Cisco
300-730 · Question #83
Refer to the exhibit. Upon setting up a tunnel between two sites, users are complaining that connections to applications over the VPN are not working consistently. The output of show crypto ipsec sa w
Sign in or unlock 300-730 to reveal the answer and full explanation for question #83. The question stem and answer options stay visible for context.
Troubleshooting VPNs
Question
Refer to the exhibit. Upon setting up a tunnel between two sites, users are complaining that connections to applications over the VPN are not working consistently. The output of show crypto ipsec sa was collected on one of the VPN devices. Based on this output, what should be done to fix this issue?
interface: Tunnel10
#crypto esp sa: Tunnel10-head-0, local addr 10.10.10.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0)
current spi: 0x16810.1 port 500
PERMIT, flags=(origin_is_acl,)
#pkts encaps: 26773, #pkts encrypt: 16228, #pkts digest: 16228
#pkts decaps: 26773, #pkts decrypt: 26773, #pkts verify: 26773
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts not decompressed: 0
#pkts not decapsulated: 0, #pkts decompressed failed: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encrypted failed (send): 0, #pkts decrypted failed (rcv): 0
#pkts invalid inpt (rcv): 0, #pkts verify failed: 0
#pkts invalid identify (rcv): 0, #pkts invalid req (rcv): 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 2375
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (rcv): 0, #pkts internal err (rcv): 0
local crypto endpt.: 1.10.10.0, remote crypto endpt.: 192.168.0.1
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu lab GigabitEthernet0/0/0
current outbound spi: 0x48998999 (1218021785)
PFS (Y/N): N, DH group: none
Options
- ALower the tunnel MTU.
- BEnable perfect forward secrecy.
- CSpecify the application networks in the remote identity.
- DMake an adjustment to IPsec replay window.
Unlock 300-730 to see the answer
You've previewed enough free 300-730 questions. Unlock 300-730 for full answers, explanations, the timed quiz mode, progress tracking, and the master PDF. Question stem and options stay visible so you can still see what's on the exam.
Topics
#IPsec SA#replay window#show crypto ipsec sa#troubleshooting