nerdexam
Cisco

300-730 · Question #119

A user at a company HQ is having trouble accessing a network share at a branch site that is connected with an SSL IPsec VPN. While troubleshooting, a network security engineer sees a packet capture on

The correct answer is A. Adjust the routing on the remote peer device to direct traffic back over the tunnel.. When the encryption counter increments but the decryption counter does not on a Cisco ASA, return traffic is never arriving through the tunnel, which points to a routing problem on the remote peer.

Troubleshooting VPNs

Question

A user at a company HQ is having trouble accessing a network share at a branch site that is connected with an SSL IPsec VPN. While troubleshooting, a network security engineer sees a packet capture on the Cisco ASA to emulate the user traffic and discovers that the encryption counter is increasing but the decryption counter is not. What must be configured to correct this issue?

Options

  • AAdjust the routing on the remote peer device to direct traffic back over the tunnel.
  • BAdjust the preshared key on the remote peer to allow traffic to flow over the tunnel.
  • CAdjust the transform set to allow bidirectional traffic.
  • DAdjust the peer IP address on the remote peer to direct traffic back to the ASA.

How the community answered

(28 responses)
  • A
    46% (13)
  • B
    7% (2)
  • C
    18% (5)
  • D
    29% (8)

Why each option

When the encryption counter increments but the decryption counter does not on a Cisco ASA, return traffic is never arriving through the tunnel, which points to a routing problem on the remote peer.

AAdjust the routing on the remote peer device to direct traffic back over the tunnel.Correct

An incrementing encryption counter confirms the ASA is successfully sending encrypted packets into the tunnel, while a static decryption counter means no encrypted packets are being received back. This asymmetry indicates the remote peer is forwarding its return traffic out a different path rather than back through the VPN tunnel, so correcting the remote peer's routing table to point the relevant subnets back over the tunnel resolves the one-way flow.

BAdjust the preshared key on the remote peer to allow traffic to flow over the tunnel.

A preshared key mismatch causes IKE authentication to fail entirely, preventing tunnel establishment - it would not produce an operational tunnel with one-directional counter activity.

CAdjust the transform set to allow bidirectional traffic.

Transform sets define the encryption and hashing algorithms negotiated during IKE Phase 2; they do not control the directionality of traffic flow through an already-established SA.

DAdjust the peer IP address on the remote peer to direct traffic back to the ASA.

An incorrect peer IP address would prevent the IKE handshake from completing, meaning no tunnel would form at all rather than a tunnel carrying only outbound traffic.

Concept tested: IPsec asymmetric traffic flow troubleshooting on Cisco ASA

Source: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113602-asa-ipsec-troubleshoot.html

Topics

#IPsec VPN#asymmetric routing#encryption counter#one-way traffic

Community Discussion

No community discussion yet for this question.

Full 300-730 Practice