nerdexam
Cisco

300-730 · Question #67

Which redundancy protocol must be implemented for IPsec stateless failover to work?

The correct answer is C. HSRP. IPsec stateless failover requires HSRP to maintain a shared virtual IP address so that when the active peer fails, the standby peer takes ownership of that IP and clients can reconnect without reconfiguration.

Site-to-site VPNs on Routers and Firewalls

Question

Which redundancy protocol must be implemented for IPsec stateless failover to work?

Options

  • ASSO
  • BGLBP
  • CHSRP
  • DVRRP

How the community answered

(45 responses)
  • A
    2% (1)
  • B
    7% (3)
  • C
    89% (40)
  • D
    2% (1)

Why each option

IPsec stateless failover requires HSRP to maintain a shared virtual IP address so that when the active peer fails, the standby peer takes ownership of that IP and clients can reconnect without reconfiguration.

ASSO

SSO (Stateful Switchover) is the underlying mechanism used for stateful failover where IKE and IPsec session state is replicated to the standby, not the redundancy protocol required for stateless failover.

BGLBP

GLBP distributes traffic across multiple active gateways using different virtual MAC addresses per member, which breaks the single-active model that IPsec stateless failover depends on for deterministic peer takeover.

CHSRPCorrect

HSRP creates a virtual IP and virtual MAC address shared between active and standby peers. With stateless IPsec failover, when the active device fails HSRP transitions the virtual IP to the standby, allowing clients to re-initiate connections to the same address - existing IPsec SAs are not preserved, so clients must renegotiate new security associations after failover.

DVRRP

VRRP is an open-standard protocol that functions similarly to HSRP, but Cisco's IPsec stateless failover feature is specifically integrated with HSRP on Cisco IOS and ASA platforms rather than VRRP.

Concept tested: IPsec stateless failover HSRP dependency

Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnav/configuration/xe-16/sec-vpn-availability-xe-16-book/sec-ipsec-ha-hsrp.html

Topics

#IPsec stateless failover#HSRP#redundancy protocol#high availability

Community Discussion

No community discussion yet for this question.

Full 300-730 Practice