Exam 300-730 topic 1 question 82 discussion

show crypto isakmp sa This command shows the ISAKMP SA built between peers. dst src state conn-id slot 10.1.0.2 10.1.0.1 QM_IDLE 1 0 In theshow crypto isakmp sa output, the state must always be QM_IDLE. If the state is MM_KEY_EXCH, it means either the configured pre-shared key is not correct or the peer IP addresses are different. PIX(config)#show crypto isakmp sa Total : 2 Embryonic : 1 dst src state pending created 192.168.254.250 10.177.243.187 MM_KEY_EXCH 0 0 You can rectify this when you configure the correct IP address or pre-shared key.

"D" is the correct answer.

Why not C ? because the process went up to MM_KEY-EXCH which is the 4th-5th message exchange. In the 1st message the peers IP are checked

MM_KEY_EXCH* – Both peers exchange their DH keys and are generating their secret keys. (This state could also mean there is a mis-matched authentication type or PSK, if it does not proceed to the next step)

D is the most correct answer

https://ccie-or-null.net/tag/cisco-vpn-troubleshooting/ https://www.networkworld.com/article/2288666/chapter-4--common-ipsec-vpn-issues.html

as Kyle1776 said that MM_Key_Exch message would means either psk or peer wrong, but as the output of the show crypto isakmp sa would show you the local and remote peer IP, so the next step would be checking the peer IP is correct, so the answer is C

If it's stuck at MM_Key_Exch and without any additional information, I would chose D.

Well according to Cisco its both C and D the pre-shared key is wrong of the peer is wrong would result in the MM_Key_Exch message In the show crypto isakmp sa output, the state should always be QM_IDLE. If the state is MM_KEY_EXCH, it means either the configured pre-shared key is not correct or the peer IP addresses are different. https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html

I go with D