350-401 · Question #435
Refer to the exhibit. After configurating an IPsec VPN, an engineer enters the show command to verify the ISAKMP SA status. What does the status show?
The correct answer is A. ISAKMP SA is authenticated and can be used for Quick Mode.. IPsec VPN ISAKMP SA Status Explanation Option A is correct because the status "QM_IDLE" (Quick Mode Idle) displayed in the show crypto isakmp sa output indicates that Phase 1 (IKE/ISAKMP) has fully completed - peers have mutually authenticated and established a secure, authentica
Question
Exhibits
Options
- AISAKMP SA is authenticated and can be used for Quick Mode.
- BPeers have exchanged keys, but ISAKMP SA remains unauthenticated.
- CVPN peers agreed on parameters for the ISAKMP SA
- DISAKMP SA has been created, but it has not continued to form.
How the community answered
(30 responses)- A87% (26)
- B3% (1)
- C3% (1)
- D7% (2)
Explanation
IPsec VPN ISAKMP SA Status Explanation
Option A is correct because the status "QM_IDLE" (Quick Mode Idle) displayed in the show crypto isakmp sa output indicates that Phase 1 (IKE/ISAKMP) has fully completed - peers have mutually authenticated and established a secure, authenticated SA - and the tunnel is now ready and waiting to negotiate Phase 2 (Quick Mode/IPsec SA). Option B is wrong because key exchange without authentication would show a status like MM_KEY_EXCH, not QM_IDLE - authentication is already complete at QM_IDLE. Option C is wrong because merely agreeing on parameters reflects an earlier Phase 1 state such as MM_NO_STATE or MM_SA_SETUP, not the final idle state. Option D is wrong because a stalled or incomplete SA would typically show MM_NO_STATE or DELETE_ME, indicating the process stopped before completion.
Memory Tip: Think of QM = "Quite Magnificent" - reaching QM_IDLE means Phase 1 is perfectly complete and you're ready for Phase 2 (Quick Mode). If you see "QM," Phase 1 is done and authenticated!
Topics
Community Discussion
No community discussion yet for this question.

