This error typically occurs when trying to connect to a VPN using Cisco AnyConnect or Secure Client over Remote Desktop Protocol (RDP). The error message is:
“VPN establishment capability for a remote user is disabled. A VPN connection will not be established.”
This issue is most often caused by a VPN policy setting that restricts access when connecting through RDP. Below, we answer the most common questions about this error and how to fix it.
What causes the “VPN establishment from a remote user disabled” error?
The root cause is a policy setting in the Cisco VPN profile that disallows VPN establishment over RDP. This is controlled by the Windows VPN Establishment setting in the profile XML.
- “AllowRemoteUsers” must be enabled in the VPN configuration.
- If it is set to “LocalUsersOnly”, connections initiated through RDP will be blocked.
- Many organizations set this restriction to prevent VPN chaining or potential misuse from unmanaged remote sessions.
How do I fix the VPN establishment from a remote user disabled error?
To resolve this issue, you’ll need access to the Cisco AnyConnect or Secure Client profile editor. Here’s how to update the profile:
Step-by-step:
- Locate the profile file:
- Usually found in:
C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\
- Usually found in:
- Open the XML file in a text editor like Notepad or VS Code.
- Find this line: xmlنسختحرير
<WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment> - Change it to: xmlنسختحرير
<WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment> - Save the file and restart the Cisco VPN client.
⚠️ Note: Editing profiles may require admin access and approval from your IT team.
If you’re using an enterprise-managed environment, contact your VPN administrator. They may need to update the XML on the central ASA or Secure Client Management platform.
Is it safe to allow VPN connections from remote users?
Allowing VPN establishment from remote desktop users introduces some risks:
Pros:
- Enables support staff or remote users to connect securely without being on-site.
- Useful in virtual environments or cloud-based remote desktops.
Cons:
- May allow VPN over VPN scenarios (nested tunnels), complicating network routing.
- Higher risk if the RDP session is not secure or uses a public endpoint.
If you allow remote VPN connections, ensure the following:
- Use strong RDP encryption.
- Disable clipboard and drive sharing in RDP.
- Monitor VPN session logs for unusual behavior.
To understand more about VPN layering and alternatives, check out this guide on is ascaler vpn also a proxy server for deeper insight into protocol differences.
Can I use a VPN over RDP safely?
Yes, but best practices must be followed. Here’s how to secure your setup:
- Always connect RDP over a VPN, not vice versa, when possible.
- Enforce MFA (Multi-Factor Authentication) for VPN access.
- Keep your VPN client up to date to avoid exploitable vulnerabilities.
- Avoid using VPN over public Wi-Fi unless secured by corporate policies.
Are there alternatives if I can’t modify the VPN profile?
If you don’t have access to change the VPN settings, try these alternatives:
- Use a local machine instead of RDP to initiate the VPN.
- Request an updated profile from your IT administrator.
- Switch to a VPN that supports remote sessions natively, such as those mentioned in the NordVPN review or Surfshark review.
For a broader understanding of multi-tunnel systems, read about what is a VPN concentrator and how it helps centralize access securely.
What if I see the error even after editing the profile?
Here are additional troubleshooting steps:
- Clear cache or reinstall the Cisco client to ensure it reads the new profile.
- Check for duplicate profiles—Cisco Secure Client may prioritize the wrong one.
- Ensure no endpoint protection (like Cisco Umbrella) is blocking the VPN behavior.
- Verify that your RDP session isn’t nested (e.g., RDP inside RDP), which can cause profile bypass.
You may also want to test with a local profile and a clean boot. If VPN fails only during remote control sessions, it confirms the issue is tied to the establishment policy.
Does this affect other VPN clients or just Cisco?
The error message specifically refers to Cisco Secure Client (formerly AnyConnect). However, similar restrictions can apply in other enterprise VPN setups:
- Pulse Secure and GlobalProtect have comparable local-only policies.
- Open-source clients like OpenVPN don’t typically enforce this unless set up manually.
If you’re comparing client behaviors, see how leading services stack up in AirVPN vs NordVPN for both speed and control.
Can I use this setup to unblock geo-restricted services remotely?
Once your VPN is enabled—even through RDP—you can access content behind firewalls or in other regions. This is helpful if:
- You want to access apps like ChatGPT from a restricted network (what location to put VPN for unrestricted Chat GPT)
- You’re using torrent clients like qBittorrent and want to bind them to VPN
Just remember that your VPN session will inherit the network settings of the remote desktop, which may reduce speed or add latency.
Conclusion: Should you allow VPN establishment from remote users?
In many cases, yes—but only if it meets your security policy.
The error “why is my vpn establishment from a remote user disabled” is a common configuration oversight. If remote access is part of your workflow, updating the WindowsVPNEstablishment parameter to AllowRemoteUsers is usually a safe and effective fix when paired with standard RDP protections.
For more privacy tips and unusual VPN fixes, explore issues like why does weave not work when VPN is on or is DNSCrypt an alternative to VPN.
Always test changes in a sandbox or dev environment before pushing to production.
