300-730 Question #92: Real Exam Question with Answer & Explanation
The correct answer is B: <HostEntry><HostName>RAVPN</HostName><HostAddress>209.165.202.225</HostAddress><PrimaryProtocol>IPsec<StandardAuthenticationOnly>false</StandardAuthenticationOnly></PrimaryProtocol></HostEntry>. Because the ISP blocks TCP 443 used by SSL/TLS AnyConnect, the XML profile must explicitly specify IPsec as the primary protocol and reference the correct ASA outside IP address.
Question
Options
- A. <HostEntry><HostName>RAVPN</HostName><HostAddress>209.165.202.129</HostAddress><PrimaryProtocol>IPsec<StandardAuthenticationOnly>false</StandardAuthenticationOnly></PrimaryProtocol></HostEntry>
- B. <HostEntry><HostName>RAVPN</HostName><HostAddress>209.165.202.225</HostAddress><PrimaryProtocol>IPsec<StandardAuthenticationOnly>false</StandardAuthenticationOnly></PrimaryProtocol></HostEntry>
- C. <HostEntry><HostName>RAVPN</HostName><HostAddress>209.165.202.129</HostAddress></HostEntry>
- D. <HostEntry><HostName>RAVPN</HostName><HostAddress>209.165.202.225</HostAddress></HostEntry>
Explanation
Because the ISP blocks TCP 443 used by SSL/TLS AnyConnect, the XML profile must explicitly specify IPsec as the primary protocol and reference the correct ASA outside IP address.
Common mistakes.
- A. Although the IPsec protocol is correctly specified, 209.165.202.129 is not the outside interface address of the ASA shown in the exhibit, so the client would fail to reach the correct headend.
- C. This entry omits the PrimaryProtocol element, causing AnyConnect to default to SSL/TLS on TCP 443, which the ISP blocks, and it also references the wrong IP address.
- D. This entry also omits the PrimaryProtocol element and defaults to SSL/TLS on TCP 443, which the ISP is blocking, preventing the VPN connection from being established.
Concept tested. AnyConnect XML IPsec protocol selection to bypass SSL port block