Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
13455
Views
0
Helpful
1
Replies

Cisco anyconnect VPN client establishment from a remote desktop is disabled.

rahulpratheek
Level 1
Level 1

‎01-27-2012 02:14 AM - edited ‎02-21-2020 05:50 PM

Hi,

I have set up an Any connect VPN client profile in ASA 5200. So, before creating an Any connect profile, i have uploaded the Any connect client image into flash (.pkg).It was successfully uploaded.

While creating the profile, i have choosen the AAA server that i created (here its a RADIUS Server), specified the IP pool (192.168.2.x to 192.168.2.x),

and assigned a group policy that i created.

So, in the client side i have installed the Any Connect VPN client in Win XP (version compatible with XP, same as the one that was uploaded into flash).

Entered the IP of ASA in the "connect to" field of Any connect client. So, in the group field, it has auto detected the any connect profile which was created in ASA and i entered username and password and clicked on connect.It has authenticated the user credentials and has displayed the banner present in the group policy.

I accepted the banner, it displayed the security alert,clicked on OK on the alert, immediately after this it has thrown me a warning "VPN establishment capability from a remote desktop is disabled. A VPN coonection will not be established.".

When i click OK on the warning, it has thrown me another warning "Any connect wasn't able to establish a connection to the specified secure gateway.Please try connecting again".

When i searched for this warning, i got a work around which says "you will have to modify the "AnyConnectProfile.tmpl file", which can be found on the machine where the client was installed (its an xml file). You need to change the setting of "'WindowsVPNEstablishment' from "LocalUsersOnly" to "AllowRemoteUsers".

Since i installed the any connect client in XP, i found this xml file in "C:\Documents and Settings\username\Local Settings\ApplicationData\

Cisco\Cisco AnyConnect VPN Client\preferences.xml" . So, is this the same xml file where the change needs to be done? Because,  i havent found the setting "WindowsVPNEstablishment" in this xml file.

So, could any one please tell me where can i find this "AnyConnectProfile.tmpl file", if at all this is where the modification needs to be done.

Any help would be grateful to me.

Thanks,

Rahul.

Labels:
0 Helpful
1 Reply 1

Herbert Baerten
Cisco Employee
Cisco Employee

‎02-03-2012 04:37 AM

Hi Rahul,

this setting is indeed not in the preferences.xml file, which is used for other settings.

The WindowsVPNEstablishment setting is in the xml profile, which can be found in

c:\documents and settings\all users\application data\cisco\cisco anyconnect vpn client\profile

(path will be different when using Anyconnect 3.x, or when using Vista/Win7, or when using a non-english OS).

If there is a .xml file there, edit it. If there is none, edit the .tmpl file and save it as .xml.

Alternatively, use the profile editor in ASDM to create a  profile, and link it to the group-policy. The ASA will then push the  profile to the client after it succesfully connects (but so in your  case, you would have to first connect without using RDP, to be able to  download the profile from the ASA).

hth

Herbert

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents