Configuring port-object in ASA

mahesh18
Level 6

Hi Everyone,

I need to configure "port-object eq 17800" etc. in ASA.

I tried the command "object-group service xyz",

but there is no option for "port-object eq"?

Regards

Mahesh

1 Accepted Solution


Jouni Forss
VIP Alumni

Hi,

I think you have probably configured the "object-group service" without defining the protocol used.

For example

ASA(config)# object-group service TEST
ASA(config-service-object-group)# ?
  description     Specify description text
  group-object    Configure an object group as an object
  help            Help for service object-group configuration commands
  no              Remove an object or description from object-group
  service-object  Configure a service object
ASA(config-service-object-group)#

However, if we specify the "object-group service" with either "tcp", "udp" or "tcp-udp" at the end, then you will have the option of the "port-object" command:

ASA(config)# object-group service TEST tcp-udp
ASA(config-service-object-group)# ?
  description   Specify description text
  group-object  Configure an object group as an object
  help          Help for service object-group configuration commands
  no            Remove an object or description from object-group
  port-object   Configure a port object
ASA(config-service-object-group)#

Though even if you used the original "object-group service" configuration, you could still define it as an "object-group" which, for example, contains the allowed destination ports in some ACL.

For example, the following would group TCP/17800 and UDP/17800 in one "object-group" and use them in an ACL:

object-group service TEST
 service-object tcp destination eq 17800
 service-object udp destination eq 17800
access-list TEST extended permit object-group TEST any any

When we look at how the actual ACL looks, we see the following:

ASA(config)# show access-list TEST
access-list TEST; 2 elements; name hash: 0xd37fdb2b
access-list TEST line 1 extended permit object-group TEST any any (hitcnt=0) 0x0abc0954
  access-list TEST line 1 extended permit tcp any any eq 17800 (hitcnt=0) 0x25ac5419
  access-list TEST line 1 extended permit udp any any eq 17800 (hitcnt=0) 0xc6e32e33

Hope this helps

- Jouni
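The expanded "show access-list" output above is the place to verify that an object-group really installs the protocol/port pairs you intended. The following Python script is an added example, not part of Jouni's post or any Cisco tooling: it parses the indented child entries the ASA prints under an object-group ACE and compares the permitted (protocol, port) pairs with the intended set; the sample text is constructed from the output quoted in the answer.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the 'show access-list TEST' output quoted in the answer above.
SAMPLE = """\
access-list TEST; 2 elements; name hash: 0xd37fdb2b
access-list TEST line 1 extended permit object-group TEST any any (hitcnt=0) 0x0abc0954
  access-list TEST line 1 extended permit tcp any any eq 17800 (hitcnt=0) 0x25ac5419
  access-list TEST line 1 extended permit udp any any eq 17800 (hitcnt=0) 0xc6e32e33
"""

# The ASA prints the entries an object-group expands to as indented children of the
# parent ACE; the parent line itself (not indented) names the group, not a protocol.
EXPANDED_RE = re.compile(
    r"^\s+access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+extended\s+"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<body>.+?)\s+\(hitcnt=(?P<hits>\d+)\)"
)
# Trailing destination port spec of the ACE body: 'eq 17800' or 'range 1000 2000'.
PORT_RE = re.compile(r"\s(?P<op>eq|range)\s+(?P<port>\d+(?:\s+\d+)?)$")

@dataclass(frozen=True)
class Ace:
    acl: str
    line: int
    action: str
    proto: str
    port: Optional[str]   # '17800', '1000-2000', or None when no port is matched
    hits: int

def parse_expanded(show_output: str) -> list:
    """Return the expanded (per-protocol, per-port) ACEs from 'show access-list' text."""
    aces = []
    for raw in show_output.splitlines():
        m = EXPANDED_RE.match(raw)
        if not m:
            continue   # summary line, parent object-group ACE, or unrelated text
        p = PORT_RE.search(m["body"])
        port = None
        if p:
            port = p["port"] if p["op"] == "eq" else "-".join(p["port"].split())
        aces.append(Ace(m["acl"], int(m["line"]), m["action"], m["proto"], port, int(m["hits"])))
    return aces

def check_expansion(show_output: str, expected: set) -> dict:
    """Compare the permitted (proto, port) pairs the ASA installed with the intended set.
    'missing' = intended pairs the ACL lacks; 'unexpected' = extra exposure to review."""
    actual = {(a.proto, a.port) for a in parse_expanded(show_output) if a.action == "permit"}
    return {"missing": expected - actual, "unexpected": actual - expected}

if __name__ == "__main__":
    for ace in parse_expanded(SAMPLE):
        print(ace)
    print(check_expansion(SAMPLE, {("tcp", "17800"), ("udp", "17800")}))
```

Paste the real "show access-list" output in place of SAMPLE; a non-empty "unexpected" set is the quickest way to spot a group that grew beyond the ports it was created for.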

Hi Jouni,

Yes, I configured "object-group service" without defining the protocol used.

I used tcp in the end now and it worked great.

Best Regards

Mahesh
