There are two ways to configure a user group in a Remote Access Dial-up connection. 

1. Inherit from policy. In this method, the user group is configured under the IPsec dial-up firewall policy. The advantage of this method is it allows the administrator to set multiple user groups for a single traffic flow or policy. 

IPsec Phase 1 Configuration:

 Firewall Policy Configuration:

2. Configure the User Group under IPsec VPN phase 1 configuration. When using this method, only one group is allowed to be configured. No need to configure the user group under the firewall policy. 

IPsec Phase 1 Configuration:

Firewall Policy Configuration:

A problem will arise when the user group is defined on both firewall policy and IPsec phase 1 configuration. The IPsec traffic will not match the correct policy and will hit implicit deny.

To diagnose the issue, the administrator needs to run a debug. 

diagnose debug flow filter saddr X.X.X.X <----- Specify the VPN IP assigned to the user.
diagnose debug flow filter daddr Y.Y.Y.Y <----- Resource on remote LAN.
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug enable
diagnose debug flow trace start 500

The debug flow output will be like this:

To fix the issue, make sure to follow the guidelines above and configure the user group on either phase1 configuration or firewall policy only.