
300-730 Question #105: Real Exam Question with Answer & Explanation

The correct answer is B: Ensure that devices between the hub and spoke are not blocking ESP traffic.

Question

A DMVPN spoke is configured with IKEv1 to secure the tunnel. Despite having a configuration similar to other working spokes, the tunnel is not coming up. Packet captures on the spoke show packets leaving the spoke router, but not making it to the hub router. Which solution resolves this issue?

Options

  • A. Configure the spoke and hub to use the same IKE version.
  • B. Ensure that devices between the hub and spoke are not blocking ESP traffic.
  • C. Ensure that devices between the hub and spoke are not blocking GRE traffic.
  • D. Enable the tunnel interface with the no shutdown command.

Explanation

DMVPN uses multipoint GRE (mGRE) as the tunnel overlay, which is protected by IPsec when security is required. The IPsec data-plane protocol is ESP (Encapsulating Security Payload), which is IP protocol number 50, not TCP or UDP.

The critical clues in this scenario are:

  1. Packets are leaving the spoke router → the spoke's interface is up, local routing is correct, and the configuration is valid.
  2. Packets are not arriving at the hub router → something in the transit network path is discarding them.
  3. Configuration is similar to other working spokes → the problem is not a misconfiguration on the spoke or hub.

These clues point to an intermediate device (such as a service provider firewall, ACL on a transit router, or NAT device) that is blocking ESP (protocol 50) traffic. Many firewalls and ACLs are configured by default to only permit TCP, UDP, and ICMP, causing them to silently drop ESP packets. With ESP blocked, the IKE negotiation may partially complete (IKE uses UDP 500/4500) but the IPsec Security Associations cannot carry encrypted data, so the tunnel never comes up.

The fix is to ensure that all devices in the path between the spoke and hub explicitly permit IP protocol 50 (ESP).

Why the other options are wrong:

  • A (Configure the same IKE version): Other spokes with the same IKEv1 configuration work fine, so a version mismatch is not the issue.
  • C (GRE traffic blocked): When IPsec is applied to a DMVPN tunnel, the GRE packets are encapsulated inside ESP. The transit network sees ESP traffic, not raw GRE (protocol 47). Unblocking GRE would not help.
  • D (no shutdown on tunnel interface): If the interface were administratively down, no packets would leave the spoke at all. Since captures confirm packets are exiting the spoke, the interface is already active.
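As an added illustration of the fix above and of the point made under option C, here is a constructed transit-router ACL that drops ESP, beside the corrected one; this is example configuration, not from the question page or from Cisco documentation, and the ACL name, interface and addresses (documentation ranges) are assumed.

```cisco
! Constructed example: a filter on a transit router between spoke and hub.
! Assumed addresses: spoke public 203.0.113.20, hub public 198.51.100.10.
!
! --- Before: the common "tcp/udp/icmp only" filter.
! Protocol 50 is never named, so ESP from the spoke hits the implicit deny
! and is dropped silently, while IKE over UDP 500/4500 still gets through.
! This matches the scenario: captures show packets leaving the spoke, the
! hub never receives the encrypted mGRE traffic, and the tunnel stays down.
ip access-list extended TRANSIT-IN-BEFORE
 permit tcp any any
 permit udp any any
 permit icmp any any
!
! --- After: explicitly permit ESP (IP protocol 50) between spoke and hub.
ip access-list extended TRANSIT-IN-AFTER
 remark IKE on UDP 500/4500 is already covered by the udp rule below.
 remark Raw ESP needs its own entry: it is neither TCP nor UDP.
 permit esp host 203.0.113.20 host 198.51.100.10
 permit esp host 198.51.100.10 host 203.0.113.20
 remark No "permit gre" is needed: GRE (protocol 47) travels inside the
 remark ESP payload and is never seen on the wire between spoke and hub.
 permit tcp any any
 permit udp any any
 permit icmp any any
!
interface GigabitEthernet0/0
 ip access-group TRANSIT-IN-AFTER in
!
! Check that the esp entries are now matching traffic:
!   show ip access-lists TRANSIT-IN-AFTER
```

Caveat: if a NAT device sits in the path and NAT-T is negotiated, ESP is carried inside UDP 4500 and the udp rule alone would pass it; the explicit esp entries matter for the no-NAT case described in the question.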
