350-401 Question #435: Real Exam Question with Answer & Explanation

Submitted by jian89 · Mar 6, 2026 · Security

Question

Refer to the exhibit. After configuring an IPsec VPN, an engineer enters the show command to verify the ISAKMP SA status. What does the status show?

Options

  • A. ISAKMP SA is authenticated and can be used for Quick Mode.
  • B. Peers have exchanged keys, but ISAKMP SA remains unauthenticated.
  • C. VPN peers agreed on parameters for the ISAKMP SA.
  • D. ISAKMP SA has been created, but it has not continued to form.

Explanation

IPsec VPN ISAKMP SA Status Explanation

Option A is correct because the status "QM_IDLE" (Quick Mode Idle) displayed in the show crypto isakmp sa output indicates that Phase 1 (IKE/ISAKMP) has fully completed: peers have mutually authenticated and established a secure, authenticated SA, and the tunnel is now ready and waiting to negotiate Phase 2 (Quick Mode/IPsec SA).

Option B is wrong because key exchange without authentication would show a status like MM_KEY_EXCH, not QM_IDLE. Authentication is already complete at QM_IDLE.

Option C is wrong because merely agreeing on parameters reflects an earlier Phase 1 state such as MM_NO_STATE or MM_SA_SETUP, not the final idle state.

Option D is wrong because a stalled or incomplete SA would typically show MM_NO_STATE or DELETE_ME, indicating the process stopped before completion.

💡 Memory Tip: Think of QM = "Quite Magnificent" - reaching QM_IDLE means Phase 1 is perfectly complete and you're ready for Phase 2 (Quick Mode). If you see "QM," Phase 1 is done and authenticated!

Topics

#IPsec VPN, #ISAKMP, #Security Association, #VPN Verification
