Tuesday, March 29, 2011

Cisco AnyConnect: VPN Establishment capability from a Remote Desktop is disabled - workaround

Symptom: When you try to connect to a VPN using the Cisco AnyConnect VPN Client from a machine you are connected to through Remote Desktop, you get an error message saying 'VPN Establishment capability from a Remote Desktop is disabled. A VPN Connection will not be established.'

Workaround: A fairly easy workaround would be to use an alternative connection program (like TeamViewer) while establishing the tunnel. Once connected, you can connect back with Remote Desktop.

In a nutshell, the steps are the following:

  1. Install TeamViewer Full version in Service Mode
  2. Reboot the computer or manually start the Service
  3. Start TeamViewer, note the ID and Password
  4. Install TeamViewer Full or Portable on your local machine
  5. Disconnect the RDP Session and Connect via TeamViewer (or vice versa, doesn't matter)
  6. Connect to AnyConnect
  7. Disconnect from TeamViewer. Connect back with Remote Desktop.

The steps are detailed below.

1. You're connected to the machine with Remote Desktop. Now you need to download and install the TeamViewer Full version. The program is free for home use only, so use it accordingly. Unfortunately, installation is obligatory: TeamViewer QuickSupport (QS) won't work once the RDP session is disconnected.

A direct link to TeamViewer: http://www.teamviewer.com/download/TeamViewer_Setup.exe
Alternately, you can visit TeamViewer's website and go to the Download page.

Install TeamViewer following the wizard. It's basically a next-next-next procedure, but you do need to install it as a service (choose Yes at the 4th step).

Once installed, start TeamViewer and follow the configuration wizard. You have to set a password but don't need to create a TeamViewer account.


2. Once you finish the wizard, you should see the TeamViewer icon in the System Tray. If there's no icon there, you misconfigured something. Due to a bug in TeamViewer you need to restart the computer (A). You can also try to start the service manually (B). If you still cannot connect with TeamViewer after that, you need to reboot the computer anyway.

2. A. To reboot the computer, click on an empty part of the taskbar (Start menu bar) to bring it into focus.

Now hit Alt + F4 and choose Restart.

2. B. You can also try to manually start the TeamViewer Service. Go to Start -> Run and type services.msc.

Find the TeamViewer service, right-click and choose Start.


3. Once the machine is rebooted or the service is started, open up TeamViewer and note the ID. You will have to use your predefined password and not the randomly generated one (TeamViewer bug).


4. On your own computer you need to download the TeamViewer Full version or the Portable one. I'll go with Portable because it does not require installation. The direct link to the portable version is: http://www.teamviewer.com/download/TeamViewerPortable.zip but it can also be found on TeamViewer's Download page.

5. Extract and start TeamViewer, then enter the previously noted ID and the predefined password to connect.

Once you're connected with TeamViewer, close the Remote Desktop session. This step is important because while the RDP session is open, AnyConnect will not let you connect. (Do not log off, just disconnect the session with the red X.)

6. Now connect to the VPN with Cisco AnyConnect.

7. Once you're connected to the VPN Tunnel you can disconnect from TeamViewer and connect back with Remote Desktop.
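As an added example (not part of the original post), a PowerShell pre-flight check for the procedure above: it reports whether the current session is a Remote Desktop session (the condition AnyConnect refuses to start a tunnel from) and whether the service from step 2B is running, starting it if it is stopped. The service name 'TeamViewer' is an assumption; the post does not state the exact name.

```powershell
# Added example, not code from the original post. Assumes the TeamViewer
# full version was installed in service mode under the service name
# "TeamViewer" (assumption; check with Get-Service if it differs).

function Test-RemoteDesktopSession {
    # AnyConnect refuses to build a tunnel from an RDP session; this must be
    # $false before step 6. TerminalServerSession is a real .NET property.
    Add-Type -AssemblyName System.Windows.Forms
    return [System.Windows.Forms.SystemInformation]::TerminalServerSession
}

function Get-RemoteAccessServiceState {
    param([string]$ServiceName = 'TeamViewer')   # assumed service name
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc) { return 'NotInstalled' }
    return $svc.Status.ToString()                 # e.g. Running, Stopped
}

function Start-RemoteAccessService {
    # Step 2B of the post: start the service instead of rebooting.
    param([string]$ServiceName = 'TeamViewer')
    $state = Get-RemoteAccessServiceState -ServiceName $ServiceName
    if ($state -eq 'NotInstalled') {
        throw "Service '$ServiceName' not found; install the full version in service mode (step 1)."
    }
    if ($state -ne 'Running') {
        Start-Service -Name $ServiceName
        (Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    }
    return Get-RemoteAccessServiceState -ServiceName $ServiceName
}

# Report the two facts that decide whether step 6 can succeed yet.
$inRdp = Test-RemoteDesktopSession
Write-Host ("Session via Remote Desktop: {0} (session name: {1})" -f $inRdp, $env:SESSIONNAME)
Write-Host ("TeamViewer service state:   {0}" -f (Start-RemoteAccessService))
if ($inRdp) {
    Write-Host "Disconnect (do not log off) the RDP session and reconnect over TeamViewer before starting AnyConnect."
} else {
    Write-Host "Not in an RDP session; AnyConnect can be started now (step 6)."
}
```

Run it inside the RDP session before step 5; if the service is reported as anything other than Running after the start attempt, fall back to the reboot in step 2A.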

15 comments:

  1. Hey, I tried this out on the latest version of TeamViewer but it fails to load correctly. I keep getting an error for fast user switching. I installed everything, but keep getting the same error.

  2. Thanks for your feedback, I will test with the latest version of TeamViewer.
    Meanwhile please make sure you're not using TeamViewer QS but the full version. The Quick Support version will not work in this scenario.

  3. Forgot to mention, you also need to restart the machine after installing TeamViewer in order for the necessary services to start.

  4. Thanks for this post and for including screenshots. So few step-by-step guides include them and they can be very helpful for people who understand things better visually.--http://www.proxynetworks.com

  5. You can solve this problem by creating a VPN profile

    http://www.petenetlive.com/KB/Article/0000546.htm

  6. @Pete ... only if you have access to your VPN server's configuration. If you don't then you need to have this type of workaround.

  7. This is another solution: Use AutoIt to create a script that logs you in with Cisco Anyconnect 10 seconds after you kick it off. Then you RDP into your machine, kick off the script, close the RDP session, wait 20 seconds, then RDP back in.

    Replies
    1. AutoIt seems to be a very good idea. Can you post the script please?

    2. @levidos Just need to enter your path to the VPN exe file and add your credentials. Note, this will most likely only work with Cisco clients 2.0.x
      ----------------------------------
      ; Launch the AnyConnect client (the path is elided in the original comment)
      Run("C:\\.exe")
      ; Wait until the client window is active before sending any input
      WinWaitActive("Cisco AnyConnect VPN Client")

      Sleep(5000)
      ; Fill the 2nd and 3rd Edit controls (username and password); the empty
      ; strings are placeholders, and note the credentials sit in clear text here
      ControlSetText("Cisco AnyConnect VPN Client", "", "[CLASS:Edit; INSTANCE:2]", "")
      ControlSetText("Cisco AnyConnect VPN Client", "", "[CLASS:Edit; INSTANCE:3]", "")

      Sleep(5000)
      ; Press the Connect button (control ID 1016)
      ControlClick("Cisco AnyConnect VPN Client", "Connect", 1016)

  8. Hi,

    I am not sure how you will be able to RDP back into the machine once the VPN has started. Once the VPN starts, all traffic will be redirected and then you will not be able to RDP anymore (the IP address will change and then RDP won't be possible anymore).

    Thanks

  9. @BOUBOU The VPN creates a tunnel for specific data to go down a specific path based on the destination for the data. If data doesn't have to go down that path then it can go out the non-VPN path. This is how you can still communicate with your internal PCs in your house even though you are connected to your company VPN. The same is true whether you are talking inbound or outbound. So, RDP will still work.

    Keep in mind that when you connect to a website using HTTPS, you are still making a VPN connection (it's a secure path) but only to the servers that represent that website. Your computer is still capable of talking to other websites, news servers, mail servers, IM clients, etc.

    Replies
    1. The technical reason why it works, BOUBOU, is that when the VPN is established a virtual tunnel interface is created with another IP. Your existing physical (whether wired or wireless) interface still has the same IP, which is why you can still communicate inbound/outbound with other hosts on the non-VPN. It's no different than having 2 physical interfaces, other than the interface used for the VPN being virtual.

      When connecting to an HTTPS website, a virtual network interface isn't created but your computer still effectively creates an encrypted tunnel to just that one site so it can still be considered a VPN.

  10. Tried this but the VPN service, once started, restricts any network connection, channeling all traffic through the tunnel... meaning no separate network access. The minute you connect to your vpn the teamviewer connection is terminated.

    I have used company vpns and never been able to use local network resources as they are cut off. Interesting how this is supposed to work.

    Replies
    1. In that case there's not much to do. Anyway, this post is very old.

  11. @JM -- I was in the same scenario as you. However, I was able to overcome this restriction very easily -- actually *using* that little-known thing called IPv6.

    You can use any remote connection program of your choice (other than RDP -- personally, I prefer RealVNC), or the AutoIt solution mentioned earlier in the comments, then simply note your system's IPv6 address and connect through RDP that way. Just be sure to NOT include the zone index (% and numbers at the end of the address as displayed by ipconfig) when you connect -- RDP won't like that.

    This method is quite foolproof, at least unless your system administrator prevents you from modifying adapter settings (which, quite frankly, if they do that, you probably wouldn't have any administrative control over your computer whatsoever). Even if the admin tries to set up the connection so that it re-routes IPv6 traffic, you can overcome this simply by disabling the IPv6 functionality on the AnyConnect adapter (AnyConnect makes its own adapter when it installs). This can be done from the standard network adapter properties page in Windows. With IPv6 disabled on the AnyConnect adapter, there will be nothing to stop you from connecting to your remote machine through its IPv6 address.
