Troubleshoot Secure Access Error "VPN Establishment Capability for a Remote User Is Disabled. A VPN Connection Will Not Be Established"

Available Languages

Download Options

  • PDF     (562.2 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (637.3 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (470.6 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:November 3, 2023
Document ID:221175

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to resolve error:  "VPN establishment capability for a remote user is disabled. A VPN connection will not be established."

    Problem

    When a user tries to connect with RA-VPN (Remote Access VPN) to the Secure Access headend, the error is printed in the Cisco Secure Client notification popup:

    • VPN establishment capability for a remote user is disabled. A VPN connection will not be established.
    • Cisco Secure Client was not able to establish a connection to the specified secure gateway. Please try connecting again.

    Cisco Secure Client - Problem connecting to Cisco Secure AccessCisco Secure Client - Problem connecting to Cisco Secure Access

    The mentioned error is generated, when the user is connected via the RDP to the Windows PC, tries to connect to RA-VPN from the given PC, and WindowsVPN Establishment is set to Local Users Only (default option).

    Windows VPN Establishment determines the behavior of the Cisco Secure Client when a user who is remotely logged on to the client PC establishes a VPN connection. The possible values are:

    • Local Users Only 

    Prevents a remotely logged-on (RDP) user from establishing a VPN connection.

    • Allow Remote Users

    Allows remote users to establish a VPN connection. However, if the configured VPN connection routing causes the remote user to become disconnected, the VPN connection terminates to allow the remote user to regain access to the clients PC. Remote users must wait 90 seconds after VPN establishment if they want to disconnect their remote login session without causing the VPN connection to be terminated.

    Solution

    Navigate to Cisco Secure Access Dashboard.

    • Click on Connect > End User Connectivity 
    • Click on Virtual Private Network
    • Choose the profile that you want to modify and click Edit 

    Cisco Secure Access - RA-VPNCisco Secure Access - RA-VPN

    Click on Cisco Secure Client Configuration > Client Settings > Edit

    Cisco Secure Access - RA-PVN Client ConfigurationCisco Secure Access - RA-PVN Client Configuration

    Click on Administrator Settigns and modify Windows VPN Establishment from Local User Only to All Remote Users

    Cisco Secure Access - Windows Windows VPN EstablishmentCisco Secure Access - Windows Windows VPN Establishment

    And click on Save

    Cisco Secure Access - Windows Windows VPN Establishment 2Cisco Secure Access - Windows Windows VPN Establishment 2

    When you establish the RA-VPN session from the remote Windows PC, you must configure the Tunnel Mode as Bypass Secure Access. Otherwise, you risk losing access to the remote Windows PC.

    Cisco Secure Access - Tunnel ModeCisco Secure Access - Tunnel Mode

    For more information about Tunnel Mode check the next article item number 6:

    https://docs.sse.cisco.com/sse-user-guide/docs/add-vpn-profiles

    Related Information

    Revision History

    Revision Publish Date Comments
    1.0
    03-Nov-2023
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Jairo Andres Moreno Ciro
      TAC
    • Fuad Al Asouli
      TAC
    • Wojciech Brzyszcz
      TAC

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products