Cisco Anyconnect: Vpn establishment capability from a remote desktop is disabled
Solution 1
I've found a workaround for this problem when there is no access to VPN server settings:
- set up Teamviewer
- disconnect RDP
- connect via Teamviewer
- connect to VPN in remote session
- disconnect Teamviewer
- connect via RDP
- continue working as used to
Solution 2
It really depends on the version you are using, but nowadays this is done by creating an AnyConnect Client Profile
on the ASA itself.
By default the policy will be set to LocalUsersOnly
and you need to change it to AllowRemoteUsers
.
You'll need access to the ASA though (ASDM) in order to do this.
The steps would be:
- Log into the ASDM
- Go to Configuration, Remote Access VPN, Anyconnect Client Profile
- Click Add and create a new profile and choose the Group Policy it should apply to
- Click OK, and then at the Profile screen click "Apply" at the bottom (important)
- Now edit the profile, and you should see under the Preferences, Windows VPN Establishment you can select "AllowRemoteUsers" and hit OK
- Apply once more and then save/writemem
- That's it, RDP and try again
If you don't have access to the ASA, the best I can suggest is to use a different type of remote connection like VNC or Teamviewer as they will allow you to use the VPN.
Solution 3
Connect to your computer via RDP. Create connect.dat file as following, finishing it with extra empty line (must-have requirement, sic!):
connect your-VPN-server-here
your-username-here
your-password-here
Then create connect.cmd file as following
for /f "tokens=3 delims= " %%G in ('tasklist /FI "IMAGENAME eq tasklist.exe" /NH') do SET RDP_SESSION=%%G
Rundll32.exe user32.dll, LockWorkStation
tscon.exe %RDP_SESSION% /dest:console
"C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpncli.exe" -s <connect.dat
Correct the path to vpncli.exe if necessary. Then terminate VPN UI process (it shouldn't be loaded into memory) and start our CMD file as a local admin.
If you don't mind, full note is here http://windowsasusual.blogspot.ru/2016/10/cisco-anyconnect-vpn-and-remote-desktop.html
Solution 4
I found a solution to make it work. My work laptop need to be connected to a vpn with cisco any connect . And I wanted to connect to my work laptop using remote desktop to have a better experience with my home PC mouse and keyboard and a bigger screen.
I had this error after the VPN was connecting: Vpn establishment capability from a remote desktop is disabled.
Start the VPN on the laptop first then use RDP
I could solve this issue by starting the VPN connection on my laptop first. Once the connection is established, I logged on with remote desktop on my laptod and its working!
Hope this helps
Solution 5
The fix for this issue is start the VPN session using the "Basic mode" (disabling the "Enhanced session" option). It worked for me. Look this post:
https://foxdeploy.com/2015/11/20/solved-cisco-anyconnect-session-ended-error/
Related videos on Youtube
Daniel Williams
Updated on September 18, 2022Comments
-
Daniel Williams over 1 year
I need to run Cisco AnnyConnect from a VM in a data center. When I run it I get this message:
Vpn establishment capability from a remote desktop is disabled
Can this be turned off? I saw some posts about it, but required downloading Cisco software with an account, which I do not have. The VPN software is from a client I work for.
-
Vadzim over 9 yearsRelated link joaodev.wordpress.com/2013/08/29/…
-
Ben McLean almost 8 yearsI have a Windows 10 Host and Windows 10 Hyper-V VM so that i can connect to customer VPN's without killing my connectivity. I find that i get this message if i use "Enhanced Session", so i turn that off, connect and turn it back on again and it works fine. Go Figure.
-
-
Daniel Williams almost 11 yearsNo, we don't own the VPN, our client does, and so it wont likely happen.
-
kralyk almost 11 yearsYou need to VPN in to the client's network from your VM or from their VM to your network? I'm guessing the former since you said they own the VPN, but still a little lost on that part. Regardless, since it's a VM maybe you can gain access to the console through the vmware client or hyper-v manager and log in on the "console". That would work as well. Other than that...you might simply be out of luck (again short of vnc/teamviewer/logmein/etc.)
-
Medinoc over 9 yearsWhat does ASA mean, and is it available when one simply downloads "Cisco AnyConnect Secure Mobility Client" from a remote VPN's web portal? I don't see anything called "ADSM" on my Start Menu...
-
Medinoc over 9 yearsI see the Cisco website proposes a demo download of ASDM. Does anyone know whether the demo supports this feature?
-
zligg over 8 yearssplashtop also work. NOTE: once VPN connection kicks in, it may drop the splashtop connection
-
Ryan Griffith over 8 yearsBest answer IMO for solving the issue in the shortest amount of steps.
-
Ocelot20 over 7 yearsI was after the same work/home setup you were, and didn't think to try this. It works perfectly though. Thanks.
-
Vadzim over 7 yearsIf VNP connection interrupts on holidays this wouldn't help until you move to the workplace.
-
Cory Knutson almost 7 yearsWelcome to ServerFault! Answers need to be able to stand alone. Please include relevant information in your post.
-
ForNeVeR over 6 yearsThat's for Hyper-V only, and not for the case when you actually use RDP.
-
André M. Faria about 5 yearsVadzim opened up my eyes to see what was the problem, acessed my support VM via console and now I could access the VPN, great!
-
jspinella over 2 yearsThis wouldn't work if split tunneling isn't enabled and my employer's AnyConnect VPN server doesn't seem to allow that to be set on the client.
-
lovestackh343 about 2 years
connect.dat
also must have an absolute path e.g.: "C:\Users\yourname\Desktop\connect.dat".connect.dat
can add other commands likey/n
(yes/no).connect.cmd
add to last linepause
to debug. to disconnect vpnvpncli.exe disconnect
.connect.cmd
should run as admin.