RDP and Anyconnect failure

wm2680001
Level 1

I am using Anyconnect (ver. 4.2.02075).

VPN is working from desktop, but doesn't work through RDP connection.

In the XML file the following settings about the remote session were changed to:

<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>

<WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>

but anyconnect doesn't work: error "VPN establishment capability from a remote desktop is disabled.  A VPN connection will not be established."

Can you help with this issue?

Thank you!

4 Replies

Dinesh Moudgil
Cisco Employee

Hi wm2680001,

Please configure the anyconnect profile (.xml file) to be configured for "AllowRemoteUsers" as shown in the attached snippet.
This will allow the VPN sessions to be originated from remote machines as well.

For future reference:
http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/anyconnectadmin30/ac13vpnxmlref.html#40060

This change would have to be done on the ASA since whenever you try to connect again with the modified policy, it gets updated by the policy pushed from the ASA and the changes are reverted.

Please have your ASA configured for the mentioned setting so that it can be pushed from the firewall to all the clients.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hi Dinesh,

You're saying if it isn't done on the ASA, just locally on the machine, the modified policy won't take hold? Is there any possible way to do it just locally and have something that calls a modified profile xml file (which is what I did locally) on the local machine instead of getting it pushed from the ASA?

Thank you

Hi wm2680001

The issue is that every time the client connects to the VPN headend, it tries to fetch and confirm whether there were any updates to the xml profile and will inherit them if there were any changes indeed. This is the expected behavior, so this has to come from the ASA.

Optionally, if you don't want all the users to get that option, you can create a separate group-policy for your account and define modified xml profile from the ASA.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Having the same problem, and not exactly sure where I can find the anyconnect profile (.xml) file. I tried under "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client" and updated a file called "AnyConnectLocalPolicy.xml", but I still cannot connect.

I also do not see any attached snippet.
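As an added illustration (not the original poster's file, Cisco's sample, or the snippet Dinesh attached), here is a minimal AnyConnect client profile carrying the two remote-desktop settings from the thread, followed in a comment by the ASA commands that push it to a dedicated group-policy as Dinesh's second reply suggests. The profile name `rdp-users.xml`, the group-policy name `GP-RDP-USERS` and the headend `vpn.example.com` are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example profile, not the poster's file.
     Placeholders: rdp-users.xml, GP-RDP-USERS, vpn.example.com -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Default is LocalUsersOnly, which is what produces the
         "VPN establishment capability from a remote desktop is disabled" error.
         AllowRemoteUsers lets a user logged on via RDP start the tunnel. -->
    <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
    <!-- SingleLocalLogon: one local user may be logged on for the life of the
         VPN; remote (RDP) users may also be logged on. SingleLogon would refuse
         the connection while any second user, local or remote, is logged on. -->
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Corporate VPN (RDP users)</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>

<!-- ASA side (configure terminal), so the headend pushes this profile instead of
     overwriting the local edit on the next connect. Assumes the file has already
     been copied to disk0: and that only members of GP-RDP-USERS should get the
     relaxed setting; everyone else keeps the LocalUsersOnly default.

     webvpn
      anyconnect profiles rdp-users disk0:/rdp-users.xml
     group-policy GP-RDP-USERS internal
     group-policy GP-RDP-USERS attributes
      webvpn
       anyconnect profiles value rdp-users type user

     Caveat: under a tunnel-all policy the RDP session that started the VPN can
     be dropped once the tunnel takes over routing; a split-exclude covering the
     RDP client's address (or LocalLanAccess) keeps that session alive. -->
```

On the client the pushed profile lands under `%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\`; `AnyConnectLocalPolicy.xml` in the parent folder is a different, local-policy file and does not carry these elements.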