300-730 · Question #128
Refer to the exhibit. A Cisco ASA is configured as a client to a router running as a FlexVPN server. The router is configured with a virtual template to terminate FlexVPN clients. Traffic between netw
The correct answer is B. Modify the crypto ACL on the ASA to permit network 172.16.20.0/24 to network 192.16.0.0/24.. The crypto ACL on the ASA defines the wrong traffic selectors for the IKEv2 negotiation, causing a proxy ID mismatch that prevents traffic from being encrypted and forwarded correctly.
Question
Options
- AModify the crypto ACL on the ASA to permit network 192.168.0.0/24 to network 172.16.20.0/24.
- BModify the crypto ACL on the ASA to permit network 172.16.20.0/24 to network 192.16.0.0/24.
- CModify the crypto ACL on the ASA to permit network 172.16.20.0/24 to network 192.16.20.0/24.
- DModify the crypto ACL on the router to permit network 172.16.20.0/24 to network 192.16.0.0/24.
How the community answered
(30 responses)- A7% (2)
- B47% (14)
- C30% (9)
- D17% (5)
Why each option
The crypto ACL on the ASA defines the wrong traffic selectors for the IKEv2 negotiation, causing a proxy ID mismatch that prevents traffic from being encrypted and forwarded correctly.
Permitting 192.168.0.0/24 as the source to 172.16.20.0/24 as the destination reverses the selector direction relative to what the show output indicates the router has negotiated, so the mismatch would persist.
In an IKEv2/FlexVPN environment, the crypto ACL on the ASA client specifies the traffic selectors (proxy IDs) that are proposed to the FlexVPN server during negotiation. The show crypto ikev2 sa output reveals that the selectors the ASA is advertising do not match what the router expects; correcting the ACL to permit 172.16.20.0/24 (remote network) to 192.16.0.0/24 (local network as seen in the SA output) aligns the proposed selectors with the router's configuration and allows interesting traffic to be matched and encrypted.
Permitting 172.16.20.0/24 to 192.16.20.0/24 uses the same remote subnet on both sides of the ACL entry, which does not represent valid distinct source and destination networks.
The mismatch originates from the ASA client's crypto ACL, not from the FlexVPN server; changing the router's ACL would not correct the incorrect selectors being proposed by the ASA.
Concept tested: IKEv2 FlexVPN traffic selector proxy ID configuration
Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ikevpn/configuration/xe-16/sec-ikev2-flex-xe-16-book.html
Topics
Community Discussion
No community discussion yet for this question.