nerdexam
Cisco

300-730 · Question #66

Refer to the exhibit. An SSL client is connecting to an ASA headend. The session fails with the message "Connection attempt has timed out. Please verify Internet connectivity." Based on how the packet

The correct answer is D. phase 3: UN-NAT. The ASA packet-tracer output reveals the SSL VPN connection fails at phase 3 (UN-NAT), meaning the ASA cannot find a reverse NAT rule for the incoming client traffic and drops the packet before any session is established.

Troubleshooting VPNs

Question

Refer to the exhibit. An SSL client is connecting to an ASA headend. The session fails with the message "Connection attempt has timed out. Please verify Internet connectivity." Based on how the packet is processed, which phase is causing the failure?

Exhibits

300-730 question #66 exhibit 1
300-730 question #66 exhibit 2

Options

  • Aphase 9: rpf-check
  • Bphase 5: NAT
  • Cphase 4: ACCESS-LIST
  • Dphase 3: UN-NAT

How the community answered

(16 responses)
  • A
    6% (1)
  • B
    25% (4)
  • C
    6% (1)
  • D
    63% (10)

Why each option

The ASA packet-tracer output reveals the SSL VPN connection fails at phase 3 (UN-NAT), meaning the ASA cannot find a reverse NAT rule for the incoming client traffic and drops the packet before any session is established.

Aphase 9: rpf-check

The rpf-check phase (phase 9) validates reverse path forwarding for the post-NAT address and occurs late in processing, well after the UN-NAT phase where this failure actually originates.

Bphase 5: NAT

Phase 5 NAT handles forward translation of outbound source addresses and runs after the UN-NAT lookup, so it is never reached when the failure already occurred at phase 3.

Cphase 4: ACCESS-LIST

Phase 4 ACCESS-LIST denials produce an explicit deny log entry rather than a connection timeout, and that phase occurs after the UN-NAT phase that is blocking traffic earlier in the pipeline.

Dphase 3: UN-NATCorrect

UN-NAT is the phase where the ASA performs a reverse NAT lookup to determine if an existing NAT rule matches the incoming packet's destination address. If no matching un-NAT entry exists for the SSL client's traffic arriving on the outside interface, the ASA drops the packet at this early phase, producing the connection timeout before any later processing occurs.

Concept tested: ASA packet processing phases - UN-NAT failure

Source: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98997-asa-packettracer-techsupport.html

Topics

#SSL VPN#ASA packet processing#UN-NAT#troubleshooting phases

Community Discussion

No community discussion yet for this question.

Full 300-730 Practice