I have installed windows7 prof 64bit primary OS. Also I am using Windows XP on virtual PC. When I try to connect VPN through the XP. I got the below error VPN establishment capability from a remote desktop is disabled. A VPN connection will not be established.
Pls help me to fix this.
To get this to work you'll probably want the latest AnyConnect client, and you'll need to modify the AnyConnectProfile.tmpl file. The file can be found on your machine (once the client is installed). It's an XML-based file, and contains a setting called 'WindowsVPNEstablishment'. Modify the setting to say 'AllowRemoteUsers' instead of 'LocalUsersOnly'.
You may be able to save the file and connect without a problem. However, I had to push the modified template from the ASA to the client to get it working properly.
When you've modified the AnyConnectProfile.tmpl with the necessary changes, upload that modified file to the ASA using the CLI (tftp) or ASDM. A good place is just "disk0:/AnyConnectProfile.tmpl".
In the webvpn config mode, create a new profile using that file:
ciscoasa(config-webvpn)# svc profiles MY-PROFILE disk0:/AnyConnectProfile.tmpl
Next, you'll need to associate this profile on either a per-group or per-user basis, or both:
ciscoasa(config)# username testuser attributes ciscoasa(config-username-attributes)# webvpn ciscoasa(config-username-webvpn)# svc profiles value MY-PROFILE *OR* ciscoasa(config)# group-policy my-vpn-group attributes ciscoasa(config-group-attributes)# webvpn ciscoasa(config-group-webvpn)# svc profiles value MY-PROFILE
The next time you connect with the AnyConnect VPN client, the new profile should be downloaded and applied immediately. The changes you made to AllowRemoteUsers should allow you to connect via your RDP session without error.
Thanks for your answer.I forgot to mension that I am using cisco anytime web client. So each time when I connect using IE URL. It will download any connect.
Where the file will be stored ?
I'm not sure where the file is stored, but you can just search for it on your machine and it should be there after the client has been installed the first time. If the client is being installed every time you hit the URL in the browser, your best bet is to push the modified template out to the clients upon connecting, as I described in my original reply.
If your using the version 3 of the client, I don't think the
AnyConnectProfile.tmpl file exists anymore, heres how I solved the problem with version 3,
I actually tried your suggestion to no avail. I am still looking for a fix. I am using ASA version 8.4(7)26 and Cisco AnyConnect anyconnect-win-3.1.10010-k9.pkg
132 -rwx 2137 23:52:56 Sep 23 2014 RA-SSL-Profile.xml
group-policy AnyConnect-GROUP internal
group-policy AnyConnect-GROUP attributes
dns-server value x.x.x.x
vpn-filter value VPN_RESTRICT
split-tunnel-network-list value VPN_Split_Tunnel
anyconnect modules value dart
anyconnect profiles value RA-SSL-Profile type user
I take this back. It is working. I am not sure why I coudln't get it to work in the past or if I changed anything in the config between then. in any case, it is working.