67-6
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter67 Configuring Connection Profiles, Group Policies, and Users
Configuring Connection Profiles
Configuring Connection Profiles
The following sections describe the contents and configuration of connection profiles:
Maximum Connection Profiles, page67-6
Default IPsec Remote Access Connection Profile Configuration, page67-7
Specifying a Name and Type for the Remote Access Connection Profile, page67-8
Configuring Remote-Access Connection Profiles, page67-7
Configuring LAN-to-LAN Connection Profiles, page67-17
Configuring Connection Profiles for Clientless SSL VPN Sessions, page67-20
Customizing Login Windows for Users of Clientless SSL VPN sessions, page67-27
Configuring the Connection Profile for RADIUS/SDI Message Support for the AnyConnect Client,
page 67-34
You can modify the default connection profiles, and you can configure a new connection profile as any
of the three tunnel-group types. If you don’t explicitly configure an attribute in a connection profile, that
attribute gets its value from the default connection profile. The default connection-profile type is remote
access. The subsequent parameters depend upon your choice of tunnel type. To see the current
configured and default configuration of all your connection profiles, including the default connection
profile, enter the show running-config all tunnel-group command.

Maximum Connection Profiles

The maximum number of connection profiles (tunnel groups) that an ASA can support is a function of
the maximum number of concurrent VPN sessions for the platform + 5. For example, an ASA5505 can
support a maximum of 25 concurrent VPN sessions allowing for 30 tunnel groups (25+5). Attempting
to add an additional tunnel group beyond the limit results in the following message: "ERROR: The limit
of 30 configured tunnel groups has been reached"
Table Table 67-2specifies the maximum VPN sessions and connection profiles for each ASA platform.
override-svc-download Overrides downloading the group-policy or username attributes
configured for downloading the AnyConnect VPN client to the remote
user.
radius-reject-message Enables the display of the RADIUS reject message on the login screen
when authentication is rejected.
Table67-1 Connection Profile Attributes for SSL VPN
Command Function
Table67-2 Maximum VPN Sessions and Connection Profiles Per ASA Platform
5505 Base/
Security Plus
5510/Base/
Security Plus
5520 5540 5550 5580-20 5580-40
Maximum VPN Sessions 10/25 250 750 5000 5000 10,000 10,000
Maximum Connection Profiles 15/30 255 755 5005 5005 10,005 10,005