
300-730 · Question #119

300-730 Question #119: Real Exam Question with Answer & Explanation

The correct answer is A: Adjust the routing on the remote peer device to direct traffic back over the tunnel. When the ASA's encaps/encrypt counter increments but its decaps/decrypt counter does not, the ASA is sending the user's traffic into the tunnel but no return traffic is arriving through it, which points to a routing problem on the remote peer.

Troubleshooting VPNs

Question

A user at a company HQ is having trouble accessing a network share at a branch site that is connected with an SSL IPsec VPN. While troubleshooting, a network security engineer takes a packet capture on the Cisco ASA while emulating the user traffic and discovers that the encryption counter is increasing but the decryption counter is not. What must be configured to correct this issue?

Options

  • A. Adjust the routing on the remote peer device to direct traffic back over the tunnel.
  • B. Adjust the preshared key on the remote peer to allow traffic to flow over the tunnel.
  • C. Adjust the transform set to allow bidirectional traffic.
  • D. Adjust the peer IP address on the remote peer to direct traffic back to the ASA.

Explanation

On the ASA, `show crypto ipsec sa` reports per-SA counters: `#pkts encaps`/`#pkts encrypt` count packets the ASA has sent into the tunnel, and `#pkts decaps`/`#pkts decrypt` count packets it has received through the tunnel. An SA whose encrypt counter increments while its decrypt counter stays flat is up and carrying traffic in one direction only: the HQ user's packets are being encrypted and sent to the branch, but nothing comes back through the tunnel. IKE authentication, the peer address and the transform set are all fine, otherwise the SA would not exist. The usual cause is that the remote peer is not routing the return traffic for the HQ subnet back over the VPN (for example it follows a default route and leaves unencrypted, or a NAT rule rewrites it so it no longer matches the crypto ACL), so the fix is to correct routing on the remote peer so that return traffic is directed back through the tunnel.

A practical check that confirms this: run `clear crypto ipsec sa counters`, generate the test traffic, then read the counters on both peers. If the remote peer's own encaps counter is not increasing either, its return traffic is not entering the tunnel and the problem is the remote peer's routing. If the remote peer's encaps counter does increase while the ASA's decaps counter does not, the remote side is sending ESP and the packets are being dropped in transit between the peers, which is a different problem from the one in this question.
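As an added worked example (not part of the exam page or of Cisco's documentation), the following Python script parses two constructed snapshots of an ASA's `show crypto ipsec sa` output, computes the per-SA change in the encaps and decaps counters, and classifies each SA, so the one-way SA from the question stands out beside a healthy one. The device output, peer addresses and subnets are constructed for the example; the parser assumes the standard ASA counter layout shown in the sample and only reads the lines it needs.

```python
import re

# Constructed sample of `show crypto ipsec sa` on the HQ ASA, captured twice
# while the HQ user retries the branch share. Not real device output; the
# addresses are documentation ranges. Two SAs: branch A (peer .1) is the
# broken one from the question, branch B (peer .2) is healthy for comparison.
SNAPSHOT_BEFORE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.1

      access-list outside_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1

      #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
      #pkts decaps: 17, #pkts decrypt: 17, #pkts verify: 17
      #send errors: 0, #recv errors: 0

    Crypto map tag: outside_map, seq num: 20, local addr: 203.0.113.1

      access-list outside_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
      current_peer: 198.51.100.2

      #pkts encaps: 5000, #pkts encrypt: 5000, #pkts digest: 5000
      #pkts decaps: 4800, #pkts decrypt: 4800, #pkts verify: 4800
      #send errors: 0, #recv errors: 0
"""

# Same SAs a few seconds later: branch A encrypted 60 more packets and
# decrypted none; branch B moved in both directions.
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace(
    "#pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200",
    "#pkts encaps: 1260, #pkts encrypt: 1260, #pkts digest: 1260",
).replace(
    "#pkts encaps: 5000, #pkts encrypt: 5000, #pkts digest: 5000",
    "#pkts encaps: 5040, #pkts encrypt: 5040, #pkts digest: 5040",
).replace(
    "#pkts decaps: 4800, #pkts decrypt: 4800, #pkts verify: 4800",
    "#pkts decaps: 4835, #pkts decrypt: 4835, #pkts verify: 4835",
)

# One SA = local ident, remote ident, peer, then the encaps and decaps lines.
SA_RE = re.compile(
    r"local ident \(addr/mask/prot/port\): \((?P<local>[^)]+)\)\s*"
    r"remote ident \(addr/mask/prot/port\): \((?P<remote>[^)]+)\)\s*"
    r"current_peer: (?P<peer>\S+).*?"
    r"#pkts encaps: (?P<encaps>\d+).*?"
    r"#pkts decaps: (?P<decaps>\d+)",
    re.S,
)

HINTS = {
    "ok": "traffic flows both ways through this SA",
    "encrypt-only": "ASA encrypts outbound traffic but receives no encrypted return "
                    "traffic; check routing (and NAT) on the remote peer so return "
                    "traffic for the local subnet goes back over the tunnel",
    "decrypt-only": "remote peer sends but the ASA encrypts nothing; check local "
                    "routing, NAT exemption and the crypto ACL on the ASA",
    "idle": "no traffic matched this SA; verify the interesting-traffic ACL",
    "counters-reset": "counters went backwards (rekey or clear); take fresh snapshots",
}


def parse_ipsec_sa(text):
    """Return {(peer, local_ident, remote_ident): {encaps, decaps}} for each SA."""
    sas = {}
    for m in SA_RE.finditer(text):
        key = (m["peer"], m["local"], m["remote"])
        sas[key] = {"encaps": int(m["encaps"]), "decaps": int(m["decaps"])}
    return sas


def diagnose(before, after):
    """Classify each SA by how its counters moved between two snapshots."""
    prev_all = parse_ipsec_sa(before)
    report = {}
    for key, cur in parse_ipsec_sa(after).items():
        prev = prev_all.get(key, {"encaps": 0, "decaps": 0})
        d_enc = cur["encaps"] - prev["encaps"]
        d_dec = cur["decaps"] - prev["decaps"]
        if d_enc < 0 or d_dec < 0:
            verdict = "counters-reset"   # SA rekeyed or counters cleared mid-test
        elif d_enc > 0 and d_dec > 0:
            verdict = "ok"
        elif d_enc > 0:
            verdict = "encrypt-only"     # the symptom in this question
        elif d_dec > 0:
            verdict = "decrypt-only"
        else:
            verdict = "idle"
        report[key] = {"delta_encaps": d_enc, "delta_decaps": d_dec,
                       "verdict": verdict, "hint": HINTS[verdict]}
    return report


if __name__ == "__main__":
    for (peer, local, remote), r in diagnose(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(f"peer {peer} {local} -> {remote}: +{r['delta_encaps']} encaps, "
              f"+{r['delta_decaps']} decaps: {r['verdict']} ({r['hint']})")
```

On a real device, clear the counters with `clear crypto ipsec sa counters`, generate the test traffic, and paste the output of `show crypto ipsec sa` from each snapshot in place of the constructed strings. Running the same comparison on the remote peer tells the two remaining cases apart: if the remote's encaps counter is also flat, its routing is not sending return traffic into the tunnel (answer A); if it increments while the ASA's decaps counter does not, ESP is being lost between the peers.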

Common mistakes.

  • B. A preshared key mismatch causes IKE authentication to fail entirely, preventing tunnel establishment - it would not produce an operational tunnel with one-directional counter activity.
  • C. Transform sets define the encryption and hashing algorithms negotiated during IKE Phase 2; they do not control the directionality of traffic flow through an already-established SA.
  • D. An incorrect peer IP address would prevent the IKE handshake from completing, meaning no tunnel would form at all rather than a tunnel carrying only outbound traffic.

Concept tested. IPsec asymmetric traffic flow troubleshooting on Cisco ASA

Reference. https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113602-asa-ipsec-troubleshoot.html

Topics

#IPsec VPN, #asymmetric routing, #encryption counter, #one-way traffic
