
300-730 · Question #83

300-730 Question #83: Real Exam Question with Answer & Explanation

The correct answer is D: Make an adjustment to IPsec replay window. The mismatch between pkts encaps (26773) and pkts encrypt (16228) shows roughly 10,500 packets were dropped before encryption, which is a hallmark symptom of the IPsec anti-replay window being too small.

Question

Refer to the exhibit. Upon setting up a tunnel between two sites, users are complaining that connections to applications over the VPN are not working consistently. The output of show crypto ipsec sa was collected on one of the VPN devices. Based on this output, what should be done to fix this issue?

    interface: Tunnel10
    #crypto esp sa: Tunnel10-head-0, local addr 10.10.10.1
    protected vrf: (none)
    local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0)
    remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0)
    current spi: 0x16810.1 port 500
    PERMIT, flags=(origin_is_acl,)
    #pkts encaps: 26773, #pkts encrypt: 16228, #pkts digest: 16228
    #pkts decaps: 26773, #pkts decrypt: 26773, #pkts verify: 26773
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts not decompressed: 0
    #pkts not decapsulated: 0, #pkts decompressed failed: 0
    #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
    #pkts encrypted failed (send): 0, #pkts decrypted failed (rcv): 0
    #pkts invalid inpt (rcv): 0, #pkts verify failed: 0
    #pkts invalid identify (rcv): 0, #pkts invalid req (rcv): 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
    #pkts replay failed (rcv): 2375
    #pkts tagged (send): 0, #pkts untagged (rcv): 0
    #pkts not tagged (send): 0, #pkts not untagged (rcv): 0
    #pkts internal err (rcv): 0, #pkts internal err (rcv): 0
    local crypto endpt.: 1.10.10.0, remote crypto endpt.: 192.168.0.1
    plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu lab GigabitEthernet0/0/0
    current outbound spi: 0x48998999 (1218021785)
    PFS (Y/N): N, DH group: none

Options

  • A. Lower the tunnel MTU.
  • B. Enable perfect forward secrecy.
  • C. Specify the application networks in the remote identity.
  • D. Make an adjustment to IPsec replay window.

Explanation

The mismatch between pkts encaps (26773) and pkts encrypt (16228) shows roughly 10,500 packets were dropped before encryption, which is a hallmark symptom of the IPsec anti-replay window being too small.
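As an added example (not part of the exam page or of any Cisco tooling), the script below parses the "#pkts" counter lines of show crypto ipsec sa and reports the two indicators this explanation relies on: the encaps/encrypt gap and the "replay failed (rcv)" drop counter. The sample output is constructed from the exhibit above, trimmed to the counter lines.

```python
import re

# Constructed sample: the counter lines of the exhibit on this page, trimmed.
SAMPLE_SA_OUTPUT = """\
interface: Tunnel10
   #pkts encaps: 26773, #pkts encrypt: 16228, #pkts digest: 16228
   #pkts decaps: 26773, #pkts decrypt: 26773, #pkts verify: 26773
   #pkts encrypted failed (send): 0, #pkts decrypted failed (rcv): 0
   #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
   #pkts replay failed (rcv): 2375
   plaintext mtu 1438, path mtu 1500, ip mtu 1500
"""

# Matches "#pkts <name>: <value>", where <name> may end in "(send)" or "(rcv)".
COUNTER_RE = re.compile(r"#pkts ([a-z ]+?(?: \((?:send|rcv)\))?): (\d+)")


def parse_counters(text):
    """Return {counter_name: value} for every '#pkts ...: N' field in the output."""
    return {name.strip(): int(value) for name, value in COUNTER_RE.findall(text)}


def diagnose(counters):
    """Derive the indicators used on this page from the parsed counters.

    Returns the encaps/encrypt gap, the inbound anti-replay drop count, and a
    verdict. A non-zero "replay failed (rcv)" counter means the peer's packets
    arrived outside the anti-replay window, typically because the window is too
    small for the reordering on the path; the encaps/encrypt gap is the
    outbound-side discrepancy the explanation points to.
    """
    encaps = counters.get("encaps", 0)
    encrypt = counters.get("encrypt", 0)
    replay_failed = counters.get("replay failed (rcv)", 0)
    gap = encaps - encrypt
    return {
        "encaps_minus_encrypt": gap,
        "replay_failed_rcv": replay_failed,
        "suspect_replay_window": replay_failed > 0 or gap > 0,
    }


if __name__ == "__main__":
    for key, value in diagnose(parse_counters(SAMPLE_SA_OUTPUT)).items():
        print(f"{key}: {value}")
```

Running it against a healthy SA (encaps equal to encrypt, replay failed 0) yields suspect_replay_window False, which makes it usable as a quick health check across many tunnels.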

Common mistakes.

  • A. Lowering the tunnel MTU addresses fragmentation-related issues, not the packet count discrepancy between encapsulation and encryption counters seen in this output.
  • B. Enabling Perfect Forward Secrecy improves key exchange security by generating unique session keys but has no effect on packet drops caused by sequence number window violations.
  • C. Specifying application networks in the remote identity refines the interesting traffic selector, which would affect which flows are protected, not the per-packet drop behavior reflected in mismatched encaps versus encrypt counters.

Concept tested. IPsec anti-replay window packet drop diagnosis

Reference. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-16/sec-vpn-ipsec-xe-16-book/sec-cfg-vpn-ipsec.html
