Showing results for 
Search instead for 
Did you mean: 
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


Is the DefaultPolicyGroup for L2L activated by default??

Hi all,

I configured L2L connection using ASA 5520 & 5505 with the basic commands on both ends at everything worked correctly (ACL configuration lines were omitted).

tunnel-group type ipsec-l2l

tunnel-group ipsec-attributes

pre-shared-key abcd

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 3600

isakmp enable outside

isakmp identity address

crypto ipsec transform-set myset esp-aes-192 esp-sha-hmac

crypto map newmap 10 match address 100

crypto map newmap 10 set peer

crypto map newmap 10 set transform-set myset

crypto map newmap interface outside

I would like to know if the Default Policy Group which is part of the General Attributes for the L2L connection is activated by Default (see below from Cisco Web Page) when you configure this type of connection even though I did not explicitly configure it.

Default LAN-to-LAN Tunnel Group Configuration

The contents of the default LAN-to-LAN tunnel group are as follows:

tunnel-group DefaultL2LGroup type ipsec-l2l

tunnel-group DefaultL2LGroup general-attributes

 no accounting-server-group
  default-group-policy DfltGrpPolicy

tunnel-group DefaultL2LGroup ipsec-attributes

 no pre-shared-key

 peer-id-validate req

 no chain

 no trust-point

 isakmp keepalive threshold 10 retry 2

I also found that you need to activate the Default Policy Group if you want it to be used (see below from Cisco), but as I mentioned before, when you use L2L configuration apparently it is operative by default. Please confirm it.

Default Group Policy

The security appliance supplies a default group policy. You can modify this default group policy, but you cannot delete it. A default group policy, named "DfltGrpPolicy", always exists on the security appliance, but this default group policy does not take effect unless you configure the security appliance to use it.To view the default group policy, enter the following command:

hostname(config)# show running-config all group-policy DfltGrpPolicy

To configure the default group policy, enter the following command:

hostname(config)# group-policy DfltGrpPolicy internal

Recently, I had one problem because the Default Policy Group was activated and configured on 1 side of the connection and I lost the L2L Tunnel connection. I am assuming that when you configure L2L connections, THE GENERAL ATTRIBUTE = DEFAULT GROUP POLICY is automatically activated even though you did not configure it previously. Only when I configure the following command in the Default Group Policy, I could recover the connectivity:

group-policy DfltGrpPolicy attributes
vpn-simultaneous-logins 2
vpn-idle-timeout none
vpn-tunnel-protocol IPSEC svc webvpn

Thank you in advance for your comments with respect to the Default Group Policy operation for L2L connections.

Everyone's tags (4)