FortiGate
jera (Staff)
Article Id 355586
Description This article describes an issue where a user connected to an IPsec VPN with FortiClient Remote Access is unable to reach the remote subnet because the user group is configured redundantly, in both the IPsec phase 1 configuration and the firewall policy.
Scope FortiGate.
Solution

There are two ways to configure the user group for a Remote Access (dial-up) IPsec connection.

  1. Inherit from policy. In this method, the user group is configured on the firewall policy for the IPsec dial-up tunnel, and the User Group setting in the IPsec phase 1 configuration is left as 'Inherit from policy'. The advantage of this method is that it allows the administrator to set multiple user groups for a single traffic flow or policy.

IPsec Phase 1 Configuration:

[Image: IPsec phase 1 configuration with the User Group set to 'Inherit from policy']

Firewall Policy Configuration:

[Image: firewall policy for the dial-up tunnel with the user groups selected]

  2. Configure the user group in the IPsec VPN phase 1 configuration. When using this method, only one group can be configured, and the user group must not be configured on the firewall policy.

IPsec Phase 1 Configuration:

[Image: IPsec phase 1 configuration with a single User Group selected]

Firewall Policy Configuration:

[Image: firewall policy for the dial-up tunnel with no user group configured]


A problem arises when the user group is defined in both places, on the firewall policy and in the IPsec phase 1 configuration. The IPsec traffic will not match the intended dial-up policy and will hit the implicit deny policy, so the user cannot reach the remote subnet.
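As an added example (not part of this article or of Fortinet's own tooling), the following Python script shows the two valid configurations and the redundant one as FortiOS CLI text, then parses the dump and classifies each dial-up tunnel by where its user group is set. In the CLI, the phase 1 'User Group' setting is 'set authusrgrp' under 'config vpn ipsec phase1-interface', and the policy's groups are 'set groups' under 'config firewall policy'. The embedded configuration excerpt is constructed and abbreviated; the tunnel names, address objects and group names in it are assumptions.

```python
"""Check a FortiOS config dump for dial-up IPsec tunnels whose user group is
set both in phase 1 (authusrgrp) and on the firewall policy (groups)."""
import shlex

# Constructed, abbreviated FortiOS config excerpt (not from the article).
# Tunnel, address-object and group names are assumptions for the example.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "RA-inherit"
        set type dynamic
        set xauthtype auto
    next
    edit "RA-phase1grp"
        set type dynamic
        set xauthtype auto
        set authusrgrp "VPN-Users"
    next
    edit "RA-broken"
        set type dynamic
        set xauthtype auto
        set authusrgrp "VPN-Users"
    next
end
config firewall policy
    edit 10
        set srcintf "RA-inherit"
        set dstintf "port1"
        set srcaddr "RA-inherit_range"
        set dstaddr "Local-LAN"
        set groups "VPN-Users" "VPN-Admins"
    next
    edit 11
        set srcintf "RA-phase1grp"
        set dstintf "port1"
        set srcaddr "RA-phase1grp_range"
        set dstaddr "Local-LAN"
    next
    edit 12
        set srcintf "RA-broken"
        set dstintf "port1"
        set srcaddr "RA-broken_range"
        set dstaddr "Local-LAN"
        set groups "VPN-Users"
    next
end
"""


def parse_fortios(text):
    """Parse top-level 'config <table>' blocks into
    {table: {entry: {setting: [values]}}}. Config blocks nested inside an
    entry are skipped; 'unset', comment and blank lines are ignored."""
    tables, table, entry, depth = {}, None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            if table is None:
                table = line[7:]
                tables.setdefault(table, {})
            else:
                depth += 1                  # nested block inside an entry
        elif line == "end":
            if depth:
                depth -= 1
            else:
                table = None
        elif depth or table is None:
            continue
        elif line.startswith("edit "):
            entry = shlex.split(line[5:])[0]
            tables[table][entry] = {}
        elif line == "next":
            entry = None
        elif line.startswith("set ") and entry is not None:
            key, *values = shlex.split(line[4:])   # handles quoted names
            tables[table][entry][key] = values
    return tables


def audit_dialup_groups(config_text):
    """Classify each dial-up tunnel: 'policy' (inherit from policy),
    'phase1', 'redundant' (both places, the misconfiguration that sends the
    traffic to implicit deny) or 'none' (no group configured anywhere)."""
    cfg = parse_fortios(config_text)
    policies = cfg.get("firewall policy", {}).values()
    verdicts = {}
    for name, p1 in cfg.get("vpn ipsec phase1-interface", {}).items():
        if p1.get("type", ["static"])[0] != "dynamic":
            continue                        # authusrgrp only applies to dial-up
        in_phase1 = bool(p1.get("authusrgrp"))
        in_policy = any(pol.get("groups") for pol in policies
                        if name in pol.get("srcintf", []))
        verdicts[name] = {(True, True): "redundant", (True, False): "phase1",
                          (False, True): "policy"}.get((in_phase1, in_policy), "none")
    return verdicts


if __name__ == "__main__":
    for tunnel, verdict in audit_dialup_groups(SAMPLE_CONFIG).items():
        print(f"{tunnel}: user group configured in {verdict}")
```

To audit a real unit, pass the contents of a configuration backup (for example one taken with 'execute backup config') to audit_dialup_groups instead of SAMPLE_CONFIG; any tunnel reported as 'redundant' is the case this article describes and should have the group removed from one of the two places.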


To diagnose the issue, run a debug flow trace on the FortiGate while the VPN user attempts to reach the remote resource:

diagnose debug flow filter saddr X.X.X.X <----- Specify the VPN IP assigned to the user.
diagnose debug flow filter daddr Y.Y.Y.Y <----- Resource on the remote LAN.
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug enable
diagnose debug flow trace start 500


The debug flow output will look like this; the traffic from the VPN client does not match the dial-up policy and is denied by the implicit deny policy:

[Image: debug flow output showing the packet denied by the implicit deny policy]


To disable the debug once the trace has been captured:

diagnose debug reset
diagnose debug disable


To fix the issue, follow the guidelines above and configure the user group in only one place: either in the IPsec phase 1 configuration or on the firewall policy, never both. If the group is set in phase 1, remove it from the dial-up firewall policy; if it is set on the policy, set the phase 1 User Group back to 'Inherit from policy'.

Related article:

Troubleshooting tip: Error 'No route exists from source address' with policy matching