
Exam 300-730 topic 1 question 131 discussion

Actual exam question from Cisco's 300-730
Question #: 131
Topic #: 1

An engineer has successfully established a Phase 1 and Phase 2 tunnel between two sites. Site A has internal subnet 192.168.0.0/24 and Site B has internal subnet 10.0.0.0/24. The engineer notices that no packets are decrypted at Site B. Pings to 192.168.0.1 from internal Site B devices make it to the Site B router, and the Site A router has incrementing encrypt and decrypt counters. What must be done to ensure bidirectional communication between both sites?

  • A. Modify the routing at Site B so that traffic is sent to Site A.
  • B. Configure the correct DH group on both devices.
  • C. Allow protocol ESP or AH on the firewall in front of the Site B router.
  • D. Enable PFS on the headend device.
Suggested Answer: C

Comments

kylesam2017
10 months, 1 week ago
If the Phase 1 and Phase 2 tunnels have been successfully established between Site A and Site B, and pings from internal devices at Site B reach the Site B router but are not decrypted, the issue might be related to the firewall in front of the Site B router. In this case, to ensure bidirectional communication between the two sites, you need to allow the encapsulating security payload (ESP) protocol through the firewall. Therefore, the correct action would be to "Allow protocol ESP on the firewall in front of the Site B router." ESP (Encapsulating Security Payload) is a protocol used in IPsec to provide encryption, integrity, and authentication of packets. If ESP traffic is blocked by the firewall, it can prevent the successful decryption of packets arriving at Site B. AH (Authentication Header) is another IPsec protocol, but it does not provide encryption and is less commonly used. In a typical IPsec configuration, ESP is used for encryption and authentication, so allowing ESP is usually the correct step to ensure the bidirectional communication is successful.
upvoted 3 times
Rosh8787
10 months, 1 week ago
C is the correct answer.
upvoted 2 times
anu_enlil
1 year, 6 months ago
Why is the answer C? It says "successfully established a Phase 1 and Phase 2 tunnel between two sites". Doesn't that mean ESP or AH is already allowed?
upvoted 2 times
Veliion
1 year, 5 months ago
A is incorrect: Site A is receiving packets, as its decrypt counter is increasing.
B is incorrect: both Phase 1 and Phase 2 tunnels are successful, meaning DH matches.
C is correct: IKE uses UDP/500 to communicate in both Phase 1 and Phase 2. After Phase 2 is completed, IPsec uses those keys for either ESP or AH. Site A is sending, so it has a route. That means Site B must be blocking protocol 50 or 51.
D is incorrect: PFS is optional. If it did not match, the Phase 2 tunnel would not appear.
upvoted 2 times
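The reasoning in this thread, turned into a small check that is an added example and not part of the thread or any vendor tool: it models the two sites' SA state, routes and encrypt/decrypt counters, plus a first-match firewall policy in front of Site B, and reports which of the four options the evidence points at. Site names, counter fields, the rule format and all values are constructed for illustration.

```python
# Added example (not from the thread): encode the troubleshooting logic above.
from dataclasses import dataclass

# IKE negotiates over UDP/500 (UDP/4500 with NAT-T); the data plane uses IP
# protocol 50 (ESP) or 51 (AH), which a firewall must permit separately.
PROTO = {"udp": 17, "esp": 50, "ah": 51}

@dataclass
class SiteState:
    name: str
    ike_sa_up: bool            # Phase 1 established
    ipsec_sa_up: bool          # Phase 2 established
    route_to_peer_lan: bool    # route for the remote subnet points at the tunnel
    encrypt_pkts: int          # packets encapsulated/encrypted by this router
    decrypt_pkts: int          # packets decapsulated/decrypted by this router

def firewall_permits(rules, proto, dport=None):
    """rules: list of (action, ip_protocol_number, dport_or_None).
    First match wins; anything unmatched is implicitly denied."""
    for action, r_proto, r_port in rules:
        if r_proto == proto and (r_port is None or r_port == dport):
            return action == "permit"
    return False

def diagnose(a, b, fw_before_b):
    """Likely cause when A encrypts and decrypts but B never decrypts."""
    if not (a.ike_sa_up and b.ike_sa_up and a.ipsec_sa_up and b.ipsec_sa_up):
        return "negotiation"            # DH/PFS/proposal mismatch (options B, D)
    if b.encrypt_pkts == 0 and not b.route_to_peer_lan:
        return "routing at " + b.name   # B never sends anything (option A)
    if a.decrypt_pkts > 0 and a.encrypt_pkts > 0 and b.decrypt_pkts == 0:
        ike_ok = firewall_permits(fw_before_b, PROTO["udp"], 500)
        data_ok = (firewall_permits(fw_before_b, PROTO["esp"])
                   or firewall_permits(fw_before_b, PROTO["ah"]))
        if ike_ok and not data_ok:      # SAs formed, data-plane protocol dropped
            return "firewall blocks ESP/AH before " + b.name   # option C
    return "no fault found by these checks"

# Constructed scenario matching the question: SAs up both ways, A's counters
# moving, B decrypting nothing, and the firewall in front of B passing only IKE.
SITE_A = SiteState("A", True, True, True, 120, 118)
SITE_B = SiteState("B", True, True, True, 118, 0)
FW_B_BROKEN = [("permit", 17, 500), ("permit", 17, 4500)]   # ESP/AH hit implicit deny
FW_B_FIXED = FW_B_BROKEN + [("permit", 50, None), ("permit", 51, None)]

if __name__ == "__main__":
    print(diagnose(SITE_A, SITE_B, FW_B_BROKEN))   # firewall blocks ESP/AH before B
    print(diagnose(SITE_A, SITE_B, FW_B_FIXED))    # no fault found by these checks
```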
red_sparrow_Gr
1 year, 9 months ago
Not sure. The decrypted packets counter not increasing on one side might be a routing issue.
upvoted 1 times
red_sparrow_Gr
1 year, 8 months ago
Neglect my comment. Site B has routing in place, so packets reach Site A, and thus the decrypt counter increases there.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other