
AnyConnect 2.3.254

hasmas_84

Hi

I have a problem with the new feature in AnyConnect 2.3.254 that makes it possible to establish a VPN inside a Windows XP SP2 RDP connection.

I've replaced the following string: "<WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>" with "<WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>" in my profile.xml inside "c:\documents and settings\all users\application data\cisco\cisco anyconnect vpn client\profile\"

However, when I try to establish a VPN via RDP, I get the message: "VPN Establishment capability from a remote desktop is disabled. A VPN connection will not be established."

I do use split tunneling on the VPN network that I try to connect to. However, I have only upgraded my AnyConnect on my RDP-computer, and not on my Cisco ASA 5505. Is that likely to be the problem? The Cisco still has the 2.2.140 pkg-image, together with ASA 8.0(4) and ASDM 6.13.

Hope anyone can help.

Thanks.

Cheers,

Harald


drolemc

The AnyConnect client disconnects the VPN connection when the user who established the VPN connection logs off. If the connection is established by a remote user, and that remote user logs off, then the VPN connection is terminated.

Here is the XML profile that will resolve your issue.

http://asapedia/index.php/Launch_anyconnect_within_RDP_session#Solution:

Thanks for your help. However, the link you provided does not work. It has no top level domain, nor did Google provide any links for asapedia.

I've done some more testing. An upgrade to xx.2.3.0254-k9.pkg in the ASA 5505 did not help.

I was also able to establish a VPN connection from my computer, then RDP to that computer, without the VPN getting disconnected.

However, my problem with establishing a VPN connection inside an RDP session still remains unsolved.

Anyone else gotten this to work? Do I need to configure anything on the ASA 5505, or should I only change the XML-profile config?

Harald

Same exact problem here. Just upgraded to ASA 8.2(1) and ASDM 6.2.1. That did not help at all. Must be some kind of setting in the ASA. Did you get it figured out yet?

Unfortunately, no luck so far. I'm still running version 8.0(4) though. Please post a reply if you solve the problem.

Thanks.

Hello, same problem here. Does somebody have a solution?

Thanks

I'd like the tunnel to stay active during a logoff. This makes things like profile creation and password synch much easier.

I have managed to get this to work, and did so by uploading the modified XML template to the ASA and pushing it down to the client upon connection.

Upload the profile to the ASA using tftp or through ASDM, and add the following to the webvpn configuration:

svc profiles MY-PROFILE-NAME disk0:/AnyConnectProfile.tmpl

You should be able to push it down through the group policy, but I chose to do it on a per-user basis (as I only have one test user):

username testuser attributes
 webvpn
  svc profiles value MY-PROFILE-NAME

Example using group-policy:

group-policy my-vpn-group attributes
  webvpn
   svc profiles value MY-PROFILE-NAME

I don't think I left anything out, but if you continue to have trouble let me know.

James

Thanks a lot Mr. Denton!

This really helped me a lot on the way to solving the problem. However, I have around 10 different ASAs right now, and they don't have the profile settings on them. Shouldn't be too much work getting the profiles on the boxes, but the best thing would be to only connect to an ASA with the correct profile, and then use that profile for all the other ASAs. Any tips in that direction?

Thanks again.

Harald

Hi Harald,

The 'AnyConnectProfile.tmpl' file can be found on a client workstation that has the AnyConnect client installed on it. You would modify the settings in that file, and then upload that template to each ASA. Once the user or group attributes have been modified on each ASA, you should be good to go.

James
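
An added example, not part of any post in this thread: a Python check that reads the WindowsVPNEstablishment value out of profile templates collected from several ASAs and flags any that differ from the value you expect each ASA to push. The sample profiles, their wrapper element names and the `asa-NN` labels are constructed for illustration and are assumptions, not taken from a real AnyConnectProfile.tmpl.

```python
import xml.etree.ElementTree as ET

SETTING = "WindowsVPNEstablishment"
KNOWN = {"LocalUsersOnly", "AllowRemoteUsers"}  # the two values quoted in the thread

def local_name(tag):
    """Strip an XML namespace prefix such as '{uri}Name' down to 'Name'."""
    return tag.rsplit("}", 1)[-1]

def vpn_establishment(profile_xml):
    """Return the profile's WindowsVPNEstablishment value, or None if absent."""
    root = ET.fromstring(profile_xml)  # input is admin-controlled profile text
    for elem in root.iter():
        if local_name(elem.tag) == SETTING:
            return (elem.text or "").strip()
    return None

def audit(profiles, expected):
    """Map each profile name to ok, missing, unparseable, unknown:<v> or mismatch:<v>."""
    report = {}
    for name, xml_text in profiles.items():
        try:
            value = vpn_establishment(xml_text)
        except ET.ParseError:
            report[name] = "unparseable"
            continue
        if value is None:
            report[name] = "missing"
        elif value not in KNOWN:
            report[name] = "unknown:" + value
        elif value != expected:
            report[name] = "mismatch:" + value
        else:
            report[name] = "ok"
    return report

# Constructed sample profiles; the wrapper element names are assumptions.
SAMPLES = {
    "asa-01": "<AnyConnectProfile><ClientInitialization>"
              "<WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>"
              "</ClientInitialization></AnyConnectProfile>",
    "asa-02": '<AnyConnectProfile xmlns="urn:example"><ClientInitialization>'
              "<WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>"
              "</ClientInitialization></AnyConnectProfile>",
    "asa-03": "<AnyConnectProfile><ClientInitialization/></AnyConnectProfile>",
    "asa-04": "<AnyConnectProfile><ClientInitialization>",  # truncated upload
}

if __name__ == "__main__":
    for name, status in sorted(audit(SAMPLES, "AllowRemoteUsers").items()):
        print(name, status)
```

Passing "LocalUsersOnly" as the expected value turns the same check into a report of which profiles permit VPN establishment from a remote desktop session.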

Thanks again. I will do the update for all the ASAs I have running. Although, I wish it would be a setting that you can adjust locally, regardless of whether the ASA sends out the "correct" profile file or not.

Harald

To make your life a little easier, you can try the beta Profile Editor utility on CCO. All you have to do is configure the AnyConnect features that you want via the GUI and it will spit out the XML file.

http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=Profile+Editor&mdfid=282414594&sftType=VPN+Client+Tools+and+Utilities&optPlat=&nodecount=4&edesignator=null&modelName=Cisco+VPN+Client+Tools&treeMdfId=268438162&modifmdfid=null&imname=&tr...

You're a beast! Good work buddy! This helped me tonight
