VPN establishment capability from a remote desktop is disabled

Unanswered Question
Dec 24th, 2009

Hi all,

I have installed windows7 prof 64bit primary OS. Also I am using Windows XP on virtual PC. When I try to connect VPN through the XP. I got the below error  VPN establishment capability from a remote desktop is disabled. A VPN connection will not be established.

Pls help me to fix this.

I have this problem too.
6 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
busterswt Thu, 12/24/2009 - 16:55

To get this to work you'll probably want the latest AnyConnect client, and you'll need to modify the AnyConnectProfile.tmpl file. The file can be found on your machine (once the client is installed). It's an XML-based file, and contains a setting called 'WindowsVPNEstablishment'. Modify the setting to say 'AllowRemoteUsers' instead of 'LocalUsersOnly'.

You may be able to save the file and connect without a problem. However, I had to push the modified template from the ASA to the client to get it working properly.

When you've modified the AnyConnectProfile.tmpl with the necessary changes, upload that modified file to the ASA using the CLI (tftp) or ASDM. A good place is just "disk0:/AnyConnectProfile.tmpl".

In the webvpn config mode, create a new profile using that file:

ciscoasa(config)# webvpn

ciscoasa(config-webvpn)# svc profiles MY-PROFILE disk0:/AnyConnectProfile.tmpl

Next, you'll need to associate this profile on either a per-group or per-user basis, or both:

ciscoasa(config)# username testuser attributes
ciscoasa(config-username-attributes)# webvpn
ciscoasa(config-username-webvpn)# svc profiles value MY-PROFILE

ciscoasa(config)# group-policy my-vpn-group attributes
ciscoasa(config-group-attributes)# webvpn
ciscoasa(config-group-webvpn)# svc profiles value MY-PROFILE

The next time you connect with the AnyConnect VPN client, the new profile should be downloaded and applied immediately. The changes you made to AllowRemoteUsers should allow you to connect via your RDP session without error.

- James

kbraghunath Fri, 12/25/2009 - 05:01


Thanks for your answer.I forgot to mension that I am using cisco anytime web client. So each time when I connect using IE URL. It will download any connect.

Where the file will be stored ?



busterswt Fri, 12/25/2009 - 17:20

I'm not sure where the file is stored, but you can just search for it on your machine and it should be there after the client has been installed the first time. If the client is being installed every time you hit the URL in the browser, your best bet is to push the modified template out to the clients upon connecting, as I described in my original reply.

Good luck!


Boris Uskov Tue, 11/17/2015 - 23:44

On windows machine the profile file is usually stored at:

C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile

Hello Pete,

I actually tried your suggestion to no avail. I am still looking for a fix. I am using ASA version 8.4(7)26 and Cisco AnyConnect anyconnect-win-3.1.10010-k9.pkg

132    -rwx  2137         23:52:56 Sep 23 2014  RA-SSL-Profile.xml

group-policy AnyConnect-GROUP internal
group-policy AnyConnect-GROUP attributes
dns-server value x.x.x.x
vpn-simultaneous-logins 1
vpn-idle-timeout 1440
vpn-filter value VPN_RESTRICT
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Split_Tunnel
anyconnect modules value dart
anyconnect profiles value RA-SSL-Profile type user

payala Wed, 08/10/2016 - 12:12

What was the final configuration? I applied what they suggested with no luck. My VPN with Windows XP Mode won't connect, any ideas?


Peter Long Tue, 08/23/2016 - 07:17

All this can now be done in the ASDM in the profile editor!!!!!



This Discussion