Cisco Defense Orchestrator

Troubleshoot ASA Remote Access VPN

Cannot Add ASA to an existing RA VPN Configuration

"There are issues with one or more group policies ["DfltGrpPolicy"], you cannot add new device to this RA VPN configuration. More details about the issues can be found in object page."

If one or more group policies associated with an ASA device have issues, CDO doesn't allow you to add that device to an existing RA VPN configuration. It displays an error message that names the group policies having issues. These group policies also can't be shared with other ASA devices until the issues are resolved.

Only after you resolve the issues in the group policies does CDO allow you to add the corresponding ASA device to the RA VPN configuration and share the group policies with other devices.

You can either create a new RA VPN configuration and add this ASA device to it, or perform the following steps to resolve the issues in the group policies and add the device to an existing RA VPN configuration.

  1. In the Objects pane, click the filter icon.
  2. Click Filter by Device and select the ASA device you want to add.
  3. Click the filter icon, and in Object Type, click RA VPN Group Policy.
  4. Select the group policy that has issues and, in the Actions pane on the right, click Edit.
    The group policy wizard displays the error messages describing the issues.
  5. As you resolve each issue, the corresponding error message disappears from the window.
    • If the AnyConnect client profile is unavailable on the device, select another client profile that is available on the device.
      1. In the General tab, click + to select another client profile.
    • If a standard ACL has been used in the split-tunnel configuration, select an extended ACL that is available on the device.
      1. In the Split Tunneling tab, select Allow Networks list specified below or Exclude Networks list specified below.
      2. In the Networks List, select an extended ACL.
    • If a standard ACL has been used in the VPN traffic filters, select an extended ACL that is available on the device.
      1. In the Traffic Filters tab, select an extended ACL in Access List Filter.
  6. Click Save.
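
A pre-check you can run against a saved ASA running-config before adding the device, as an added example (not Cisco's or CDO's own code): it lists the group policies whose split-tunnel network list or VPN filter points at a standard ACL. The sample configuration and its ACL and policy names are constructed, and the script assumes the config uses the usual `access-list`, `group-policy ... attributes`, `split-tunnel-network-list value` and `vpn-filter value` command forms.

```python
import re

# Constructed sample of an ASA running-config (not taken from a real device).
SAMPLE_CONFIG = """\
access-list SPLIT_STD standard permit 10.10.0.0 255.255.0.0
access-list SPLIT_EXT extended permit ip 10.10.0.0 255.255.0.0 any
access-list VPN_FILTER_STD standard permit 10.20.0.0 255.255.0.0
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_STD
 vpn-filter value VPN_FILTER_STD
group-policy Engineering attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_EXT
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(standard|extended)\b")
GP_RE = re.compile(r"^group-policy\s+(\S+)\s+attributes\b")
REF_RE = re.compile(r"^\s+(split-tunnel-network-list|vpn-filter)\s+value\s+(\S+)")


def find_standard_acl_refs(config):
    """Return (group_policy, setting, acl) for each standard-ACL reference."""
    lines = config.splitlines()
    # Pass 1: record the type of every ACL defined in the config.
    acl_type = {}
    for line in lines:
        m = ACL_RE.match(line)
        if m:
            acl_type[m.group(1)] = m.group(2)
    # Pass 2: walk each group-policy attributes block (indented sub-commands).
    findings, current = [], None
    for line in lines:
        m = GP_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if not line.startswith(" "):
            current = None  # an unindented line ends the group-policy block
            continue
        m = REF_RE.match(line)
        if current and m and acl_type.get(m.group(2)) == "standard":
            findings.append((current, m.group(1), m.group(2)))
    return findings


if __name__ == "__main__":
    for policy, setting, acl in find_standard_acl_refs(SAMPLE_CONFIG):
        print(f"{policy}: {setting} uses standard ACL {acl}")
```

Each reported policy corresponds to a Split Tunneling or Traffic Filters entry that needs an extended ACL selected in the group policy wizard.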