Troubleshoot Secure Access Error "The VPN Connection Was Started by a Remote Desktop User Whose Remote Console Has Been Disconnected"

Available Languages

Download Options

  • PDF     (438.2 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (559.2 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (542.8 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:February 27, 2024
Document ID:221733

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to fix the error: "The VPN connection was started by a remote desktop user whose remote console has been disconnected".

    Problem

    When a user tries to connect with RA-VPN (Remote Access VPN) to the Secure Access headend, the error is printed in the Cisco Secure Client notification popup:

    • The VPN connection was started by a remote desktop user whose remote console has been disconnected. It is presumed the VPN routing configuration is responsible for the remote console disconnect. The VPN connection has been disconnected to allow the remote console to connect again. A remote desktop user must wait 90 seconds after VPN establishment before disconnecting the remote console to avoid this condition.

    Secure Client - Error

    The mentioned error is generated when the user is connected via the RDP to the Windows PC, tries to connect to RA-VPN from the given PC, and Tunnel Mode in VPN Profile is set to Connect to Secure Access (default option) and source IP of the RDP connection is not added to Exceptions.

    For Traffic Steering (Split Tunnel), you can configure a VPN profile to maintain a full tunnel connection to Secure Access or configure the profile to use a split tunnel connection to direct traffic through the VPN only if necessary.

    1. For Tunnel Mode, choose either:
      • Connect to Secure Access to direct all traffic through the tunnel; or,
      • Bypass Secure Access to direct all traffic outside the tunnel.
    2. Depending on your selection, you can Add Exceptions to steer traffic inside or outside the tunnel. You can enter comma-separated IPs, domains, and network spaces.

    Solution

    Navigate to the Cisco Secure Access Dashboard:

    • Click on Connect > End User Connectivity 
    • Click on Virtual Private Network
    • Choose the profile that you want to modify and click Edit 

    Secure Access - RA VPN Policy

    • Click on Traffic Steering (Split Tunnel) > Add Exceptions > + Add 

    Secure Access - Traffic Steering

    • Add your IP address from which you established the RDP connection

    Secure Access - RA VPN Exclusion List

    • Click on Save In Add Destinations window

    Windows - Command Line

    note-icon

    Note: The IP address could be found from the output of cmd command netstat -an.; Note the IP address from which there is an established connection to the local IP address of the remote desktop to port 3389.

    • Click Next after adding the exception:

    Secure Access - Policy Edit

    • Click Save changes in the VPN profile:

    Secure Access - Policy Edit 2

    Related Information

    Revision History

    Revision Publish Date Comments
    1.0
    27-Feb-2024
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Sergiy Kuzmin
      TAC

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products