Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Connection profile tunnel group lock -- connection profile name


Hi Everyone,

I have config separate connection profile and tunnel group for our external vendor.

I gave him xml file and he is able to connect fine.

This ASA has 2 connection profiles one for vendor and one for our internal users.

I need to make sure that vendor does not connect to internal users connection profile.

As per my understanding he is unable to connect to internal user connection profile unless i give him xml file for internal users connection right??

If under group policies  of external vendor

connection profile tunnel group lock ---should i choose the vendor connection profile name from the drop down?

Currently it shows check mark --inherit.

We are using full tunnel and radius Auth for anyconnect.






Hi Mahesh, You have

Hi Mahesh,


You have configured Group lock, which restricts the users by verifying whether the profile configured in vpn client matches with the connection profile, where the user is authorized for..... if it doesn't matches ASA will block the connection.... if you remove it user is leveraged to connect to any profile.... ASA will authenticate the user irrespective of any assigned group.... this is an added security feature....




New Member

 Hi Karthik.So you mean that


Hi Karthik.

So you mean that if i config this feature then ASA will look at

c\programs data\----profile\xml file

Here ASA will look at xml profile and check the connection profile here and it has to match with

connection profile user is trying to connect right?