300-730 Question #88: Real Exam Question with Answer & Explanation

The correct answer is D: Confirm that the pre-shared keys match on both devices. The MM_KEY_EXCH state in IKEv1 Main Mode indicates SA proposals and Diffie-Hellman exchange already succeeded, so the failure is at the authentication step - most commonly caused by mismatched pre-shared keys.

Troubleshooting VPNs

Question

While troubleshooting, an engineer finds that the show crypto isakmp sa command indicates that the last state of the tunnel is MM_KEY_EXCH. What is the next step that should be taken to resolve this issue?

Options

  • A. Verify that the ISAKMP proposals match.
  • B. Ensure that UDP 500 is not being blocked between the devices.
  • C. Correct the peer's IP address on the crypto map.
  • D. Confirm that the pre-shared keys match on both devices.

Explanation

The MM_KEY_EXCH state in IKEv1 Main Mode indicates SA proposals and Diffie-Hellman exchange already succeeded, so the failure is at the authentication step - most commonly caused by mismatched pre-shared keys.

Common mistakes.

  • A. Mismatched ISAKMP proposals cause failure at the MM_SA_SETUP state, not MM_KEY_EXCH, because proposal negotiation occurs before the Diffie-Hellman exchange.
  • B. If UDP 500 were blocked between devices, no IKE packets would be exchanged and the SA would remain in MM_NO_STATE, never progressing to MM_KEY_EXCH.
  • C. An incorrect peer IP address would prevent IKE initiation entirely, so the SA would not progress to MM_KEY_EXCH.

Concept tested. IKEv1 Main Mode state machine troubleshooting

Reference. https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html
