VPN establishment capability from a remote desktop is disabled

Juraj22
Comes here often

Hello, maybe someone can help me in this very strange case.

We have a situation where we need to connect via RDP to a Win10 PC station and then from this PC via AnyConnect VPN to an MX64 device. But it is not working; there is an error like: VPN establishment capability from a remote desktop is disabled.

If we go directly from the Win10 PC to the MX device, everything works fine.

I have read some articles about the VPN profile editor, so I have changed <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment> in the profile.xml section, but without success.

Can somebody help with this solution?

Thanks a lot.

PhilipDAth
Kind of a big deal

You are right that you need the "AllowRemoteUsers" option.  I'm thinking the change has not taken correctly.  Perhaps double check the XML syntax in the profile to make sure it is well formed.  Note that you often need to restart the AnyConnect service after making a profile change to make it re-read it.

KirkD
Just browsing

I am having the same issue while using RDP. I have tried both modifying the XML manually and using the Cisco profile editor that is downloadable off the Meraki AnyConnect page in the dashboard. Same results, and yes, I am restarting the AnyConnect client service. Anyone able to get this to work? Really need to be able to do this from a PC on one client and a terminal server on another.

PhilipDAth
Kind of a big deal

Setting the "AllowRemoteUsers" property definitely works.  Perhaps double-check the profile directory and make sure you don't have an additional profile turning it back off again.

%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\
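
Added example (not part of the thread and not Cisco or Meraki tooling): a PowerShell check for the two things suggested in the replies above, that every profile in this directory is well-formed XML and that no second profile carries a different WindowsVPNEstablishment value. The function name `Get-VpnEstablishmentSetting` is hypothetical; the directory and element name are the ones quoted in the thread.

```powershell
# Added example: audit every AnyConnect profile in the directory quoted in the thread.
# Get-VpnEstablishmentSetting is a hypothetical helper name, not a Cisco cmdlet.
function Get-VpnEstablishmentSetting {
    param(
        [string]$ProfileDir = (Join-Path $env:ProgramData 'Cisco\Cisco AnyConnect Secure Mobility Client\Profile')
    )
    foreach ($file in Get-ChildItem -LiteralPath $ProfileDir -Filter '*.xml' -File) {
        $row = [ordered]@{
            File       = $file.Name
            LastWrite  = $file.LastWriteTime
            WellFormed = $false
            Setting    = '(not set)'
            Note       = ''
        }
        try {
            $doc = New-Object System.Xml.XmlDocument
            $doc.Load($file.FullName)          # throws if the XML is not well formed
            $row.WellFormed = $true
            # local-name() matches the element whatever namespace the profile declares
            $nodes = $doc.SelectNodes("//*[local-name()='WindowsVPNEstablishment']")
            if ($nodes.Count -gt 0) {
                $values = @($nodes | ForEach-Object { $_.InnerText.Trim() })
                $row.Setting = $values -join ', '
                if ($nodes.Count -gt 1) {
                    $row.Note = 'element appears more than once'
                } elseif ($values[0] -cne 'AllowRemoteUsers') {
                    $row.Note = 'value is not AllowRemoteUsers'
                }
            } else {
                $row.Note = 'element absent from this profile'
            }
        } catch {
            # Inside catch, $_ is the error record for the failed Load
            $row.Note = "XML parse error: $($_.Exception.Message)"
        }
        [pscustomobject]$row
    }
}

# One row per profile file; compare LastWrite across rows to spot a stale or extra profile.
Get-VpnEstablishmentSetting | Format-Table -AutoSize -Wrap
```

Run it on the PC that is reached over RDP. A clean result only shows what is on disk at that moment.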

 

KirkD
Just browsing

PhilipDAth, if this is working for you, can you post the exact syntax you are using in your profile and the version of client you are using? I have checked both the Windows 10 and 11 PCs I am testing on and the only copy of it is in the profile directory. Mine reads <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>

 

The client I am running is 4.10 downloaded from the Meraki Dashboard.

Hezinuk
Conversationalist

Hi, did we confirm a fix for this, I have the same issue despite allowing it in the profile? 

abdunin
Conversationalist

Confirming this is still an issue. Tried the profile workaround which did not work.

 

Finding some things online that this is a server setting. Any progress from anyone else on this thread?

KirkD
Just browsing

I was not able to get it to work either. I opened a case with Meraki and sent them my config files and they said my files worked for them. I tried my files on more than one MX and more than one PC using RDP with no success. I was then told I would need to open a case with Cisco support for AnyConnect and have them look into it. I do not have the extra time to do this.

chrisbetts
Conversationalist

This worked for me:

- created a profile with the editor and copied it to %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\

- connected to the VPN while logged into the console/local user

- disconnected/quit AnyConnect

- on the MX under AnyConnect Settings changed the Profile Update to enabled and uploaded the profile I created in step 1

- re-opened AnyConnect while connected over RDP

- reconnected... works

Nobara
New here

For anyone still experiencing this issue, I was only able to resolve this by pushing the profile from the Meraki portal into the client.

It was the exact same profile, but for some reason it would only take when the profile was loaded into the Meraki portal profile update settings and then the client was connected and grabbed that profile. Every other method I tried of loading this in the client itself did not work.
