Hello Mark, Here are my findings:
Although I was enabling "tunnel-group-map enable rules", which basically instructed the ASA to use the certificate maps to land the incoming connection on a tunnel-group, the tunnel was still coming up. In the debugs, I could see that the certificate map check was failing, but still the connection was landing at the correct tunnel.

So what I did was disable all OTHER methods which the ASA will use to land incoming connections, using the following commands:

#no tunnel-group-map enable ou
#no tunnel-group-map enable peer-ip
#no tunnel-group-map ike-id

and I just enabled:

#tunnel-group-map enable rules

And now it works according to the certificate map rules. If the certificate map denies the connection, the tunnel doesn't come up.

It appears that the ASA uses the "tunnel-group-map" rules in an order. Something like, if the certificate rules fail, then I think it tries to land the connection based on the OU, then on the peer-ip, etc. At least this is my observation.

Please let me know about your findings.

Cheers,
TacACK
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
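The configuration the message above describes, written out as an added example (not taken from the original post): the certificate map, its binding to a tunnel-group, and the fallback matching methods first left enabled and then disabled. The map name PARTNER-MAP, the tunnel-group TG-PARTNER and the OU value VPN-Partners are assumed placeholders; the ASA command syntax follows the standard command reference.

```cisco
! Added example, not from the original message. PARTNER-MAP, TG-PARTNER and
! the OU value "VPN-Partners" are assumed names; replace with your own.
!
! Certificate map: match peers whose certificate subject carries the OU
! we expect for this tunnel-group.
crypto ca certificate map PARTNER-MAP 10
 subject-name attr ou eq VPN-Partners
!
! Bind the certificate map (rule index 10) to the intended tunnel-group.
tunnel-group-map PARTNER-MAP 10 TG-PARTNER
!
! --- Weak: "rules" is enabled, but the other selection methods are still
! --- active, so a peer whose certificate fails PARTNER-MAP can still be
! --- landed on a tunnel-group by OU, peer IP or IKE ID matching.
tunnel-group-map enable rules
tunnel-group-map enable ou
tunnel-group-map enable peer-ip
tunnel-group-map enable ike-id
!
! --- Corrected, as observed in the message above: make the certificate-map
! --- rules the only selection method, so a certificate that fails the map
! --- has no tunnel-group to fall back to and the tunnel does not come up.
no tunnel-group-map enable ou
no tunnel-group-map enable peer-ip
no tunnel-group-map enable ike-id
tunnel-group-map enable rules
!
! Verify what is actually active after the change:
! show running-config | include tunnel-group-map
```

Note that the keyword form is "tunnel-group-map enable ike-id"; the "no tunnel-group-map ike-id" line in the message drops the "enable" keyword.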
