LAN with dynamic connection DefaultL2LGroup or DefaultRAGroup?

Apr 9th, 2007


First of all, I'm not quite sure if the tunnel-group for a LAN with dynamic connection (ADSL) is DefaultL2LGroup or DefaultRAGroup.

After upgrading the 515-E to 7.2(2), the VPN L2L link between the 515-E in the hub office and the 1841 router in the branch stopped working for some reason. I'm still picking up the 7.2 commands, so I don't know if some of the commands were not properly converted or if I've changed something in the configuration.

I would be grateful if someone could look at the attached config and advise what to do.

Thanks, Archie

ggilbert Mon, 04/09/2007 - 10:25


If the remote side is initiating a connection in Aggressive mode (like remote EzVpn etc.), then it will land on DefaultRAGroup. If it is initiating the connection in Main mode, it will land on DefaultL2LGroup.

So, since you said it's an L2L tunnel, the remote address should be initiating the connection in Main mode.

Make sure the pre-shared key matches on the DefaultL2LGroup with the remote side.

The configs look OK.

If it doesn't work, please run the following debugs

deb cry isa 129

deb cry ipsec 129

on the ASA and post it.

Rate this post, if it helps.



agcastle2000 Tue, 04/10/2007 - 01:58

Hi Gilbert,

Thanks for your response. I issued the debug statements that you suggested and the connection is landing on DefaultRAGroup. However, someone from the forum suggested adding the one-line command below and it started working. Unfortunately, it can't be found anywhere in the Cisco configuration examples or in any of the documentation.

tunnel-group-map default-group DefaultL2LGroup

Also, thanks for letting me know about Aggressive and Main modes.
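
Added example, not part of either post and not Cisco's code: a small Python helper that reads saved output of the debugs named above and reports, per peer, which tunnel group the connection landed on and when that changed. The sample lines are constructed, modelled on the "Group = <name>, IP = <peer>" prefix of ASA IKE debug messages; the addresses and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample capture (documentation-range addresses), not real output.
SAMPLE_DEBUG = """\
Apr 10 01:40:02 [IKEv1]: IP = 203.0.113.10, IKE_DECODE RECEIVED Message (msgid=0)
Apr 10 01:40:02 [IKEv1]: Group = DefaultRAGroup, IP = 203.0.113.10, processing ID payload
Apr 10 01:40:02 [IKEv1]: Group = DefaultRAGroup, IP = 203.0.113.10, processing hash payload
Apr 10 01:55:41 [IKEv1]: Group = DefaultL2LGroup, IP = 203.0.113.10, processing ID payload
Apr 10 01:55:42 [IKEv1]: Group = DefaultL2LGroup, IP = 203.0.113.10, PHASE 1 COMPLETED
Apr 10 01:56:10 [IKEv1]: Group = DefaultL2LGroup, IP = 198.51.100.7, PHASE 1 COMPLETED
"""

# Timestamp, then the tunnel group and peer address the message is tagged with.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) .*?Group = (?P<group>[^,]+), IP = (?P<ip>[\d.]+),"
)


def landing_history(text):
    """Per peer IP, the ordered (timestamp, tunnel-group) changes seen in the log."""
    history = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # messages logged before a group is selected carry no "Group ="
        ip, group = m.group("ip"), m.group("group").strip()
        # Record an entry only when the group differs from the last one seen.
        if not history[ip] or history[ip][-1][1] != group:
            history[ip].append((m.group("ts"), group))
    return dict(history)


def peers_ever_in(text, group):
    """Sorted peer IPs that landed on the named tunnel group at least once."""
    return sorted(
        ip for ip, hist in landing_history(text).items()
        if any(g == group for _, g in hist)
    )


if __name__ == "__main__":
    for ip, hist in landing_history(SAMPLE_DEBUG).items():
        print(ip, " -> ".join(f"{g} ({ts})" for ts, g in hist))
    print("Landed on DefaultRAGroup:", peers_ever_in(SAMPLE_DEBUG, "DefaultRAGroup"))
```
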



