cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
306193
Views
15
Helpful
9
Replies

VPN establishment capability from a remote desktop is disabled

kbraghunath
Level 1
Level 1

Hi all,

I have installed windows7 prof 64bit primary OS. Also I am using Windows XP on virtual PC. When I try to connect VPN through the XP. I got the below error  VPN establishment capability from a remote desktop is disabled. A VPN connection will not be established.

Pls help me to fix this.

9 Replies 9

busterswt
Level 1
Level 1

To get this to work you'll probably want the latest AnyConnect client, and you'll need to modify the AnyConnectProfile.tmpl file. The file can be found on your machine (once the client is installed). It's an XML-based file, and contains a setting called 'WindowsVPNEstablishment'. Modify the setting to say 'AllowRemoteUsers' instead of 'LocalUsersOnly'.

You may be able to save the file and connect without a problem. However, I had to push the modified template from the ASA to the client to get it working properly.

When you've modified the AnyConnectProfile.tmpl with the necessary changes, upload that modified file to the ASA using the CLI (tftp) or ASDM. A good place is just "disk0:/AnyConnectProfile.tmpl".

In the webvpn config mode, create a new profile using that file:

ciscoasa(config)# webvpn

ciscoasa(config-webvpn)# svc profiles MY-PROFILE disk0:/AnyConnectProfile.tmpl

Next, you'll need to associate this profile on either a per-group or per-user basis, or both:

ciscoasa(config)# username testuser attributes
ciscoasa(config-username-attributes)# webvpn
ciscoasa(config-username-webvpn)# svc profiles value MY-PROFILE
 
 *OR*

ciscoasa(config)# group-policy my-vpn-group attributes
ciscoasa(config-group-attributes)# webvpn
ciscoasa(config-group-webvpn)# svc profiles value MY-PROFILE

The next time you connect with the AnyConnect VPN client, the new profile should be downloaded and applied immediately. The changes you made to AllowRemoteUsers should allow you to connect via your RDP session without error.

- James

Hi,

Thanks for your answer.I forgot to mension that I am using cisco anytime web client. So each time when I connect using IE URL. It will download any connect.

Where the file will be stored ?

Regards,

Raghu

I'm not sure where the file is stored, but you can just search for it on your machine and it should be there after the client has been installed the first time. If the client is being installed every time you hit the URL in the browser, your best bet is to push the modified template out to the clients upon connecting, as I described in my original reply.

Good luck!

James

On windows machine the profile file is usually stored at:

C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile

Peter Long
Level 1
Level 1

If your using the version 3 of the client, I don't think the

AnyConnectProfile.tmpl file exists anymore, heres how I solved the problem with version 3,

AnyConnect - 'VPN establishment capability from a remote desktop is disabled. A VPN connection will not 

be established


Pete

PetenetLive

Hello Pete,

I actually tried your suggestion to no avail. I am still looking for a fix. I am using ASA version 8.4(7)26 and Cisco AnyConnect anyconnect-win-3.1.10010-k9.pkg

132    -rwx  2137         23:52:56 Sep 23 2014  RA-SSL-Profile.xml

group-policy AnyConnect-GROUP internal
group-policy AnyConnect-GROUP attributes
dns-server value x.x.x.x
vpn-simultaneous-logins 1
vpn-idle-timeout 1440
vpn-filter value VPN_RESTRICT
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Split_Tunnel
webvpn
anyconnect modules value dart
anyconnect profiles value RA-SSL-Profile type user

I take this back. It is working. I am not sure why I coudln't get it to work in the past or if I changed anything in the config between then. in any case, it is working.

What was the final configuration? I applied what they suggested with no luck. My VPN with Windows XP Mode won't connect, any ideas?

Thanks

All this can now be done in the ASDM in the profile editor!!!!!

Pete

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: