FIX: VPN establishment from a remote desktop is disabled

Elena Constantinescu
by Elena Constantinescu
VPN Expert & Privacy Advocate
0 Comments
Download PDF
Affiliate Disclosure

  • The "VPN establishment capability from a remote desktop is disabled" error message prevents you from remotely connecting to the workplace using Cisco VPN.
  • Use AnyConnect Profile Editor to fix this error, which is built into the ASDM. Discover the exact steps to enable VPN establishment capability on Remote Desktop.
  • Head over to our Cisco section to check out more awesome how-to guides.
  • Visit our VPN Troubleshooting Hub to fix other VPN errors easily.
fix VPN establishment capability from a remote desktop is disabled

If you try to create a VPN connection using Cisco VPN, you might get the VPN establishment from a remote desktop is disabled error message on your screen. However, you can quickly and easily fix it by following our set of instructions below.

Those who use early versions of AnyConnect 4 might not see this error. Instead, Cisco connects and then immediately disconnects, which should be a sign that something’s wrong.

Plus, if you have debugging mode activated, you might receive the Profile settings do not allow VPN initiation from a remote desktop message.

That’s why it’s important to update Cisco AnyConnect Secure Mobility Client to the latest version before proceeding with the following steps.

How do I enable VPN establishment capability on Remote Desktop?

enable Cisco Windows VPN Establishment

  1. Connect to the ADSM (Cisco Adaptive Security Device Manager).
  2. Go to Configuration > Remote Access VPN > Network Client remote Access > AnyConnect Client Profile.
  3. Set a Profile Name and pick a Group Policy to apply it to.
  4. Click OK.
  5. Set Windows Logon Enforcement to SingleLocalLogon.
  6. Set Windows VPN Establishment to LocalUsersOnly*.
  7. Save the profile as an XML.
  8. Connect to the firewall’s ASDM.
  9. Go to Tools > File Management > File Transfer > Between Local PC and Flash.
  10. Select and upload the XML you previously created.
  11. Once the file is uploaded, click Close.
  12. Go to Configuration > Remote Access VPN > Network (Client) Access > Group Policies.
  13. Select your Group Policy for your AnyConnect clients.
  14. Head over to Edit > Advanced > SSL VPN Client.
  15. Find the Client Profile to Download section and uncheck the Inherit button.
  16. Click New > Browser Flash and locate the XML file.
  17. Save all settings and try to reconnect using AnyConnect Mobility Client.

*You can also use AllowRemoteUsers if the solution doesn’t work for LocalUsersOnly.

If you can’t access the VPN server settings, use a remote desktop solution like TeamViewer instead of RDP. Disconnect from the RDP, connect with TeamViewer and then to the VPN in remote session mode, disconnect from TeamViewer, and connect using RDP.

In conclusion, if you receive the VPN establishment capability from a remote desktop is disabled error message when trying to remotely connect to your office using Cisco VPN in RDP mode, just follow the steps above.