300-730 · Question #119
A user at a company HQ is having trouble accessing a network share at a branch site that is connected with an SSL IPsec VPN. While troubleshooting, a network security engineer sees a packet capture on
The correct answer is A. Adjust the routing on the remote peer device to direct traffic back over the tunnel.. When the encryption counter increments but the decryption counter does not on a Cisco ASA, return traffic is never arriving through the tunnel, which points to a routing problem on the remote peer.
Question
Options
- AAdjust the routing on the remote peer device to direct traffic back over the tunnel.
- BAdjust the preshared key on the remote peer to allow traffic to flow over the tunnel.
- CAdjust the transform set to allow bidirectional traffic.
- DAdjust the peer IP address on the remote peer to direct traffic back to the ASA.
How the community answered
(28 responses)- A46% (13)
- B7% (2)
- C18% (5)
- D29% (8)
Why each option
When the encryption counter increments but the decryption counter does not on a Cisco ASA, return traffic is never arriving through the tunnel, which points to a routing problem on the remote peer.
An incrementing encryption counter confirms the ASA is successfully sending encrypted packets into the tunnel, while a static decryption counter means no encrypted packets are being received back. This asymmetry indicates the remote peer is forwarding its return traffic out a different path rather than back through the VPN tunnel, so correcting the remote peer's routing table to point the relevant subnets back over the tunnel resolves the one-way flow.
A preshared key mismatch causes IKE authentication to fail entirely, preventing tunnel establishment - it would not produce an operational tunnel with one-directional counter activity.
Transform sets define the encryption and hashing algorithms negotiated during IKE Phase 2; they do not control the directionality of traffic flow through an already-established SA.
An incorrect peer IP address would prevent the IKE handshake from completing, meaning no tunnel would form at all rather than a tunnel carrying only outbound traffic.
Concept tested: IPsec asymmetric traffic flow troubleshooting on Cisco ASA
Source: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113602-asa-ipsec-troubleshoot.html
Topics
Community Discussion
No community discussion yet for this question.