Exam Professional Cloud Network Engineer topic 1 question 184 discussion

Actual exam question from Google's Professional Cloud Network Engineer
Question #: 184
Topic #: 1

You are attempting to establish a HA VPN to your on-premises network; however, the VPN connection is not establishing successfully. You have full administrative control over the Google Cloud networking environment and the on-premises firewalls that are acting as the VPN devices. The Google Cloud console shows "Negotiation failure" and "BGP is down". You check Cloud Logging by using a query for resource.type="vpn_gateway" and resource.labels.gateway_id="TUNNEL_ID_NUMBER". Logs Explorer shows frequent log entries:

log name: "…/logs/cloud.googleapis.com%2Fipsec_events"
type: "vpn_gateway"
textPayload: "received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built"

You need to troubleshoot the VPN failure and take corrective action based on the Cloud Logging entries. What should you do?

  • A. Update the Google Cloud BGP session configuration to match the BGP peer ASN on the on-premises side.
  • B. Compare and review the Phase 2 settings on the on-premises firewall. Make sure the settings match one of the supported cipher suites for HA VPN.
  • C. Create a new Cloud VPN gateway in a region closer to the peer VPN gateway.
  • D. Compare the Phase 1 settings and recreate the Cloud VPN tunnel by choosing a different IKE version and pre-shared key.
Suggested Answer: B

Comments

n2183712847
1 month, 2 weeks ago
Selected Answer: B
The log entry clearly points to a Phase 2 negotiation failure, and the corrective action is to review and match the Phase 2 settings on both ends.
upvoted 1 times
b0b25
3 months, 3 weeks ago
Selected Answer: B
The error "received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built" in the context of VPNs and IPsec typically indicates a mismatch in the configuration between the two endpoints during the negotiation of Phase 1 or Phase 2 of the IPsec tunnel. This error is common in scenarios involving IKEv1 or IKEv2 protocols and points to incompatible proposals for encryption, authentication, or other parameters.
upvoted 3 times
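
An added example, not part of the original question or comments: a simplified model of IKEv2 Phase 2 (CHILD_SA) proposal matching, showing how one non-overlapping transform type is enough to produce NO_PROPOSAL_CHOSEN and how to list the blocking types when comparing both ends. The proposal lists, algorithm labels and function names are constructed for illustration and are not Google's published HA VPN cipher list.

```python
# Constructed sample proposals (illustrative labels, not a vendor's real list).
# Each proposal maps a transform type to the algorithms acceptable for it.
# An AEAD proposal carries no separate INTEG transform.
CLOUD_OFFERS = [
    {"ENCR": ["AES-GCM-16-256", "AES-GCM-16-128"], "DH": ["MODP-2048", "ECP-256"]},
    {"ENCR": ["AES-CBC-256", "AES-CBC-128"],
     "INTEG": ["HMAC-SHA2-256-128", "HMAC-SHA1-96"],
     "DH": ["MODP-2048", "ECP-256"]},
]
# On-premises Phase 2 policy before and after correction (both constructed).
ONPREM_BROKEN = [{"ENCR": ["AES-CBC-256"], "INTEG": ["HMAC-SHA1-96"], "DH": ["MODP-1024"]}]
ONPREM_FIXED = [{"ENCR": ["AES-CBC-256"], "INTEG": ["HMAC-SHA2-256-128"], "DH": ["MODP-2048"]}]


def gaps(offer, policy):
    """Transform types on which an offer and a policy share no algorithm."""
    types = sorted(set(offer) | set(policy))
    return [t for t in types
            if not set(offer.get(t, [])) & set(policy.get(t, []))]


def negotiate(offers, policies):
    """Return the agreed suite, or None (responder answers NO_PROPOSAL_CHOSEN)."""
    for offer in offers:
        for policy in policies:
            if not gaps(offer, policy):
                # Pick the initiator's first algorithm the responder also accepts.
                return {t: next(a for a in algs if a in policy[t])
                        for t, algs in offer.items()}
    return None


def diagnose(offers, policies):
    """For every offer/policy pair, the transform types that block agreement."""
    return [(i, j, gaps(o, p))
            for i, o in enumerate(offers) for j, p in enumerate(policies)]


if __name__ == "__main__":
    print("broken:", negotiate(CLOUD_OFFERS, ONPREM_BROKEN))
    for i, j, missing in diagnose(CLOUD_OFFERS, ONPREM_BROKEN):
        print(f"  offer {i} vs policy {j}: no overlap on {missing}")
    print("fixed: ", negotiate(CLOUD_OFFERS, ONPREM_FIXED))
```

In the broken case the second offer agrees on encryption and integrity and fails only on the DH (PFS) group, which is still enough for the whole CHILD_SA proposal to be rejected.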