300-730 · Question #66
Refer to the exhibit. An SSL client is connecting to an ASA headend. The session fails with the message "Connection attempt has timed out. Please verify Internet connectivity." Based on how the packet
The correct answer is D. phase 3: UN-NAT. The ASA packet-tracer output reveals the SSL VPN connection fails at phase 3 (UN-NAT), meaning the ASA cannot find a reverse NAT rule for the incoming client traffic and drops the packet before any session is established.
Question
Exhibits
Options
- Aphase 9: rpf-check
- Bphase 5: NAT
- Cphase 4: ACCESS-LIST
- Dphase 3: UN-NAT
How the community answered
(16 responses)- A6% (1)
- B25% (4)
- C6% (1)
- D63% (10)
Why each option
The ASA packet-tracer output reveals the SSL VPN connection fails at phase 3 (UN-NAT), meaning the ASA cannot find a reverse NAT rule for the incoming client traffic and drops the packet before any session is established.
The rpf-check phase (phase 9) validates reverse path forwarding for the post-NAT address and occurs late in processing, well after the UN-NAT phase where this failure actually originates.
Phase 5 NAT handles forward translation of outbound source addresses and runs after the UN-NAT lookup, so it is never reached when the failure already occurred at phase 3.
Phase 4 ACCESS-LIST denials produce an explicit deny log entry rather than a connection timeout, and that phase occurs after the UN-NAT phase that is blocking traffic earlier in the pipeline.
UN-NAT is the phase where the ASA performs a reverse NAT lookup to determine if an existing NAT rule matches the incoming packet's destination address. If no matching un-NAT entry exists for the SSL client's traffic arriving on the outside interface, the ASA drops the packet at this early phase, producing the connection timeout before any later processing occurs.
Concept tested: ASA packet processing phases - UN-NAT failure
Source: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98997-asa-packettracer-techsupport.html
Topics
Community Discussion
No community discussion yet for this question.

