Secure Client app and AnyConnect on ASA

RANT · ‎02-26-2025

We are currently using AnyConnect 4 on an ASA for remote users. I have a vendor attempting to VPN and his device is running the Cisco Secure Client app, and he is getting an error message stating "VPN establishment capability for a remote user is disabled. A VPN connection will not be established." and "Cisco Secure Client was not able to establish a connection to the specified secure gateway. Please try connecting again."

Is there an additional license I need on my ASA to support users utilizing Cisco Secure Client?

Mark Ftc · ‎03-06-2025

My initial thought was wondering if you're running ASA code version 9.13 or older. Secure Client (5.x) is not supported on ASA code version older than 9.14.

However, upon some research I found this Cisco documentation:
https://www.cisco.com/c/en/us/support/docs/security/secure-access/221175-troubleshoot-secure-access-error-vpn-es.html

This references Cisco Secure Access, however the fix is within the AnyConnect .xml profile - so you can ignore that part (the secure access part).

Does your vendor use a .xml profile to initiate the connection to your ASA? Does he try to connect within an RDP connected machine? If so, then I would suggest the vendor try modifying the 'Windows VPN Establishment' value from 'Local User Only' to 'All Remote Users'. If this test works, then you will likely need to update the .xml profile you have associated to the group-policy he is using to connect to your ASA.

Another test might be to have him try directly connect to your ASA-VPN tunnel-group without leveraging the .xml profile (assuming he is using a .xml profile). He can do this by typing in the IP/URL-Alias for the tunnel-group he uses to connect directly into the AnyConnect client field.