax Office, that was the host XXXX in the profile above.
http://softwaredevelopers.ato.gov.au/AnyConnect
We had to use the new AnyConnect VPN client software as the older Cisco VPN is not supported in Windows 10. When we upgraded to Windows 10 Pro we then lost VPN ability during RDP sessions, a very important productivity feature for our remote laptop access.
Apparently AnyConnect VPN client will work with a hosted Windows Server provider. I suspect the AnyConnect VPN server pushes a profile that recognises a hosted Windows Server. This must allow simultaneous VPN/RDP as RDP is needed to access the hosted terminal server.
06-29-2017 01:32 AM
It can definitely be done - I have done it myself on multiple systems.
However if the admin of the VPN has not taken into account the need to do so, it will prevent you from having the ability to make any client side changes to override that.
The bottom line is that, with AnyConnect, the VPN admin has to make any necessary changes for the problem you are reporting to be addressed.
06-29-2017 05:38 PM
I have put in a request with the Tax Office technical help asking if their AnyConnect VPN server has enabled Split Tunnelling. This may take a while as I have to go through a help desk system.
I have also put in a request with the Tax software developer ( this is the app which uses AnyConnect to upload data) just in case they have direct access to the server admin in the Govt Department.
I will keep you posted.
08-02-2017 01:00 AM
I don't think I will get a reply soon.
The help desk expert was unable to help me, so I requested a supervisor to ring back. That was a few weeks ago.
07-31-2023 02:39 PM
I am also having the same problem on an ASA 5515: users are able to connect to the AnyConnect VPN, but they are unable to connect by RDP to the inside server, and they cannot even ping the inside internal server.