"Remote user is disabled" for headless Cisco AnyConnect client
By Michael Henderson
On a Linux machine we are trying to establish a VPN connection using Cisco AnyConnect version anyconnect-linux64-4.10.05085-predeploy-k9 like this:
printf '<user>\n<password>\ny' | /opt/cisco/anyconnect/bin/vpn -s connect <host>

We get this error:

>> state: Connecting
>> notice: Establishing VPN session...
The AnyConnect Downloader is analyzing this computer. Please wait...
Initializing the AnyConnect Downloader...
The AnyConnect Downloader is performing update checks...
The AnyConnect Downloader updates have been completed.
>> notice: The AnyConnect Downloader is performing update checks...
>> notice: Checking for profile updates...
>> notice: Checking for customization updates...
>> notice: Performing any required updates...
>> notice: The AnyConnect Downloader updates have been completed.
Please wait while the VPN connection is established...
>> state: Connecting
>> notice: Establishing VPN session...
>> notice: Establishing VPN - Initiating connection...
>> state: Disconnecting
>> notice: Disconnect in progress, please wait...
>> error: VPN establishment capability for a remote user is disabled. A VPN connection will not be established.
>> state: Disconnected

Based on comments on the internet we tried adding a profile file /opt/cisco/anyconnect/profile/Profile.xml with the following content:
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="" xmlns:xsi="" xsi:schemaLocation=" AnyConnectProfile.xsd">
  <ClientInitialization>
    <LinuxVPNEstablishment>AllowRemoteUsers</LinuxVPNEstablishment>
  </ClientInitialization>
</AnyConnectProfile>

but to no avail.
What's the correct way to allow VPN connections for remote users?
1 Answer
So it turns out the AllowRemoteUsers setting has to be done on the server side, not the client.
Adding

<LinuxVPNEstablishment>AllowRemoteUsers</LinuxVPNEstablishment>

in some .xml file on the VPN Server made the error go away.
It'd be interesting to know
- why AnyConnect distinguishes between Windows and Linux clients in the first place
- why connections made from a macOS client via the AnyConnect macOS binary did work - are they treated as Windows / not restricted at all?
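
An added example, not part of the original answer and not Cisco tooling: a Python check that reports the LinuxVPNEstablishment value in every profile XML in a directory, so you can see which profiles relax the remote-user restriction and which files do not parse at all. The function names, the sample profiles and their namespace URI are constructed for illustration.

```python
"""Report the LinuxVPNEstablishment setting in AnyConnect profile XML files."""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample profiles; the namespace URI is a placeholder.
SAMPLE_ALLOW = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="urn:example:placeholder">
  <ClientInitialization>
    <LinuxVPNEstablishment>AllowRemoteUsers</LinuxVPNEstablishment>
  </ClientInitialization>
</AnyConnectProfile>"""
SAMPLE_UNSET = "<AnyConnectProfile><ClientInitialization/></AnyConnectProfile>"
SAMPLE_BROKEN = "<AnyConnectProfile><ClientInitialization>"


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]


def linux_vpn_establishment(xml_data):
    """Return the setting's text, or None if the element is absent.

    Raises xml.etree.ElementTree.ParseError on malformed XML.
    """
    root = ET.fromstring(xml_data)
    for section in root.iter():
        if local_name(section.tag) != "ClientInitialization":
            continue
        for child in section:
            if local_name(child.tag) == "LinuxVPNEstablishment":
                return (child.text or "").strip()
    return None


def audit_profiles(profile_dir):
    """Map each *.xml file name in profile_dir to its setting or a status."""
    report = {}
    for path in sorted(Path(profile_dir).glob("*.xml")):
        try:
            value = linux_vpn_establishment(path.read_bytes())
        except ET.ParseError as exc:
            report[path.name] = f"unparseable ({exc})"
        else:
            report[path.name] = value if value is not None else "not set"
    return report


if __name__ == "__main__":
    # Default to the profile directory named in the question.
    target = sys.argv[1] if len(sys.argv) > 1 else "/opt/cisco/anyconnect/profile"
    for name, status in audit_profiles(target).items():
        print(f"{name}: {status}")
```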