Exam ANS-C00 topic 1 question 103 discussion

Exam question from Amazon's ANS-C00
Question #: 103
Topic #: 1

A network engineer deploys an application in a private subnet in a VPC that connects to many external video feed providers using RTMP over the internet. A NAT gateway has been deployed in a public subnet and is working as expected. From the Amazon EC2 instance, the application is able to connect to all feed providers except one, which hangs when connecting. Manually testing a connection from an Amazon EC2 instance in the public subnet to the problem feed indicates that the feed works as expected.
What is causing this issue?

  • A. The NAT gateway does not support fragmented packets.
  • B. The internet gateway only supports an MTU of 1500 bytes.
  • C. An Amazon EC2 instance expects to communicate with an MTU of 9001.
  • D. The security group on the instances does not allow PMTUD.
Suggested Answer: D

Comments

adrianlee2593
Highly Voted 3 years, 9 months ago
A. https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-troubleshooting.html
upvoted 19 times
arhelp
Most Recent 1 year, 5 months ago
If all video feeds work except one, then NAT gateway cannot be the problem. I'm sticking with D.
upvoted 1 times
clooudy
3 years, 2 months ago
Selected Answer: A
Answer: A. Excellent explanation by Smartphone below.
upvoted 1 times
jyrajan69
3 years, 6 months ago
A for sure. D cannot be the answer because the issue is only with one feed, and the packets generated are fragmented.
upvoted 2 times
Checho0205
3 years, 7 months ago
https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-troubleshooting.html "Problem: Some of your TCP connections from instances in a private subnet to a specific destination through a NAT gateway are successful, but some are failing or timing out. Causes: The cause of this problem might be one of the following: The destination endpoint is responding with fragmented TCP packets. NAT gateways do not support IP fragmentation for TCP or ICMP. For more information, see Compare NAT gateways and NAT instances."
upvoted 2 times
RenanMarques
3 years, 8 months ago
I had answered A, but D does seem to be correct. "If you don't explicitly configure this ICMP inbound rule for your Amazon VPC security group, PMTUD is blocked. In AWS, security groups are virtual firewalls that specify rules for inbound and outbound traffic to an instance."
upvoted 2 times
abc321
3 years, 8 months ago
A can't be correct, as the issue is only with one of the connections; all other connections are fine. Ans is D - the above explanation is correct.
upvoted 1 times
Smartphone
3 years, 8 months ago
A looks closer. Here is a reason: RTMP is a TCP-based protocol which maintains persistent connections and allows low-latency communication. To deliver streams smoothly and transmit as much information as possible, it splits streams into fragments, and their size is negotiated dynamically between the client and server. And NAT Gateway does not support fragmentation for the TCP and ICMP protocols. Fragmented packets for these protocols will get dropped.
upvoted 2 times
Smartphone
3 years, 8 months ago
A few more comments in support of option A: "Problem: Some of your TCP connections from instances in a private subnet to a specific destination through a NAT gateway are successful, but some are failing or timing out. Causes: The cause of this problem might be one of the following: The destination endpoint is responding with fragmented TCP packets. NAT gateways do not support IP fragmentation for TCP or ICMP. For more information, see Compare NAT gateways and NAT instances. The tcp_tw_recycle option is enabled on the remote server, which is known to cause issues when there are multiple connections from behind a NAT device." https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-troubleshooting.html
upvoted 2 times
sapien45
3 years, 4 months ago
Silver bullet argument here. A it is.
upvoted 1 times
Bobip
3 years ago
Thanks for the detailed explanation. But I don't understand if NAT gateway doesn't support the "fragmented packets" why "The program is able to connect to all feed providers except one" !? Why only issue with one out of a large number of external video feed providers?
upvoted 1 times
eeghai7thioyaiR4
3 years, 8 months ago
PMTUD is not really used with IPv4.
NAT does not support fragmented packets, because NAT transforms L4 information based on... L4 information. But when you do IP fragmentation, you split the whole IP packet into two. The first fragmented IP packet will contain the L4 headers, so that is OK. However, the second fragmented IP packet will contain no L4 headers: only an IP header (stating that it is a fragment) and a payload. NAT has no idea how to deal with that packet.
Ans: A
upvoted 2 times
RenanMarques
3 years, 8 months ago
https://docs.aws.amazon.com/pt_br/redshift/latest/mgmt/connecting-drop-issues.html "...When there is a difference in the MTU size in the network between two hosts, first make sure that your network settings don't block path MTU discovery (PMTUD). PMTUD enables the receiving host to respond to the originating host with the following ICMP message: Destination Unreachable: fragmentation needed and DF set (ICMP Type 3, Code 4)."
upvoted 2 times
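The two mechanisms this thread argues about, IP fragments whose later pieces carry no L4 header, and the ICMP "fragmentation needed and DF set" (type 3, code 4) message that PMTUD relies on, can be made concrete with a small packet classifier. The following Python is an added illustration written for this discussion; it is not code from the exam, from AWS, or from any commenter. The packets it parses are hand-built, the addresses and ports are constructed placeholders, and the `nat_gateway_drops` rule simply encodes the AWS troubleshooting statement quoted above (IP fragments for TCP or ICMP are dropped by a NAT gateway).

```python
import socket
import struct
from dataclasses import dataclass
from typing import Dict, Optional

IP_PROTO_ICMP = 1
IP_PROTO_TCP = 6


def build_ipv4(payload: bytes, proto: int, df: bool = False, mf: bool = False,
               frag_offset: int = 0, src: str = "10.0.1.10",
               dst: str = "203.0.113.5") -> bytes:
    """Prepend a minimal IPv4 header (no options, checksum left 0) to payload.
    Addresses are constructed placeholders, not real hosts."""
    flags = (int(df) << 1) | int(mf)                  # bit 1 = DF, bit 0 = MF
    flags_frag = (flags << 13) | (frag_offset // 8)   # offset is in 8-byte units
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         flags_frag, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def build_icmp_frag_needed(next_hop_mtu: int, original_packet: bytes) -> bytes:
    """ICMP Destination Unreachable, code 4 ("fragmentation needed and DF set").
    Layout per RFC 1191: type, code, checksum, unused, next-hop MTU, then the
    original IP header plus 8 bytes of its payload."""
    return struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + original_packet[:28]


@dataclass
class Verdict:
    proto: int
    df: bool
    mf: bool
    frag_offset: int
    is_fragment: bool
    has_l4_header: bool        # only the first fragment carries the TCP/ICMP header
    pmtud_msg: bool            # ICMP type 3 / code 4, the message PMTUD depends on
    next_hop_mtu: Optional[int]
    nat_gateway_drops: bool    # the rule quoted from the AWS troubleshooting doc


def classify(packet: bytes) -> Verdict:
    """Parse the IPv4 header and decide how the packet relates to the thread's arguments."""
    ver_ihl, _, _, _, flags_frag, _, proto, _, _, _ = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    df = bool(flags_frag & 0x4000)
    mf = bool(flags_frag & 0x2000)
    frag_offset = (flags_frag & 0x1FFF) * 8
    is_fragment = mf or frag_offset > 0
    # A non-first fragment has no L4 header, so a NAT device sees no ports to translate.
    has_l4_header = frag_offset == 0
    l4 = packet[ihl:]
    pmtud_msg, next_hop_mtu = False, None
    if proto == IP_PROTO_ICMP and not is_fragment and len(l4) >= 8:
        icmp_type, icmp_code, _, _, mtu = struct.unpack("!BBHHH", l4[:8])
        if icmp_type == 3 and icmp_code == 4:
            pmtud_msg, next_hop_mtu = True, mtu
    # AWS doc quoted in the thread: NAT gateways do not support IP fragmentation for TCP or ICMP.
    nat_gateway_drops = is_fragment and proto in (IP_PROTO_TCP, IP_PROTO_ICMP)
    return Verdict(proto, df, mf, frag_offset, is_fragment, has_l4_header,
                   pmtud_msg, next_hop_mtu, nat_gateway_drops)


# Constructed sample packets (not captured from any real feed provider).
# TCP header: sport 40000, dport 1935 (RTMP), seq 1, data offset 5, flags PSH|ACK.
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 1935, 1, 0, 0x50, 0x18, 65535, 0, 0)
SAMPLES: Dict[str, bytes] = {
    # Normal RTMP segment with DF set: passes a NAT gateway unchanged.
    "unfragmented_tcp_df": build_ipv4(TCP_HDR + b"x" * 100, IP_PROTO_TCP, df=True),
    # First fragment of a 1500-byte MTU split: carries the TCP header, MF set.
    "first_fragment_tcp": build_ipv4(TCP_HDR + b"x" * 1460, IP_PROTO_TCP, mf=True),
    # Second fragment: offset 1480, payload only, no TCP header at all.
    "second_fragment_tcp": build_ipv4(b"y" * 40, IP_PROTO_TCP, frag_offset=1480),
    # The PMTUD message a router sends back when DF is set and the path MTU is 1400.
    "icmp_frag_needed": build_ipv4(
        build_icmp_frag_needed(1400, build_ipv4(TCP_HDR, IP_PROTO_TCP, df=True)),
        IP_PROTO_ICMP),
}


def summarize() -> Dict[str, Verdict]:
    """Classify every sample; the result is what the test asserts on."""
    return {name: classify(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, v in summarize().items():
        print(f"{name:22s} fragment={v.is_fragment!s:5s} l4hdr={v.has_l4_header!s:5s} "
              f"pmtud={v.pmtud_msg!s:5s} mtu={v.next_hop_mtu} nat_drops={v.nat_gateway_drops}")
```

Run against raw packet bytes from a capture taken on the private-subnet instance, `classify` separates the two explanations the thread debates: a feed that answers with fragments (the second fragment shows `has_l4_header=False`, which is why a NAT device cannot translate it) versus a path that emits type 3 / code 4 messages, which a security group must allow inbound for PMTUD to work.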
Kentik
3 years, 8 months ago
Would go with A as well; NAT Gateway doesn't support fragmented packets.
upvoted 2 times
PeppaPig
3 years, 8 months ago
"Manually testing a connection from an Amazon EC2 instance in the public subnet to the problem feed indicates that the feed works as expected." Obviously it's no issue with either EC2 or IGW. Answer is A (NAT).
upvoted 3 times
Johnny_Green
3 years, 8 months ago
The fact that "Manually testing a connection from an Amazon EC2 instance in the public subnet to the problem feed indicates that the feed works as expected" indicates the issue is not with IGW. Therefore A is the answer.
upvoted 2 times
CloudyMcClouderson
3 years, 8 months ago
Can't be the security group. SGs are not applied to the NAT gateway, so the SG would be the same regardless of whether or not the NAT gateway was being used.
upvoted 1 times
OKMAN
3 years, 8 months ago
D https://docs.cloud.oracle.com/en-us/iaas/Content/Network/Troubleshoot/connectionhang.htm
upvoted 1 times
OKMAN
3 years, 8 months ago
After deep diving I changed my answer to A https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-troubleshooting.html
upvoted 3 times
queenmum
3 years, 9 months ago
A: From adrianlee2593's link: "Problem: Some of your TCP connections from instances in a private subnet to a specific destination through a NAT gateway are successful, but some are failing or timing out. Causes: The cause of this problem might be one of the following: The destination endpoint is responding with fragmented TCP packets. A NAT gateway currently does not support IP fragmentation for TCP or ICMP."
upvoted 4 times
AWS786
3 years, 9 months ago
Answer is D
upvoted 1 times
SilverT
3 years, 9 months ago
It's A. D is not correct: SG is stateful, therefore ICMP responses to outbound requests are allowed to flow in. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/network_mtu.html#path_mtu_discovery
upvoted 3 times
yijetef290
3 years, 9 months ago
D D D D D D D D D D D D.
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other