    Conflicting protocols specified by tunnel-group and group-policy

    Date: 04.12.2016


    It is my pleasure to write about conflicting protocols in this post for the Troubleshooting and FAQ section of our Grandmetric blog. In this category we will publish bugs and issues, problem descriptions, handy troubleshooting techniques, and answers to interesting questions. As network contractors and trainers, we have come across dozens of interesting problems faced by our customers. We would like to share our experience in dealing with those problems and discuss their solutions with our readers.

    Here is the first one.

    This issue shows up especially on Cisco ASA 9.x, where the IKEv2 protocol is available: a site-to-site (S2S) IKEv1 (legacy ISAKMP) VPN tunnel fails to establish, even though the configuration looks good at first glance. You may see the following errors:

    %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel.

    %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.

    Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy

    Looking at the logs above, one realizes that the default group-policy is involved: no custom group-policy is assigned to this tunnel-group, so the tunnel inherits DfltGrpPolicy, whose configuration is:

    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol ikev2 ssl-client ssl-clientless

    The problem is that IKEv1 is not enabled under the group-policy DfltGrpPolicy. The tunnel protocols a group-policy allows are listed in its vpn-tunnel-protocol line, and in this case ikev1 is missing from that list, so the tunnel-group (which uses IKEv1) conflicts with its group-policy.

    Resolution: enable IKEv1 under DfltGrpPolicy in the vpn-tunnel-protocol line:

    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
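As an added illustration (not code from the original post or from Cisco), the following Python script audits an ASA running-config for exactly this mismatch: for every tunnel-group it works out which group-policy applies (DfltGrpPolicy unless default-group-policy overrides it) and reports the IKE versions keyed under ipsec-attributes that the policy's vpn-tunnel-protocol does not allow. The sample config, peer addresses and policy name GP-PARTNER are constructed for the example.

```python
import re

# Constructed sample config (not from a real device). Peer 203.0.113.10 keys
# IKEv1 but inherits DfltGrpPolicy, which permits only ikev2 and SSL.
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
group-policy GP-PARTNER attributes
 vpn-tunnel-protocol ikev1 ikev2
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 198.51.100.7 type ipsec-l2l
tunnel-group 198.51.100.7 general-attributes
 default-group-policy GP-PARTNER
tunnel-group 198.51.100.7 ipsec-attributes
 ikev1 pre-shared-key *****
"""
# Top-level commands that open an indented block this audit cares about.
BLOCK = re.compile(r"(group-policy|tunnel-group) (\S+) (attributes|general-attributes|ipsec-attributes)$")


def parse_asa(config):
    """Return vpn-tunnel-protocol per group-policy and, per tunnel-group, its policy plus keyed IKE versions."""
    policies, groups, section = {}, {}, None
    for line in config.splitlines():
        words = line.split()
        if not line.startswith(" "):              # new top-level command
            m = BLOCK.match(line)
            section = (m.group(1), m.group(2)) if m else None
            if words[:1] == ["tunnel-group"]:
                # Every tunnel-group inherits DfltGrpPolicy unless overridden.
                groups.setdefault(words[1], {"policy": "DfltGrpPolicy", "uses": set()})
        elif section is None or not words:
            continue
        elif section[0] == "group-policy" and words[0] == "vpn-tunnel-protocol":
            policies[section[1]] = set(words[1:])
        elif section[0] == "tunnel-group" and words[0] == "default-group-policy":
            groups[section[1]]["policy"] = words[1]
        elif section[0] == "tunnel-group" and words[0] in ("ikev1", "ikev2"):
            groups[section[1]]["uses"].add(words[0])
    return policies, groups


def find_conflicts(config):
    """Map tunnel-group -> IKE versions it keys that its group-policy does not allow."""
    policies, groups = parse_asa(config)
    conflicts = {}
    for name, tg in groups.items():
        missing = tg["uses"] - policies.get(tg["policy"], set())
        if missing:
            conflicts[name] = sorted(missing)
    return conflicts
```

Running find_conflicts(SAMPLE_CONFIG) flags only 203.0.113.10 as missing ikev1; adding ikev1 to the DfltGrpPolicy line, as in the resolution above, clears the report.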

    And of course, don’t forget to check that it is working now:

    GPD01-FW01-01# sh cry isa sa
    IKEv1 SAs:

    Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1   IKE Peer: X.X.X.X
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

    And the IPsec SAs:

    GPD01-FW01-01# sh cry ipse sa
    interface: outside
    Crypto map tag: TRE_CRYPTO_MAP, seq num: 10, local addr: X.X.X.X

    access-list XXXXXXXXXXXXX extended permit ip
    local ident (addr/mask/prot/port): (
    remote ident (addr/mask/prot/port): (
    current_peer: X.X.X.X

    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9


    Marcin Bialy

    Marcin Biały is a Network and Security Architect with over 14 years of experience and a Service Provider and Enterprise networking background. He has worked for large service providers, global vendors and integration services companies in Network Architect, Lead Architect and Technical Solution Manager positions. He has designed, implemented and supported dozens of large-scale projects and infrastructure migrations, solved hundreds of tickets and spent hours with the CLI and GUI of many flavors. Marcin also holds industry-recognized certificates such as CCNP, CCNA, CCSI #35269, FCNSP #7207, FCNSA and more.

    11 September 2017 at 20:11

    Huge help! Thanks for the insight on this.


    11 December 2023 at 14:32

    Great help!
    I was getting mad setting up a VPN with AWS, your suggestion saved me! 🙂


    Marcin Bialy
    12 December 2023 at 13:11

    Glad to see it was handy!

