Starting AnyConnect VPN through RDP Session

Answered Question
Oct 30th, 2012

Hi,

We have AnyConnect (ver 3.1.01065) configured on our ASA5520 boxes. VPN is working fine from the desktop, but I also need the ability to establish a VPN connection through an RDP connection (i.e. I'm using RDP to connect to a PC which has AnyConnect installed on it, then trying to establish a VPN connection).

I've downloaded the Cisco VPN Profile Editor and changed the <WindowsVPNEstablishment> option to "AllowRemoteUsers". Then applied the profile to the relevant Group Policy. Connected VPN from the PC (not through RDP), so that it downloads the new profile, and then disconnected again.

However, I still can't start VPN through an RDP connection. (Error is "VPN establishment capability from a remote desktop is disabled. A VPN connection will not be established".)

I've checked the XML file on the local PC to confirm the profile has been downloaded (and it has, and I can see the AllowRemoteUsers option).

This also happened with the previous version of AnyConnect (3.0.xxxx).

The PC's local routing tables look fine, and I can't see any conflicts that would cause the RDP session to drop.

Also - If I connect VPN, then RDP onto the PC, both the VPN and RDP sessions work fine.

Any ideas would be appreciated!

Thanks

Tony

Correct Answer
jportugu Tue, 10/30/2012 - 11:32

Hi Tony,

For this to work, both the ASA and the client must have the same XML profile.

I just tested this with AC 3.1 and ASA 8.4 and it worked just fine.

I am including the XML file.

*BTW, make sure the profile is assigned to the correct group-policy.

HTH.

Portu.

Please rate any helpful posts

tonymitchell Wed, 10/31/2012 - 03:57

Hi Portu,

Thanks for your reply, and thanks for confirming that it works with AC 3.1 and ASA 8.4 (I'm using the same ASA version).

It looks like the issue was that I created the profile with the standalone Cisco VPN Profile Editor, saved it, and uploaded it to the ASA. I then added a new profile on the ASA (in the Cisco AnyConnect Profiles section) and specified the file... however, it appears that I overwrote the uploaded profile, as the WindowsVPNEstablishment was set to LocalUsers. Once I changed it to AllowRemoteUsers and applied the config, then deleted the profiles from the client, it worked!

Simple mistake - but easily done!!

Thanks again

Tony
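
The mismatch found in this thread (the ASA copy of the profile carrying a different WindowsVPNEstablishment value than the client copy) can be checked by comparing the two XML files directly. The following is an added example, not part of the original thread and not Cisco code; the sample profiles are constructed, and the function names are hypothetical.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample profiles (not the attachment from the thread).
# "LocalUsersOnly" is the schema value the thread refers to as LocalUsers.
ASA_COPY = b"""<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
  </ClientInitialization>
</AnyConnectProfile>"""
CLIENT_COPY = ASA_COPY.replace(b"LocalUsersOnly", b"AllowRemoteUsers")


def establishment_setting(profile_bytes):
    """Return the WindowsVPNEstablishment value, or None if the element is absent."""
    root = ET.fromstring(profile_bytes)
    for element in root.iter():
        # Tags look like "{namespace}Name"; compare on the local name only
        # so the check works with or without the profile namespace.
        if element.tag.rsplit("}", 1)[-1] == "WindowsVPNEstablishment":
            return (element.text or "").strip()
    return None


def compare_profiles(asa_bytes, client_bytes):
    """Compare the ASA-side and client-side copies of one profile."""
    asa = establishment_setting(asa_bytes)
    client = establishment_setting(client_bytes)
    same_file = (hashlib.sha256(asa_bytes).hexdigest()
                 == hashlib.sha256(client_bytes).hexdigest())
    return {
        "asa": asa,
        "client": client,
        "identical": same_file,
        # Per the accepted answer, both copies must carry the setting.
        "remote_allowed": asa == client == "AllowRemoteUsers",
    }


if __name__ == "__main__":
    # Reproduces the situation in the thread: client copy edited,
    # ASA copy still holding the old value.
    for key, value in compare_profiles(ASA_COPY, CLIENT_COPY).items():
        print(f"{key}: {value}")
```

AllowRemoteUsers lets a user in a remote desktop session bring up the tunnel, so assign the profile only to the group policy that needs it.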

Posted October 30, 2012 at 9:56 AM
Tags: vpn, rdp, anyconnect
Categories: AnyConnect