Add a Network Tunnel Group

To enable tunnel redundancy and high availability for IPsec tunnels connected to data center hubs, follow the steps to add a network tunnel group to Cisco Secure Access.

Provisioning high-availability network tunnel groups at a hub site allows a group of tunnels to share a primary and secondary hub. Network devices that are capable of establishing an IPsec tunnel can join a network tunnel group using the credentials created when the tunnel group is deployed.

Each data center hub in a network tunnel group can connect to multiple tunnels. A hub configured for NAT can support up to 100 tunnels. A hub that is not configured for NAT is limited to 10 tunnels.

  1. In Secure Access, configure the attributes of the tunnel group and deploy the tunnel group. Once the tunnel group is deployed, the initial state of the tunnel group changes from Unestablished to Inactive.
  2. Next, configure a tunnel in the network device that sends traffic to Secure Access. Use the deployed tunnel group's attributes to associate the network tunnel to the tunnel group. The network tunnel group attributes required by network devices to establish the IPsec IKEv2 tunnel are: tunnel ID, tunnel passphrase, and IP Address of the Secure Access data center.
  3. Enable user computers to connect securely to the tunnel and begin to send traffic to Secure Access. Once Secure Access receives and logs traffic from a network tunnel, the tunnel state is considered Active. View the events for the tunnel in the Secure Access Overview and Activity Search.

Table of Contents


  • Full Admin role in Secure Access. For more information, see Manage Accounts.


Add a network tunnel in Secure Access for a device capable of establishing an IPsec IKEv2 tunnel.

  1. Navigate to Connect > Network Connections > Network Tunnel Groups.
  2. Click Add.
  1. Enter the General Settings for your tunnel group:
    1. Give your tunnel group a meaningful name.
    2. Choose a Region.
    3. Choose a Device Type.
    4. Click Next.
  1. Enter the Tunnel ID and Passphrase for your tunnel group:
    4. Choose a Tunnel ID Format, either Email or IP Address.

    • If the choice is email, use the format Use the name you gave the tunnel group in General Settings.
    • If the choice is IP address, include both a primary and secondary IP address.
    1. Enter a Passphrase.
      • A tunnel passphrase is between 16 and 64 characters in length. The passphrase must contain at least one upper case letter, one lower case letter, and one number.
      • The passphrase cannot include any special characters.
    2. Reenter your passphrase.
    3. Click Next.
  2. Choose the type of Routing for your tunnel group.

    1. Choose Static routing to manually add IP address ranges for this tunnel group. You should add all public and private address ranges used internally by your organization.
    2. Choose Dynamic routing when you have a BGP peer for your on-premise router.
      Note: You'll need the router's autonomous system (AS) number to use dynamic routing.
    3. Click Next.
  3. On the Data for Tunnel Setup page, review the network tunnel information for completeness. Click the Download CSV button to save the information to use to configure and deploy a tunnel in a network device.
    Note: This is the only time that your passphrase is displayed.

Configure Tunnel on Network Device

  1. Follow the steps in one of the network device guides to deploy an IPsec tunnel with Secure Access. For more information see Network Tunnel Configuration.

Verify Tunnel Traffic in Secure Access

After you add a tunnel to Cisco Secure Access and deploy a network tunnel with a compatible network device, check that Secure Access receives and logs traffic from the tunnel.

  1. Navigate to Overview and find your configured tunnel. Verify that the status of the tunnel is Active. For more information, see Secure Access Overview.

Manage Network Tunnel Groups < Add a Network Tunnel Group > Delete a Network Tunnel Group