When using the Cisco AnyConnect Secure Mobility Client to establish VPN connections, one might see a frustrating error message such as this one:
The Linux, Windows and macOS versions of the AnyConnect Secure Mobility Client are affected if both the Auto Update and Enable Scripting settings are enabled. The latter is disabled by default. “An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener.”
AnyConnect profile settings mandate a single local user, but multiple local users are currently logged into your computer. A VPN connection will not be established.
or this one:
If you are trying to use Cisco AnyConnect through a Windows Virtual PC and receiving the following message. VPN establishment capability from remote desktop is disabled. A VPN connection will not be established. This is what I did to get it functional. Go to your virtual machines and edit the Settings. Use just a user name and password. Have tried other users that work on other laptops but get the same result. Disabled security and looked for 3rd party apps that might interfere. Looking at my notes it had the Cisco Network Access Manager installed by mistake but was uninstalled before it was deployed to the user.
VPN establishment capability from a remote desktop is disabled. A VPN connection will not be established.
Cisco’s documentation mentions that these limitations are specified in a profile XML file, which is downloaded from the VPN server while the connection is being established.
Using Sysinternals’ Process Monitor, it is possible to see that this file is downloaded to the following path:
%programdata%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\[some name].xml
It turns out the file is downloaded by the Anyconnect Secure Mobility Client (vpngui.exe) and then analyzed. In order to bypass the restrictions imposed in the file, it is enough to use a simple application that monitors changes to that specific file and immediately replaces it with another file (where the restrictions are not present).
The two restrictions related to the error messages above are specified in the following nodes of the file:
<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
<WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
A copy of the current profile XML file could be made where the nodes above are commented out. Then the aforementioned application will overwrite the downloaded XML file with the “custom” version. Sample source code for such an application follows (C#):
Note: it might be necessary to run the application with elevated privileges.
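From the defending side, the replacement described above can be detected by auditing the profile on disk for the two nodes. The following is an added example, not code from the original post: the function names and the sample XML are constructed, and the expected values are assumed to match what your VPN server pushes.

```python
import xml.etree.ElementTree as ET

# Values the post quotes from the server-issued profile, used as the baseline
# (assumption: your headend pushes these same settings).
EXPECTED = {
    "WindowsLogonEnforcement": "SingleLocalLogon",
    "WindowsVPNEstablishment": "LocalUsersOnly",
}

def local_name(tag):
    """Strip an XML namespace prefix such as '{uri}Name' down to 'Name'."""
    return tag.rsplit("}", 1)[-1]

def audit_profile(xml_text):
    """Return a list of findings; an empty list means both restrictions are intact."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"profile is not well-formed XML: {exc}"]
    found = {}
    for el in root.iter():
        name = local_name(el.tag)
        if name in EXPECTED:
            found.setdefault(name, []).append((el.text or "").strip())
    findings = []
    for name, want in EXPECTED.items():
        values = found.get(name, [])
        if not values:
            # Commented-out nodes are dropped by the parser, so they land here.
            findings.append(f"{name}: missing (removed or commented out)")
        elif len(values) > 1:
            findings.append(f"{name}: defined {len(values)} times")
        elif values[0] != want:
            findings.append(f"{name}: is {values[0]!r}, expected {want!r}")
    return findings

# Constructed sample profiles (not taken from a real deployment).
INTACT = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
  </ClientInitialization>
</AnyConnectProfile>"""

TAMPERED = INTACT.replace(
    "<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>",
    "<!-- <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement> -->",
).replace("LocalUsersOnly", "AllowRemoteUsers")

if __name__ == "__main__":
    for label, text in (("intact", INTACT), ("tampered", TAMPERED)):
        print(label, audit_profile(text) or "OK")
```

Run on a schedule or from an endpoint agent against the profile directory, any finding indicates the on-disk profile no longer matches what the server issued.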