12-30-2022 09:32 AM - edited 12-30-2022 11:45 AM
Hello.
1. Within the below code snippet...
tunnel-group COMPANY_WORKERS type remote-access
tunnel-group COMPANY_WORKERS general-attributes
default-group-policy ABCD_VPN
tunnel-group COMPANY_WORKERS webvpn-attributes
...if the ASA does not find an attribute, will it then use the actual "group-policy DfltGrpPolicy attributes", or is the above "default-group-policy ABCD_VPN" command the exclusive default-group-policy, so that if an attribute is not found above (or in code referenced from the above code), the ASA will not seek any other attribute sources?
2. In the below code snippet...
group-policy ABCD_VPN internal
group-policy ABCD_VPN attributes
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
...Doesn't the above code need the lines (and what is the exact syntax?)...
#webvpn
#anyconnect profile value THE_COMPANY_USER_PROFILE type user
...in order to implement anyconnect attributes?
Thank you.
12-30-2022 01:11 PM
To specify the set of attributes that the user inherits by default, use the default-group-policy command in tunnel-group general-attributes configuration mode. To eliminate a default group policy name, use the no form of this command.
default-group-policy group-name
no default-group-policy group-name
command reference
12-30-2022 09:34 AM - edited 12-30-2022 09:41 AM
@jmaxwellUSAF if not explicitly defined in the specified group-policy, it will inherit the settings from the default group policy.
You don't need to define the anyconnect profile under group-policy. If you do not, the user just won't download the pre-configured profile.
12-30-2022 11:50 AM
In the below...
tunnel-group COMPANY_WORKERS type remote-access
tunnel-group COMPANY_WORKERS general-attributes
default-group-policy ABCD_VPN
tunnel-group COMPANY_WORKERS webvpn-attributes
---
is "default-group-policy ABCD_VPN" the actual default group policy, or is it just a specific policy named "default-group-policy", because my understanding is that the actual default group policy is named "DfltGrpPolicy"?
12-30-2022 11:59 AM
@jmaxwellUSAF in your example, the group-policy is called ABCD_VPN and is applied to the tunnel-group COMPANY_WORKERS; users connecting to this tunnel-group would therefore receive the settings defined in this policy.
If a tunnel-group does not explicitly reference a group-policy, then all settings would be inherited from the default group-policy, which is called DfltGrpPolicy.
12-30-2022 12:05 PM
Could you please provide the simplest example of code that would change the actual default group policy? (I am seeking the basic commands and syntax, especially if you are using the command "default-group-policy".)
Thank you.
12-30-2022 12:11 PM - edited 12-30-2022 12:13 PM
@jmaxwellUSAF the DfltGrpPolicy is hidden by default, use "show run all group-policy DfltGrpPolicy" to determine all the default settings.
show running-config all group-policy DfltGrpPolicy
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-idle-timeout alert-interval 1
vpn-session-timeout none
vpn-session-timeout alert-interval 1
vpn-filter none
ipv6-vpn-filter none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-clientless
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
ipv6-split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
split-tunnel-all-dns disable
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
client-bypass-protocol disable
gateway-fqdn none
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
msie-proxy pac-url none
msie-proxy lockdown enable
vlan none
address-pools none
ipv6-address-pools none
smartcard-removal-disconnect enable
scep-forwarding-url none
security-group-tag none
periodic-authentication certificate none
no vpn-simultaneous-login-delete-no-delay
client-firewall none
client-access-rule none
webvpn
url-list none
filter none
homepage none
html-content-filter none
port-forward name Application Access
port-forward disable
http-proxy disable
anyconnect ssl dtls enable
anyconnect mtu 1406
anyconnect firewall-rule client-interface private none
anyconnect firewall-rule client-interface public none
anyconnect keep-installer installed
anyconnect ssl keepalive 20
anyconnect ssl rekey time none
anyconnect ssl rekey method none
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 30
anyconnect ssl compression none
anyconnect dtls compression none
anyconnect modules none
anyconnect profiles none
anyconnect ask none
customization none
keep-alive-ignore 4
http-comp gzip
download-max-size 2147483647
upload-max-size 2147483647
post-max-size 2147483647
user-storage none
storage-objects value cookies,credentials
storage-key none
hidden-shares none
smart-tunnel disable
activex-relay enable
unix-auth-uid 65534
unix-auth-gid 65534
file-entry enable
file-browsing enable
url-entry enable
deny-message value Login was successful, but because certain criteria have non
smart-tunnel auto-signon disable
anyconnect ssl df-bit-ignore disable
anyconnect routing-filtering-ignore disable
smart-tunnel tunnel-policy tunnelall
always-on-vpn profile-setting
So without specifying a group-policy under the tunnel-group, the user would inherit the above settings.
12-30-2022 12:42 PM
Hi.
I am not writing new code, I am debugging old code that I did not write. The config is very messy and maybe wrong.
I am trying to figure out if, in the below...
tunnel-group COMPANY_WORKERS type remote-access
tunnel-group COMPANY_WORKERS general-attributes
default-group-policy ABCD_VPN
tunnel-group COMPANY_WORKERS webvpn-attributes
...the line "default-group-policy ABCD_VPN" is actually a specific policy, or whether it refers to the actual logical default group policy.
Is "default-group-policy ABCD_VPN" a reference to a specific policy, or the actual default group policy?
12-30-2022 12:48 PM
@jmaxwellUSAF this ABCD_VPN is the name of the group-policy applied to the tunnel-group.
"default-group-policy" is the command and "ABCD_VPN" is the value (the name of the profile).
12-30-2022 12:11 PM - edited 12-30-2022 12:17 PM
group-policy
1- DfltGrpPolicy <<- no need for any config under the tunnel-group.
2- configured group-policy <<- needs to be configured under the tunnel-group, but what are its attributes? They are inherited from DfltGrpPolicy (so in simple words, if you do not set an attribute, that attribute is the same as in DfltGrpPolicy).
Can I change some attributes? Yes, sure: you can set some and the others stay default, inherited from DfltGrpPolicy.
Can I break this default behaviour? Yes, you can by configuring the attribute as NONE; this makes the attribute not inherit from DfltGrpPolicy.
3- config group-policy with "from"!!
Yes, you can configure one group-policy and configure its attributes, then add another group-policy for a different tunnel-group and inherit its attributes from the first group-policy.
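The two replies above (the `show run all group-policy DfltGrpPolicy` output and the inheritance explanation) describe a resolution rule: a tunnel-group's `default-group-policy` names the policy a user gets, anything that policy does not set comes from DfltGrpPolicy, an attribute explicitly set to `none` stays `none`, and a tunnel-group with no `default-group-policy` falls back to DfltGrpPolicy. The script below is an added example, not code from the thread or from Cisco, that parses a constructed ASA-style config and reports where each effective attribute came from. The sample config, the policy and tunnel-group names, and the small keyword table are all constructed for this illustration and are not a complete ASA grammar; the `anyconnect profiles value <name> type user` line follows the plural `anyconnect profiles` keyword visible in the DfltGrpPolicy output.

```python
# Added example (not the thread's or Cisco's code): model ASA group-policy
# inheritance for a tunnel-group. Sample config and keyword table are constructed.
import re

DEFAULT_POLICY = "DfltGrpPolicy"

# Constructed sample: an abbreviated `show running-config all group-policy`
# plus the tunnel-groups from the question. `vpn-idle-timeout none` in
# ABCD_VPN shows an explicit `none` overriding the inherited 30 minutes.
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-idle-timeout alert-interval 1
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-clientless
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 webvpn
  anyconnect ssl dtls enable
  anyconnect profiles none
group-policy ABCD_VPN internal
group-policy ABCD_VPN attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 vpn-idle-timeout none
 webvpn
  anyconnect profiles value THE_COMPANY_USER_PROFILE type user
tunnel-group COMPANY_WORKERS type remote-access
tunnel-group COMPANY_WORKERS general-attributes
 default-group-policy ABCD_VPN
tunnel-group COMPANY_WORKERS webvpn-attributes
tunnel-group LEGACY type remote-access
"""

# Multi-word keywords used in the sample, longest first so that
# "vpn-idle-timeout alert-interval 1" is not read as "vpn-idle-timeout".
# Attributes under `webvpn` are prefixed "webvpn " so they cannot collide
# with top-level keys. Anything not listed falls back to its first word.
KNOWN_KEYS = sorted([
    "vpn-simultaneous-logins", "vpn-idle-timeout", "vpn-idle-timeout alert-interval",
    "vpn-tunnel-protocol", "split-tunnel-policy", "split-tunnel-network-list",
    "webvpn anyconnect ssl dtls", "webvpn anyconnect profiles",
], key=len, reverse=True)


def split_attribute(text):
    """Split one attribute line into (key, value) using the keyword table."""
    for key in KNOWN_KEYS:
        if text == key or text.startswith(key + " "):
            return key, text[len(key):].strip()
    head, _, tail = text.partition(" ")
    return head, tail


def parse_config(config):
    """Return ({policy: {key: value}}, {tunnel_group: policy_name or None})."""
    policies, tunnel_groups = {}, {}
    mode, in_webvpn = None, False      # mode: ("policy", name) or ("tunnel", name)
    for raw in config.splitlines():
        if not raw.strip():
            continue
        text, indent = raw.strip(), len(raw) - len(raw.lstrip())
        if indent == 0:                # a new top-level block starts
            mode, in_webvpn = None, False
            m = re.match(r"group-policy (\S+) (internal|external|attributes)\b", text)
            if m:
                policies.setdefault(m.group(1), {})
                if m.group(2) == "attributes":
                    mode = ("policy", m.group(1))
                continue
            m = re.match(r"tunnel-group (\S+) (type|general-attributes|webvpn-attributes)\b", text)
            if m:
                tunnel_groups.setdefault(m.group(1), None)
                if m.group(2) != "type":
                    mode = ("tunnel", m.group(1))
            continue
        if mode is None:
            continue
        kind, name = mode
        if kind == "tunnel":           # only the policy reference matters here
            m = re.match(r"default-group-policy (\S+)$", text)
            if m:
                tunnel_groups[name] = m.group(1)
            continue
        if indent == 1:                # back at the policy's top level
            in_webvpn = False
        if text == "webvpn":
            in_webvpn = True
            continue
        key, value = split_attribute(("webvpn " if in_webvpn else "") + text)
        policies[name][key] = value
    return policies, tunnel_groups


def effective_attributes(policies, tunnel_groups, tunnel_group):
    """Return (policy_name, attributes) a user of `tunnel_group` receives."""
    name = tunnel_groups[tunnel_group] or DEFAULT_POLICY
    resolved = dict(policies.get(DEFAULT_POLICY, {}))  # start from the defaults
    resolved.update(policies.get(name, {}))           # explicit values win, `none` included
    return name, resolved


def inheritance_report(policies, tunnel_groups, tunnel_group):
    """Label each effective attribute with where its value came from."""
    name, resolved = effective_attributes(policies, tunnel_groups, tunnel_group)
    own = policies.get(name, {})
    return {k: ("set in " + name if k in own else "inherited from " + DEFAULT_POLICY)
            for k in resolved}


if __name__ == "__main__":
    pols, tgs = parse_config(SAMPLE_CONFIG)
    for tg in tgs:
        name, attrs = effective_attributes(pols, tgs, tg)
        print(f"tunnel-group {tg} -> group-policy {name}")
        for key, origin in inheritance_report(pols, tgs, tg).items():
            print(f"  {key} = {attrs[key]!r}  ({origin})")
```

Running it prints, for COMPANY_WORKERS, `vpn-idle-timeout = 'none' (set in ABCD_VPN)` next to `vpn-simultaneous-logins = '3' (inherited from DfltGrpPolicy)`, which is the distinction the thread is about: an attribute the named policy sets, even to `none`, is not inherited, while everything it leaves unset comes from DfltGrpPolicy. The LEGACY tunnel-group, which has no `default-group-policy`, resolves entirely to DfltGrpPolicy. When auditing a real box, run `show running-config all group-policy <name>` for both the named policy and DfltGrpPolicy and compare them the same way.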
12-30-2022 01:17 PM - edited 12-30-2022 01:17 PM
Thank you for your help.
We can end on a funny story that I just discovered: the last engineer here, who is not here anymore, when he made the split-tunnel ACL, instead of 1 line including the enterprise subnet, wrote 197 painstakingly complex lines, with ports and protocols included, listing all outside destinations allowed. Imagine all that incorrect work! Wow.