Unable to connect Remote Desktop when Cisco VPN client is connected

vikas.gupta_ext
Level 1

Hi,

I am unable to take Remote Desktop of a server through the Cisco VPN client which is installed on a PC. Without connecting the VPN, I am able to log in to the same server with the user AD credentials, but through the VPN I am not able to. Other users are working fine and able to connect. I deleted the VPN profile from the firewall and created it again, but the same issue is still there.

Getting below error while taking remote desktop :
--------------------------------------------------------------------------------------------------------------------------------
Remote Desktop can't connect to the remote computer for one of these reasons:
1) Remote access to the server is not enabled
2) The remote computer is turned off
3) The remote computer is not available on the network

Make sure the remote computer is turned on and connected to the network, and that remote access is enabled.
--------------------------------------------------------------------------------------------------------------------------------

Accepted Solutions

vikas.gupta_ext
Level 1

Dear All,

Thank you so much for your views and support. As I am new to security, the solution was challenging for me, but at last I found it after struggling, and I am feeling very good now.

Solution: In the firewall, the user was not added to the User Group of RDP, so after adding the user the issue has been resolved.

Config>Firewall>Object>UserGroup

Once again, thank you guys! This is my first experience in the Cisco community and it was a really great experience.

:)

Regards,

MaddyV

13 Replies

Marvin Rhoads
Hall of Fame

Please check the connection details and make sure the VPN client is establishing a route to the remote server's network.

If that's OK, please check that the user (or group that the user belongs to) is not being given a VPN-ACL at the ASA.

Thank you, Sir, for your intervention. I have checked all the things suggested by you, especially the VPN-ACL, and all seem up to the mark.

Please find my observations below:

1. We are able to take RDP of the server when connecting the VPN using another user's credentials on the same system. Only this particular user is facing the issue.

2. Usually I log in to the VPN and take RDP from my system, but if I use the reported user's credentials on my system, the VPN shows as connected but I am unable to take RDP.

It means there is some issue with the VPN profile only. I just recreated the profile but the same issue persists.

Is there anything else I can check for this issue?

Hi Vikas, 

If we compare a working scenario and non-working scenario: 

In working scenario and non-working: 

Please send me "show vpn-se ra-i filter name <user_name>"

Also, does authentication happen against an AAA server? If yes, then what is that server?

Are there any specific RADIUS attributes given to that non-working user?

Try also to remove the user from the AAA server and re-create it. I faced a similar issue before and this helped resolve it.

Hi Dina,

Thanks for your response!

Please find the attachment for show vpn-se ra-i filter name <user_name>

Note: Non-working user: ilyas; working user: Imtiaz

AAA server authentication is happening through our AD server, and that is fine because the non-working user (ilyas) is able to take remote desktop without connecting the VPN; he faces the issue only when he tries to connect with the VPN.

What else can I do in troubleshooting? Please advise.

Hi Vikas, 

Comparing working user and non-working user. Working user is able to transmit traffic: 

Username     : imtiaz                 Index        : 9819
Assigned IP  : 10.164.205.143         Public IP    : X.X.X.X
Protocol     : IKEv1 IPsecOverNatT
License      : Other VPN
Encryption   : AES256 AES128          Hashing      : SHA1 SHA1
Bytes Tx     : 92011                  Bytes Rx     : 108861

Whereas the non-working user is unable to do that:

Username     : ilyas                  Index        : 9820
Assigned IP  : 10.164.205.143         Public IP    : X.X.X.X
Protocol     : IKEv1 IPsecOverNatT
License      : Other VPN
Encryption   : AES256 AES128          Hashing      : SHA1 SHA1
Bytes Tx     : 0                      Bytes Rx     : 5493

Is user "ilyas" unable to reach anything, or only RDP to the server? Try to ping anything from this user; is it pingable?

Do you have any Identity Firewall setup on your network?

Back to our previous question, are there any specific attributes assigned to that user from the AD?
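
The comparison made in the reply above, as an added example that is not part of the original thread: it parses the two quoted session records, flags a session that has Bytes Rx but zero Bytes Tx, and lists any session attributes that differ between the working and failing user. The function names and the `SAMPLE` text are assumptions made for illustration.

```python
import re

# Constructed sample: the two session records quoted in the thread.
SAMPLE = """\
Username     : imtiaz                 Index        : 9819
Assigned IP  : 10.164.205.143         Public IP    : X.X.X.X
Protocol     : IKEv1 IPsecOverNatT
License      : Other VPN
Encryption   : AES256 AES128          Hashing      : SHA1 SHA1
Bytes Tx     : 92011                  Bytes Rx     : 108861
Username     : ilyas                  Index        : 9820
Assigned IP  : 10.164.205.143         Public IP    : X.X.X.X
Protocol     : IKEv1 IPsecOverNatT
License      : Other VPN
Encryption   : AES256 AES128          Hashing      : SHA1 SHA1
Bytes Tx     : 0                      Bytes Rx     : 5493
"""

# "Key : Value" fields; two may share a line, separated by runs of spaces.
FIELD = re.compile(r"(\w[\w ]*?)\s*:\s+(\S.*?)(?=\s{2,}|$)")
# Fields that always differ between sessions and say nothing about policy.
PER_SESSION = {"Username", "Index", "Bytes Tx", "Bytes Rx"}

def parse_sessions(text):
    """Split the output into one dict per session; 'Username' starts a record."""
    sessions = []
    for line in text.splitlines():
        for key, value in FIELD.findall(line.rstrip()):
            if key == "Username":
                sessions.append({})
            if sessions:
                sessions[-1][key] = value
    return sessions

def receive_only(sessions):
    """Usernames whose session shows Bytes Rx > 0 while Bytes Tx is 0."""
    return [s["Username"] for s in sessions
            if int(s.get("Bytes Tx", -1)) == 0 and int(s.get("Bytes Rx", 0)) > 0]

def attribute_diff(good, bad):
    """Session attributes (not counters) that differ between two sessions."""
    keys = (set(good) | set(bad)) - PER_SESSION
    return {k: (good.get(k), bad.get(k)) for k in sorted(keys)
            if good.get(k) != bad.get(k)}

if __name__ == "__main__":
    working, failing = parse_sessions(SAMPLE)
    print("receive-only sessions:", receive_only([working, failing]))
    print("attribute differences:", attribute_diff(working, failing))
```

An empty attribute diff next to a receive-only session means nothing in the session record itself distinguishes the two users, which fits the thread's resolution being found in the firewall's user group rather than in the VPN profile.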

Hi Dina,

Yes, user "ilyas" is unable to reach anything, and ICMP is disabled so nothing is pingable.

Yes, I have two firewalls set up in my network.

There is no specific attribute in AD for that non-working user.

Please refer to the route print taken when we connected the VPN (it seems fine).

Hi Vikas, 

Please see this link to see what I mean so far with Identity firewall: 

https://supportforums.cisco.com/document/80646/asa-idfw-identity-firewall-step-step-configuration

Let me know also if we have any Identity firewall setup on our ASA 

Also have a check for any dynamic access policies. 

show running-config all dynamic-access-policy-record

One other thing - are both users RDPing to the server via its IP address or are they using DNS FQDN?

If the latter, verify that it can resolve for the non-working user via nslookup.

Hi Marvin,

The working and non-working users won't be able to ping the RD server as ICMP is blocked. And both users are not able to ping DNS either.

Monitoring > VPN > VPN Statistics > Sessions: (ByteTx is showing as 0 while ByteRx is showing connections, so it means the non-working user is unable to transfer the traffic.)

Hi Maddy, 

Yes, this is what I suspected here; that's why I asked if we have any Identity Firewall configuration on your ASA.

Nice so far to see your issue resolved :) 

:)

Dear MaddyV,
I am also getting a similar error message after being connected to the VPN, as reported by Vikas in the original post. But I could not find the path you have mentioned to add the user to the User Group of RDP; could you please elaborate more on this to help me?
Thanks in advance! I am waiting for your reply as it is urgent.
