
Conflicting protocols specified by tunnel-group and group-policy


This post on conflicting VPN protocols opens the Troubleshooting and FAQ section of the Grandmetric blog. In this category we will publish bugs and issues, problem descriptions, handy troubleshooting techniques and answers to interesting questions. As network contractors and trainers, we have come across dozens of interesting problems faced by our customers. We would like to share our experience in dealing with those problems and discuss their solutions with our readers.

Here is the first one.

On Cisco ASA 9.x, where IKEv2 is available alongside IKEv1, you may find that a site-to-site (S2S, or L2L in ASA terms) IKEv1 (legacy ISAKMP) tunnel fails to establish even though the configuration looks good at first glance. The log shows the following:

%ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel.

%ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. 

Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy

The last message points at the group-policy. The tunnel-group for this peer has no custom group-policy assigned, so it uses the default one, DfltGrpPolicy, whose relevant attributes look like this:

group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless

The problem is that IKEv1 is not enabled under DfltGrpPolicy: the vpn-tunnel-protocol attribute lists ikev2 and the SSL VPN protocols only. The tunnel-group is keyed for IKEv1 (ikev1 pre-shared-key under its ipsec-attributes), so the ASA rejects the tunnel as conflicting with the group-policy it falls under.

Resolution: add ikev1 to the vpn-tunnel-protocol attribute of DfltGrpPolicy, keeping the protocols already listed there, since other tunnels and remote-access users may depend on them:

group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless

And of course, verify that the tunnel comes up. The IKEv1 SA should reach the MM_ACTIVE state:

GPD01-FW01-01# sh cry isa sa
IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: X.X.X.X
Type    : L2L             Role    : initiator
Rekey   : no              State   : MM_ACTIVE

And the IPsec SAs, with the packet counters incrementing in both directions:

GPD01-FW01-01# sh cry ipse sa
interface: outside
Crypto map tag: TRE_CRYPTO_MAP, seq num: 10, local addr: X.X.X.X

access-list XXXXXXXXXXXXX extended permit ip
local ident (addr/mask/prot/port): (
remote ident (addr/mask/prot/port): (
current_peer: X.X.X.X

#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
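The conflict above is easy to spot once you know where to look, but on a firewall with many tunnel-groups it is worth checking mechanically. The script below is an added example, not code from the original post: it parses the relevant part of an ASA running-config (a constructed sample using documentation IP addresses, with pre-shared keys masked as the ASA prints them) and reports every ipsec-l2l tunnel-group whose IKE version, as implied by its ikev1 or ikev2 pre-shared-key lines, is missing from the vpn-tunnel-protocol of its effective group-policy. It assumes the ASA inheritance rule that a tunnel-group without a default-group-policy uses DfltGrpPolicy, and that a custom group-policy with no vpn-tunnel-protocol of its own inherits that attribute from DfltGrpPolicy.

```python
"""Audit an ASA running-config for tunnel-group / group-policy protocol conflicts.

Added example (not part of the original post). The config text is constructed
to mirror the shape of `show running-config` output on an ASA 9.x.
"""
import re
from typing import Dict, List, Set, Tuple

DEFAULT_POLICY = "DfltGrpPolicy"

# Constructed sample config: one L2L peer keyed for IKEv1 under the default
# policy (the broken case from the post), one under a custom policy that
# allows IKEv1, and one keyed for IKEv2 only.
SAMPLE_CONFIG = """
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
group-policy GP_PARTNER internal
group-policy GP_PARTNER attributes
 vpn-tunnel-protocol ikev1 ikev2
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 general-attributes
 default-group-policy GP_PARTNER
tunnel-group 203.0.113.20 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 192.0.2.30 type ipsec-l2l
tunnel-group 192.0.2.30 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
"""

# The same config after applying the fix from the post (ikev1 added to DfltGrpPolicy).
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "vpn-tunnel-protocol ikev2 ssl-client", "vpn-tunnel-protocol ikev1 ikev2 ssl-client"
)


def parse_asa_config(config: str):
    """Extract group-policy protocols and tunnel-group type/policy/IKE keying."""
    policies: Dict[str, Set[str]] = {}   # policy name -> protocols in vpn-tunnel-protocol
    tg_type: Dict[str, str] = {}         # tunnel-group name -> type (ipsec-l2l, remote-access, ...)
    tg_policy: Dict[str, str] = {}       # tunnel-group name -> explicit default-group-policy
    tg_ike: Dict[str, Set[str]] = {}     # tunnel-group name -> {"ikev1", "ikev2"} seen in keying
    section = None                       # ("policy", name) or ("tg", name) for indented lines

    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):
            # Top-level command: open a new section or record a one-line fact.
            section = None
            if m := re.match(r"group-policy (\S+) attributes$", line):
                section = ("policy", m.group(1))
                policies.setdefault(m.group(1), set())
            elif m := re.match(r"tunnel-group (\S+) type (\S+)$", line):
                tg_type[m.group(1)] = m.group(2)
            elif m := re.match(r"tunnel-group (\S+) (general-attributes|ipsec-attributes)$", line):
                section = ("tg", m.group(1))
            continue
        if section is None:
            continue
        kind, name = section
        parts = line.split()
        if kind == "policy" and parts[0] == "vpn-tunnel-protocol":
            policies[name] = set(parts[1:])
        elif kind == "tg":
            if parts[0] == "default-group-policy":
                tg_policy[name] = parts[1]
            elif parts[0] in ("ikev1", "ikev2") and "pre-shared-key" in parts:
                tg_ike.setdefault(name, set()).add(parts[0])
    return policies, tg_type, tg_policy, tg_ike


def effective_protocols(policies, tg_policy, tg: str) -> Tuple[str, Set[str]]:
    """Return (policy that supplies vpn-tunnel-protocol, allowed protocols) for a tunnel-group."""
    name = tg_policy.get(tg, DEFAULT_POLICY)
    protos = policies.get(name, set())
    if not protos and name != DEFAULT_POLICY:
        # Attribute not set on the custom policy: inherited from DfltGrpPolicy.
        name, protos = DEFAULT_POLICY, policies.get(DEFAULT_POLICY, set())
    return name, protos


def find_conflicts(config: str) -> List[Tuple[str, str, str]]:
    """List (tunnel-group, IKE version, policy) triples that the ASA would reject."""
    policies, tg_type, tg_policy, tg_ike = parse_asa_config(config)
    conflicts = []
    for tg in sorted(tg_type):
        if tg_type[tg] != "ipsec-l2l":
            continue
        policy, allowed = effective_protocols(policies, tg_policy, tg)
        for ike in sorted(tg_ike.get(tg, ())):
            if ike not in allowed:
                conflicts.append((tg, ike, policy))
    return conflicts


if __name__ == "__main__":
    for tg, ike, policy in find_conflicts(SAMPLE_CONFIG):
        print(f"tunnel-group {tg} is keyed for {ike} but {policy} does not allow it")
    print("after fix:", find_conflicts(FIXED_CONFIG))
```

Run it against `show running-config group-policy` plus `show running-config tunnel-group` output pasted into a file; each reported triple is a peer that will log the "Conflicting protocols" rejection before it even reaches the pre-shared-key check.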


Marcin Bialy

Marcin Biały is a Network and Security Architect with over 14 years of experience and a Service Provider and Enterprise networking background. He has worked for large service providers, global vendors and systems integrators in Network Architect, Lead Architect and Technical Solution Manager positions. He has designed, implemented and supported dozens of large-scale projects and infrastructure migrations, solved hundreds of tickets and spent countless hours in the CLI and GUI of many vendors' products. Marcin also holds industry-recognised certifications such as CCNP, CCNA, CCSI #35269, FCNSP #7207, FCNSA and more.

1 Comment
11 September 2017 at 20:11

Huge help! Thanks for the insight on this.
