300-730 · Question #117
The correct answer is A: IPsec (IKEv2) Allow Access must be checked on the outside interface.
Question
Options
- A. IPsec (IKEv2) Allow Access must be checked on the outside interface.
- B. SSL Enable DTLS must be checked on the outside interface.
- C. Bypass interface access lists for inbound VPN sessions must be unchecked.
- D. IPsec (IKEv2) Enable Client Services must be checked on the outside interface.
- E. SSL Allow Access must be checked on the outside interface.
Explanation
Two separate capabilities must be enabled on the ASA outside interface:
- A - IPsec (IKEv2) Allow Access: Enables the ASA to accept IKEv2 negotiations on UDP 500 (initial IKE) and UDP 4500 (NAT-T). Without this, the ASA will not respond to AnyConnect IKEv2 connection attempts.
- D - IPsec (IKEv2) Enable Client Services: This is a critical secondary option. It enables an embedded HTTPS (SSL/TCP 443) listener alongside the IKEv2 service on the same outside interface. AnyConnect uses this SSL channel to download and update the client software profile before or after VPN tunnel establishment - without this, the software update over the same interface is not possible.
Why the other options are wrong:
- B - DTLS is an optimization for SSL-based VPN tunnels (reduces latency), not relevant to IKEv2 client services.
- C - Unchecking 'Bypass interface ACLs for inbound VPN sessions' would make VPN traffic subject to the outside ACL, potentially blocking it - this would hurt, not help.
- E - 'SSL Allow Access' enables a full SSL/TLS-based VPN tunnel (the older clientless or AnyConnect-SSL mode). This is a separate VPN mode from IKEv2 and is not required for the described scenario.
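As an added illustration that is not part of the original question or explanation, these are the ASA CLI lines that correspond to the ASDM checkboxes discussed above; they assume the interface is named `outside`.

```text
! Added example: ASA CLI equivalents of the ASDM checkboxes in this question.
! Assumption: the Internet-facing interface is named "outside".

! Option A - "IPsec (IKEv2) Allow Access": starts the IKEv2 listener on
!            UDP/500 (IKE) and UDP/4500 (NAT-T) on the outside interface.
! Option D - "IPsec (IKEv2) Enable Client Services": the client-services
!            keyword adds the HTTPS (TCP/443) listener on the same interface
!            that AnyConnect uses for profile and software updates.
crypto ikev2 enable outside client-services port 443

! Option C - "Bypass interface access lists for inbound VPN sessions" is the
! default; leaving it enabled keeps decrypted VPN traffic from being filtered
! by the outside interface ACL. Unchecking it would remove this line.
sysopt connection permit-vpn
```

Without the `client-services` keyword the IKEv2 tunnel can still be built, but the HTTPS update channel on that interface is absent, which is the gap option D closes.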