11-08-2023 09:30 AM
I have users connecting to virtual desktops in Azure running Windows 11. For some reason they cannot connect to an SSL VPN we have set up in AWS. In the process they successfully authenticate against SAML via Okta and then they pass authorization we are running on the ASAv via a ClearPass policy looking up attributes on an LDAP database. But as they accept the banner they see these messages and are disconnected.
Our issue is that after we connect to a remote Windows machine through RDP, we are not able to connect to the VPN from that remote machine. On the same machine, if I connect remotely through Citrix Workspace, I can connect to the VPN (in the remote machine).
This appears to be a known issue that there was a workaround for by changing LocalUsersOnly to AllowRemoteUser in the client profile:
<WindowsVPNEstablishment>AllowRemoteUser</WindowsVPNEstablishment>
We did this and applied the client profile to the group-policy, but we still get the same results. I see in this community board that this was a working workaround about a year or so ago, but it is still failing. Can clients connecting to RDP sessions successfully connect to the ASA SSL VPN? I do have clients running in AWS Workspaces that can use the VPN.
11-15-2023 04:06 AM - edited 11-15-2023 04:06 AM
The workaround is correct; you need to have that in the profile. I guess the issue is that the profile is never downloaded from the headend to your device.
Either you need to connect from the same PC via a non-RDP method at least once to download the profile, or try manually copying the XML file to the AnyConnect Program Data location (C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile if you use the AnyConnect 4.10.x series, OR C:\ProgramData\Cisco\Cisco Secure Client\VPN\Profile if you use the Secure Client 5.x series) and connect again from the RDP session to see if the connection succeeds.
11-15-2023 10:35 AM
Thank you for the reply, but unfortunately I cannot resolve this issue with the client profile. I exported the profile file from the firewall using the ASDM, uploaded it to the VDI and placed it in the folder you stated, but I could not connect and got the same error.
On the ASA I am using a separate tunnel profile that uses a separate group-policy so that the profile is only applied to VDI users. How can I troubleshoot to confirm that the client is getting the profile or using the profile?
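An added check, not part of the thread, for the question of confirming that the client actually has the profile: the PowerShell below looks in the two ProgramData profile directories named in the reply above and reports the WindowsVPNEstablishment value in every profile XML it finds, plus the current session name (RDP sessions show as RDP-Tcp#n). It assumes the default install paths and that the profile XML declares a default namespace, which is why the lookup matches on local element name.

```powershell
# Added example, not from the thread: report which Secure Client / AnyConnect
# profile directory exists on this Windows host and what each profile XML
# sets for WindowsVPNEstablishment (the element quoted in the question).
$profileDirs = @(
    'C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile',  # AnyConnect 4.10.x
    'C:\ProgramData\Cisco\Cisco Secure Client\VPN\Profile'                   # Secure Client 5.x
)

function Get-VpnEstablishmentSetting {
    param([string]$Path)
    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    # Match on local name so the default namespace in the profile does not matter.
    $node = $doc.SelectSingleNode("//*[local-name()='WindowsVPNEstablishment']")
    if ($null -eq $node) { return '(element missing)' }
    return $node.InnerText.Trim()
}

foreach ($dir in $profileDirs) {
    if (-not (Test-Path -LiteralPath $dir)) {
        Write-Output "Not present: $dir"
        continue
    }
    $xmlFiles = Get-ChildItem -LiteralPath $dir -Filter *.xml -File
    if (-not $xmlFiles) {
        Write-Output "No profile XML in $dir (profile never downloaded or copied here)"
        continue
    }
    foreach ($f in $xmlFiles) {
        $value = Get-VpnEstablishmentSetting -Path $f.FullName
        Write-Output ("{0}`n  WindowsVPNEstablishment = {1}  (modified {2})" -f `
            $f.FullName, $value, $f.LastWriteTime)
    }
}

# The setting only matters inside a remote session; show what kind this is.
Write-Output ("Session name: {0} (RDP sessions appear as RDP-Tcp#n)" -f $env:SESSIONNAME)
```

Run it inside the RDP session that fails: a profile that lists AllowRemoteUser but was written before the group-policy change, or no XML at all, points at the headend never pushing the profile to that desktop.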