Cisco Support Community

New Member

Cisco anyconnect VPN client establishment from a remote desktop is disabled.


I have set up an AnyConnect VPN client profile in ASA 5200. So, before creating an AnyConnect profile, I have uploaded the AnyConnect client image into flash (.pkg). It was successfully uploaded.

While creating the profile, I have chosen the AAA server that I created (here it's a RADIUS server), specified the IP pool (192.168.2.x to 192.168.2.x), and assigned a group policy that I created.

So, on the client side I have installed the AnyConnect VPN client on Win XP (version compatible with XP, same as the one that was uploaded into flash).

I entered the IP of the ASA in the "connect to" field of the AnyConnect client. In the group field, it auto-detected the AnyConnect profile which was created in the ASA, and I entered the username and password and clicked on connect. It authenticated the user credentials and displayed the banner present in the group policy.

I accepted the banner, it displayed the security alert, and I clicked OK on the alert. Immediately after this it threw a warning: "VPN establishment capability from a remote desktop is disabled. A VPN connection will not be established."

When I click OK on the warning, it throws another warning: "AnyConnect wasn't able to establish a connection to the specified secure gateway. Please try connecting again".

When I searched for this warning, I found a workaround which says: "You will have to modify the 'AnyConnectProfile.tmpl' file, which can be found on the machine where the client was installed (it's an XML file). You need to change the setting of 'WindowsVPNEstablishment' from 'LocalUsersOnly' to 'AllowRemoteUsers'."

Since I installed the AnyConnect client on XP, I found this XML file in "C:\Documents and Settings\username\Local Settings\ApplicationData\Cisco\Cisco AnyConnect VPN Client\preferences.xml". So, is this the same XML file where the change needs to be done? Because I haven't found the setting "WindowsVPNEstablishment" in this XML file.

So, could anyone please tell me where I can find this "AnyConnectProfile.tmpl" file, if at all this is where the modification needs to be done?

I would be grateful for any help.



Cisco Employee

Cisco anyconnect VPN client establishment from a remote desktop

Hi Rahul,

This setting is indeed not in the preferences.xml file, which is used for other settings.

The WindowsVPNEstablishment setting is in the xml profile, which can be found in

c:\documents and settings\all users\application data\cisco\cisco anyconnect vpn client\profile

(The path will be different when using AnyConnect 3.x, or when using Vista/Win7, or when using a non-English OS.)

If there is a .xml file there, edit it. If there is none, edit the .tmpl file and save it as .xml.

Alternatively, use the profile editor in ASDM to create a profile, and link it to the group-policy. The ASA will then push the profile to the client after it successfully connects (so in your case, you would have to first connect without using RDP, to be able to download the profile from the ASA).
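
The check and edit described in this reply, as an added example that is not part of the original thread and is not Cisco's code: it reads `WindowsVPNEstablishment` from a profile, shows that a preferences file does not carry it, and rewrites the value. The two sample documents, their element layout and namespace, and all function names are constructed assumptions.

```python
import xml.etree.ElementTree as ET

SETTING = "WindowsVPNEstablishment"
ALLOWED = ("LocalUsersOnly", "AllowRemoteUsers")  # the two values named in the thread

# Constructed sample profile; layout and namespace are assumptions.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
  </ClientInitialization>
</AnyConnectProfile>"""

# Constructed stand-in for preferences.xml, which holds other settings.
SAMPLE_PREFERENCES = """<AnyConnectPreferences>
  <DefaultUser>user1</DefaultUser>
</AnyConnectPreferences>"""

def _find_setting(root):
    """Return the setting element regardless of XML namespace, or None."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == SETTING:
            return el
    return None

def read_vpn_establishment(xml_text):
    """Return the configured value, or None if the file has no such element."""
    el = _find_setting(ET.fromstring(xml_text))
    return None if el is None else (el.text or "").strip()

def set_vpn_establishment(xml_text, value):
    """Return the profile XML with the setting changed to `value`."""
    if value not in ALLOWED:
        raise ValueError(f"{value!r} is not one of {ALLOWED}")
    root = ET.fromstring(xml_text)
    el = _find_setting(root)
    if el is None:
        raise LookupError(f"no <{SETTING}> element: not a client profile?")
    el.text = value
    if root.tag.startswith("{"):
        # Keep the profile's default namespace instead of an ns0: prefix.
        ET.register_namespace("", root.tag[1:].split("}")[0])
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print("profile:", read_vpn_establishment(SAMPLE_PROFILE))
    print("preferences:", read_vpn_establishment(SAMPLE_PREFERENCES))
    print(set_vpn_establishment(SAMPLE_PROFILE, "AllowRemoteUsers"))
```

Run against every profile under the client's profile directory, `read_vpn_establishment` also serves as an audit of which machines permit VPN establishment from remote desktop sessions.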


