VPN PIX-to-Router Static-to-Dynamic

mauricioharley
Level 1

Dear friends,

I'm trying to configure an IPSec tunnel between an IOS router and a PIX v7.0. I've already seen some URLs here pointing to an example configuration. However, that example covers only the v6.x version of PIX, so it is not useful for solving my case.

My situation is that the router connects to a DSL provider and obtains a dynamic IP address and my PIX appliance has a static (Leased Line) connection to Internet. So, I have to establish this tunnel using pre-shared keys.

How do I do it using v7.x on the PIX?

Appreciate the help,

Mauricio

1 Accepted Solution

Accepted Solutions

ggilbert
Cisco Employee

Mauricio,

Here is an example for PIX 7.0 version to build a dynamic L2L tunnel.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

You would need to create a dynamic crypto map and use the defaultL2L tunnel-group for pre-shared key settings.

Rate this post, if it helps.

Cheers

Gilbert
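The following is an added, worked configuration illustrating the two pieces Gilbert names (a dynamic crypto map on the PIX and the pre-shared key on the DefaultL2LGroup tunnel-group). It is not the configuration from the linked Cisco document or from either poster. All addressing is assumed: the PIX's static outside address is 203.0.113.10, the PIX LAN is 192.168.1.0/24, the router LAN is 192.168.2.0/24, the router's DSL interface is Dialer1, and the interface names, ACL names and transform-set names are placeholders. Replace the pre-shared-key placeholders with a long random secret before use.

```cisco
!=====================================================================
! PIX 7.0 side (static IP 203.0.113.10, always the IKE responder)
! Added example; assumed addresses and names, see lead-in.
!=====================================================================
! Proxy identity for this L2L: limit what a dynamic peer may negotiate
access-list L2L-TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
! NAT exemption so tunnelled traffic keeps its real source address
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Phase 1: 7.0 syntax is "isakmp ..."; 7.2 and later prefix it with "crypto "
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
! Phase 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Dynamic crypto map: no "set peer", because the router's address is unknown.
! match address restricts the proxy IDs; reverse-route injects a route to
! 192.168.2.0/24 when the tunnel comes up, so no static route is needed.
crypto dynamic-map DYN-MAP 10 match address L2L-TRAFFIC
crypto dynamic-map DYN-MAP 10 set transform-set ESP-3DES-SHA
crypto dynamic-map DYN-MAP 10 set reverse-route
!
! Static entries (if any) must have lower sequence numbers; the dynamic
! entry goes last so it is only consulted when no static peer matches.
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
!
! Allow decrypted traffic through without an outside ACL entry
! (7.0 keyword is permit-ipsec; 7.2 and later renamed it permit-vpn)
sysopt connection permit-ipsec
!
! Pre-shared key on the built-in group a main-mode peer with an unknown
! IP lands on. DefaultL2LGroup already exists; do not define a "type".
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key CHANGE-ME-long-random-secret
!
!=====================================================================
! IOS router side (dynamic DSL address, must be the IKE initiator)
!=====================================================================
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
! Key is bound to the PIX's static address; main mode is the IOS default
crypto isakmp key CHANGE-ME-long-random-secret address 203.0.113.10
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Interesting traffic: mirror image of L2L-TRAFFIC on the PIX
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
crypto map PIX-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set ESP-3DES-SHA
 match address 110
!
interface Dialer1
 crypto map PIX-MAP
!
! If the router does PAT on Dialer1, exempt the VPN traffic from NAT
! so it still matches access-list 110 after routing.
access-list 120 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 any
route-map NONAT permit 10
 match ip address 120
ip nat inside source route-map NONAT interface Dialer1 overload
```

Two points a practitioner should keep in mind. First, because the PIX has no peer address to key on, any host on the Internet that knows the DefaultL2LGroup pre-shared key can bring up a tunnel; the key must be strong, and the `match address` on the dynamic map is what keeps such a peer from negotiating broader proxy identities than 192.168.2.0/24 to 192.168.1.0/24. Second, only the router can initiate; traffic originating on the PIX side will not bring the tunnel up. On the PIX, `show crypto ipsec sa` shows the negotiated SAs, and `debug crypto isakmp` shows which tunnel-group a peer landed on. On ASA 7.2.x, use `crypto isakmp ...` for the phase 1 commands and `sysopt connection permit-vpn`; the rest of the configuration is the same.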


5 Replies


Gilbert,

Thanks a lot!!! This document definitely solved my issue.

I appreciate your help.

Best regards,

Mauricio

Hi,

I tried it with ASA 7.2.2 with some changes (because some commands were changed) and it works well.

Then I tried it with a special group like TESTGROUP instead of DefaultRAGroup but with same parameters and I get the following error message:

Mar 15 23:45:19 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Can't find a valid tunnel group, aborting...!

Mar 15 23:45:19 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Removing peer from peer table failed, no match!

Mar 15 23:45:19 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Error: Unable to remove PeerTblEntry

Mar 15 23:45:24 [IKEv1]: IP = x.x.x.x, Header invalid, missing SA payload! (next payload = 4)

What's going wrong?

Regards

Helmut

Hi,

A dynamic tunnel will never land on a separately created group.

It would be either DefaultRAGroup or DefaultL2LGroup, depending on how the remote side initiates the connection.

If it initiates the connection in Aggressive mode, the connection will land on DefaultRAGroup, and if it initiates the connection in Main mode, it will land on DefaultL2LGroup.

But never on a separately created group.

*Please rate if helped.

-Kanishka

Helmut,

When the tunnel from the remote side is trying to get initiated, the ASA looks through the tunnel-groups and finds the one whose IP address matches the peer IP address. So, if you create a group called TESTGROUP, it is not going to match on that.

With 7.x version of code, you will not be able to make a LAN to LAN (static) land on a named tunnel-group.

Since you do not know what the IP address of the remote guy is, it is best to let the tunnel land on the DefaultL2LGroup.

Rate this post, if it helps!

Cheers

Gilbert
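As an added illustration of the lookup Gilbert and Kanishka describe (not configuration from either of them, and not from the linked document): on 7.x a main-mode L2L peer is matched to a tunnel-group whose name is the peer's IP address, so a static peer gets a group named after its address, while a peer whose address is unknown can only fall back to DefaultL2LGroup. The peer address 198.51.100.7 and the key placeholders are assumptions.

```cisco
! Static peer: the tunnel-group NAME is the peer's IP address, because
! that is what the lookup keys on. A descriptive name such as TESTGROUP
! is never consulted for an incoming main-mode L2L negotiation, which is
! why the log reports "Can't find a valid tunnel group".
tunnel-group 198.51.100.7 type ipsec-l2l
tunnel-group 198.51.100.7 ipsec-attributes
 pre-shared-key CHANGE-ME-key-for-198.51.100.7
!
! Dynamic peer: there is no address to name a group after, so the only
! group the lookup can fall back to is the built-in DefaultL2LGroup.
! It exists already; do not create it with "type".
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key CHANGE-ME-key-for-dynamic-peers
!
! Verification: list the tunnel-groups and watch the lookup during a
! negotiation. The "Group = ..." field in the debug output is the name
! the ASA tried to match (the peer IP, or DefaultL2LGroup on fallback).
show running-config tunnel-group
debug crypto isakmp 7
```

Note that the two keys can and should differ: a peer with a known address never uses the DefaultL2LGroup key, so the key that any-address peers can use is kept separate from the one bound to 198.51.100.7.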