VDI in Azure cannot connect to SSL VPN on ASAv

ajamua
Level 1

I have users connecting to virtual desktops in Azure running Windows 11. For some reason they cannot connect to an SSL VPN we have set up in AWS. In the process they successfully authenticate against SAML via Okta, and then they pass the authorization we are running on the ASAv via a ClearPass policy looking up attributes in an LDAP database. But as they accept the banner they see these messages and are disconnected.

[Screenshot: Screenshot 2023-11-08 at 3.00.49 PM.png]

Our issue is that after we connect to a remote Windows machine through RDP, we are not able to connect to the VPN from that remote machine. If I connect to the same machine remotely through Citrix Workspace, I can connect to the VPN (in the remote machine).

This appears to be a known issue that there was a workaround for by changing LocalUsersOnly to AllowRemoteUser in the client profile:

 <WindowsVPNEstablishment>AllowRemoteUser</WindowsVPNEstablishment>

We did this and applied the client profile to the group-policy, but we still get the same results. I see in this community board that this was a working workaround about a year or so ago, but it is still failing. Can clients connecting from RDP sessions successfully connect to the ASA SSL VPN? I do have clients running in AWS Workspaces that can use the VPN.


Accepted Solution

Pavan Gundu
Cisco Employee

The workaround is correct; you need to have that in the profile. I guess the issue is that the profile is never downloaded from the headend to your device.

Either you need to connect from the same PC via a non-RDP method at least once to download the profile, or try manually copying the XML file to the AnyConnect ProgramData location (C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile if you use the AnyConnect 4.10.x series, or C:\ProgramData\Cisco\Cisco Secure Client\VPN\Profile if you use the Secure Client 5.x series) and connect again from the RDP session to see if the connection succeeds.


2 Replies


Thank you for the reply, but unfortunately I cannot resolve this issue with the client profile. I exported the profile file from the firewall using ASDM, uploaded it to the VDI and placed it in the folder you stated, but I could not connect and got the same error.

On the ASA I am using a separate tunnel profile that uses a separate group-policy, so that the profile is only applied to VDI users. How can I troubleshoot to confirm that the client is getting the profile or using the profile?
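One way to answer that last question from the VDI side, added here as an example and not code from this thread or from Cisco: run the following in PowerShell inside the RDP session on the VDI. It looks in both profile directories named in the accepted answer, reports each profile's WindowsVPNEstablishment value and file timestamp (a fresh timestamp after a successful non-RDP connection shows the headend delivered it), and prints the session type. That RDP sessions get a SESSIONNAME of the form RDP-Tcp#N, and that a profile without the element behaves as LocalUsersOnly, are assumptions from general AnyConnect/Windows behaviour, not statements from the thread.

```powershell
# Added example, not from the thread: inspect the Secure Client / AnyConnect profile(s)
# on this Windows VDI and report the WindowsVPNEstablishment setting in each.
# The two directories are the ones given in the accepted answer.
$profileDirs = @(
    'C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile',  # AnyConnect 4.10.x
    'C:\ProgramData\Cisco\Cisco Secure Client\VPN\Profile'                   # Secure Client 5.x
)

# Assumption: an RDP session reports SESSIONNAME like 'RDP-Tcp#3'; a local logon reports 'Console'.
Write-Host ("Session type: {0}" -f $env:SESSIONNAME)

$found = $false
foreach ($dir in $profileDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($file in Get-ChildItem -LiteralPath $dir -Filter '*.xml' -File) {
        $found = $true
        try {
            [xml]$doc = Get-Content -LiteralPath $file.FullName -Raw
        } catch {
            Write-Warning ("{0}: not well-formed XML ({1})" -f $file.FullName, $_.Exception.Message)
            continue
        }
        # Match on local name so the check does not depend on the profile's XML namespace.
        $nodes = $doc.SelectNodes("//*[local-name()='WindowsVPNEstablishment']")
        if ($nodes.Count -eq 0) {
            # Assumption: with the element absent the client behaves as LocalUsersOnly.
            Write-Host ("{0}: WindowsVPNEstablishment not set (treated as LocalUsersOnly), modified {1}" -f $file.FullName, $file.LastWriteTime)
            continue
        }
        foreach ($n in $nodes) {
            $value = $n.InnerText.Trim()
            $state = if ($value -eq 'AllowRemoteUser') { 'allows RDP users' } else { 'blocks RDP users' }
            Write-Host ("{0}: WindowsVPNEstablishment={1} ({2}), modified {3}" -f $file.FullName, $value, $state, $file.LastWriteTime)
        }
    }
}
if (-not $found) {
    Write-Host 'No profile XML in either directory: the headend profile has not been delivered to this VDI.'
}
```

If a profile shows AllowRemoteUser yet the connection still drops, compare its file name with the profile attached to the VDI group-policy on the ASA, since the client only applies the profile that the headend sent for the tunnel-group it connected to.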