
Starting AnyConnect VPN through RDP Session

tonymitchell

Hi,

We have AnyConnect (ver 3.1.01065) configured on our ASA5520 boxes. VPN is working fine from the desktop, but I also need the ability to establish a VPN connection through a RDP connection (i.e. I'm using RDP to connect to a PC which has AnyConnect installed on, then trying to establish a VPN connection).

I've downloaded the Cisco VPN Profile Editor, changed the <WindowsVPNEstablishment> option to "AllowRemoteUsers". Then applied the profile to the relevant Group Policy. Connected VPN from the PC (not through RDP), so that it downloads the new profile, and then disconnected again.

However, I still can't start VPN through an RDP connection. (Error is "VPN establishment capability from a remote desktop is disabled. A VPN connection will not be established".)

I've checked the XML file on the local PC to confirm the profile has been downloaded (and it has, and I can see the AllowRemoteUsers option).

This also happened with the previous version of AnyConnect (3.0.xxxx).

The PC's local routing tables look fine, and I can't see any conflicts that would cause the RDP session to drop.

Also - If I connect VPN, then RDP onto the PC, both the VPN and RDP sessions work fine.

Any ideas would be appreciated!

Thanks

Tony

Accepted Solutions

Hi Tony,

For this to work, both the ASA and the client must have the same XML profile.

I just tested this with AC 3.1 and ASA 8.4 and it worked just fine.

I am including the XML file.

*BTW, make sure the profile is assigned to the correct group-policy.

HTH.

Portu.

Please rate any helpful posts

Hi Portu,

Thanks for your reply, and thanks for confirming that it works with AC 3.1 and ASA 8.4 (I'm using the same ASA version).

It looks like the issue was that I created the profile with the standalone Cisco VPN Profile Editor, saved it, and uploaded it to the ASA. I then added a new profile on the ASA (in the Cisco AnyConnect Profiles section), and specified the file... however, it appears that I overwrote the uploaded profile, as the WindowsVPNEstablishment was set to LocalUsers. Once I changed it to AllowRemoteUsers and applied the config, then deleted the profiles from the client, it worked!

Simple mistake - but easily done!!

Thanks again

Tony

Tony,

You are welcome!

Have a good one

Thanks, Tony, this helped me.  Editing the profile worked.


Regards,
Jay McMickle- 2x CCIE #35355 (R/S,Sec)
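
The root cause in this thread was that the profile stored on the ASA and the copy on the client disagreed on `WindowsVPNEstablishment`. The check below is an added example, not part of any post above and not Cisco code: it compares that setting in two copies of a profile. The sample XML is constructed and trimmed to the relevant elements, the value name `LocalUsersOnly` is taken from the AnyConnect profile schema rather than from the thread, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample profiles (not from the thread), trimmed to the elements
# that matter here. Real profiles carry many more settings.
NS = "http://schemas.xmlsoap.org/encoding/"
PROFILE_TEMPLATE = """<AnyConnectProfile xmlns="{ns}">
  <ClientInitialization>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>{value}</WindowsVPNEstablishment>
  </ClientInitialization>
</AnyConnectProfile>"""
# Mirrors the situation described: the ASA copy was overwritten, the client
# copy still shows the edited value.
ASA_PROFILE = PROFILE_TEMPLATE.format(ns=NS, value="LocalUsersOnly")
CLIENT_PROFILE = PROFILE_TEMPLATE.format(ns=NS, value="AllowRemoteUsers")


def get_setting(profile_xml, name):
    """Return the text of the first element called `name`, ignoring namespaces."""
    root = ET.fromstring(profile_xml)
    for elem in root.iter():
        # Tags look like "{namespace}LocalName"; compare the local part only.
        if elem.tag.rsplit("}", 1)[-1] == name:
            return (elem.text or "").strip()
    return None  # element not present in this copy


def check_rdp_vpn(asa_xml, client_xml):
    """Return a list of problems that would block VPN establishment over RDP."""
    asa = get_setting(asa_xml, "WindowsVPNEstablishment")
    client = get_setting(client_xml, "WindowsVPNEstablishment")
    problems = []
    if asa != client:
        problems.append(f"mismatch: ASA={asa!r} client={client!r}")
    if asa != "AllowRemoteUsers":
        # The client downloads the ASA copy on connect, so this copy decides.
        problems.append("ASA copy does not allow VPN establishment from RDP")
    return problems


if __name__ == "__main__":
    for line in check_rdp_vpn(ASA_PROFILE, CLIENT_PROFILE) or ["profiles agree"]:
        print(line)
```

To use it on real files, read the profile exported from the ASA and the one on the PC as bytes and pass them in place of the two constructed strings.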
