nerdexam
Cisco

300-730 · Question #128

Refer to the exhibit. A Cisco ASA is configured as a client to a router running as a FlexVPN server. The router is configured with a virtual template to terminate FlexVPN clients. Traffic between netw

The correct answer is B. Modify the crypto ACL on the ASA to permit network 172.16.20.0/24 to network 192.16.0.0/24.. The crypto ACL on the ASA defines the wrong traffic selectors for the IKEv2 negotiation, causing a proxy ID mismatch that prevents traffic from being encrypted and forwarded correctly.

Troubleshooting VPNs

Question

Refer to the exhibit. A Cisco ASA is configured as a client to a router running as a FlexVPN server. The router is configured with a virtual template to terminate FlexVPN clients. Traffic between networks 192.168.0.0/24 and 172.16.20.0/24 does not work as expected. Based on the show crypto ikev2 sa output collected from the Cisco ASA in the exhibit, what is the solution to this issue?

Options

  • AModify the crypto ACL on the ASA to permit network 192.168.0.0/24 to network 172.16.20.0/24.
  • BModify the crypto ACL on the ASA to permit network 172.16.20.0/24 to network 192.16.0.0/24.
  • CModify the crypto ACL on the ASA to permit network 172.16.20.0/24 to network 192.16.20.0/24.
  • DModify the crypto ACL on the router to permit network 172.16.20.0/24 to network 192.16.0.0/24.

How the community answered

(30 responses)
  • A
    7% (2)
  • B
    47% (14)
  • C
    30% (9)
  • D
    17% (5)

Why each option

The crypto ACL on the ASA defines the wrong traffic selectors for the IKEv2 negotiation, causing a proxy ID mismatch that prevents traffic from being encrypted and forwarded correctly.

AModify the crypto ACL on the ASA to permit network 192.168.0.0/24 to network 172.16.20.0/24.

Permitting 192.168.0.0/24 as the source to 172.16.20.0/24 as the destination reverses the selector direction relative to what the show output indicates the router has negotiated, so the mismatch would persist.

BModify the crypto ACL on the ASA to permit network 172.16.20.0/24 to network 192.16.0.0/24.Correct

In an IKEv2/FlexVPN environment, the crypto ACL on the ASA client specifies the traffic selectors (proxy IDs) that are proposed to the FlexVPN server during negotiation. The show crypto ikev2 sa output reveals that the selectors the ASA is advertising do not match what the router expects; correcting the ACL to permit 172.16.20.0/24 (remote network) to 192.16.0.0/24 (local network as seen in the SA output) aligns the proposed selectors with the router's configuration and allows interesting traffic to be matched and encrypted.

CModify the crypto ACL on the ASA to permit network 172.16.20.0/24 to network 192.16.20.0/24.

Permitting 172.16.20.0/24 to 192.16.20.0/24 uses the same remote subnet on both sides of the ACL entry, which does not represent valid distinct source and destination networks.

DModify the crypto ACL on the router to permit network 172.16.20.0/24 to network 192.16.0.0/24.

The mismatch originates from the ASA client's crypto ACL, not from the FlexVPN server; changing the router's ACL would not correct the incorrect selectors being proposed by the ASA.

Concept tested: IKEv2 FlexVPN traffic selector proxy ID configuration

Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ikevpn/configuration/xe-16/sec-ikev2-flex-xe-16-book.html

Topics

#FlexVPN#crypto ACL#IKEv2 SA#ASA

Community Discussion

No community discussion yet for this question.

Full 300-730 Practice