Yep, I tested the same, worked fine.

Andy

Strange indeed, here is mine

Just accept it and see if policy works.

Andy

Fails immediately. 

The names of groups don't line up between your screenshot and the validation error, so I feel like I'm missing something.

Are you nesting the earlier "VPN" group under the "Encryption.Domain" referenced in the validation error? 

See screenshots below.

Make sure group you are adding has name exclusions_

Andy

The Remote Access encryption domain is a group with exclusions;

This group looks as follows;

And the main group (non excluded) looks like this;

Just do how @CaseyB  did it. I did it same way and it worked.

Andy

The problem is that's how we do traditional IP based split tunneling, which I don't want to break. 

You can leave the gateway encryption domain as is.

• Make a new group that has all the IP addresses in it for RemoteAccess that you want
• Add the exclusions_ group to that
• Use the granular encryption domain for the RemoteAccess community

This will only effect stuff using that RemoteAccess community.

You could just clone the group you are using already and just remove the objects you are doing the exclude on.

So what's the difference between these two settings? I always thought they did the same thing;

I am using my screenshot below for reference.

• Section 1 - This is the default VPN domain for the gateway. RemoteAccess VPNs and IPsec VPNs will use this by default. It is a shared pool.
• Section 2 - This is where you can create a more specific VPN domain for that IPsec VPN or RemoteAccess VPN. I highlighted objects that say, "According to the gateway", that means those VPNs use the encryption domain from section 1. Everything else is using their own specific group with a much more defined encryption domain.

Based on your new screenshots, you should just be able to add your "exclusions_" group to the group "VPN_Exclusion_Domain".

Thats exactly how I tested it as well.

Andy