Download New Updated (Spring 2015) Cisco 300-209 Actual Tests 81-90


QUESTION 81

You are troubleshooting a site-to-site VPN issue where the tunnel is not establishing. After issuing the debug crypto isakmp command on the headend router, you see the following output. What does this output suggest?

1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0
1d00h: ISAKMP (0:1): no offers accepted!
1d00h: ISAKMP (0:1): SA not acceptable!
1d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 10.10.10.10

A. Phase 1 policy does not match on both sides.
B. The transform set does not match on both sides.
C. ISAKMP is not enabled on the remote peer.
D. There is a mismatch in the ACL that identifies interesting traffic.

Correct Answer: A

QUESTION 82

You are troubleshooting a site-to-site VPN issue where the tunnel is not establishing. After issuing the debug crypto ipsec command on the headend router, you see the following output. What does this output suggest?

1d00h: IPSec (validate_proposal): transform proposal (prot 3, trans 2, hmac_alg 2) not supported
1d00h: ISAKMP (0:2): atts not acceptable. Next payload is 0
1d00h: ISAKMP (0:2) SA not acceptable

A. Phase 1 policy does not match on both sides.
B. The Phase 2 transform set does not match on both sides.
C. ISAKMP is not enabled on the remote peer.
D. The crypto map is not applied on the remote peer.
E. The Phase 1 transform set does not match on both sides.

Correct Answer: B

QUESTION 83

Which adaptive security appliance command can be used to see a generic framework of the requirements for configuring a VPN tunnel between an adaptive security appliance and a Cisco IOS router at a remote office?

A. vpnsetup site-to-site steps
B. show running-config crypto
C. show vpn-sessiondb l2l
D. vpnsetup ssl-remote-access steps

Correct Answer: A

QUESTION 84

After completing a site-to-site VPN setup between two routers, application performance over the tunnel is slow. You issue the show crypto ipsec sa command and see the following output. What does this output suggest?

interface: Tunnel100
Crypto map tag: Tunnel100-head-0, local addr 10.10.10.10
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.20.20.20/255.255.255.255/47/0)
current_peer 209.165.200.230 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 34836, #pkts encrypt: 34836, #pkts digest: 34836
#pkts decaps: 26922, #pkts decrypt: 19211, #pkts verify: 19211
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

A. The VPN has established and is functioning normally.
B. There is an asymmetric routing issue.
C. The remote peer is not receiving encrypted traffic.
D. The remote peer is not able to decrypt traffic.
E. Packet corruption is occurring on the path between the two peers.

Correct Answer: E

QUESTION 85

Which Cisco adaptive security appliance command can be used to view the count of all active VPN sessions?

A. show vpn-sessiondb summary
B. show crypto ikev1 sa
C. show vpn-sessiondb ratio encryption
D. show iskamp sa detail
E. show crypto protocol statistics all

Correct Answer: A

QUESTION 86

Refer to the exhibit. An administrator had the above configuration working with SSL protocol, but as soon as the administrator specified IPsec as the primary protocol, the Cisco AnyConnect client was not able to connect. What is the problem?

[Exhibit: clip_image001, image not included]

A. IPsec will not work in conjunction with a group URL.
B. The Cisco AnyConnect implementation does not allow the two group URLs to be the same. SSL does allow this.
C. If you specify the primary protocol as IPsec, the User Group must be the exact name of the connection profile (tunnel group).
D. A new XML profile should be created instead of modifying the existing profile, so that the clients force the update.

Correct Answer: C

QUESTION 87

The Cisco AnyConnect client fails to connect via IKEv2 but works with SSL. The following error message is displayed:

“Login Denied, unauthorized connection mechanism, contact your administrator”

What is the most likely cause of this problem?

A. DAP is terminating the connection because IKEv2 is the protocol that is being used.
B. The client endpoint does not have the correct user profile to initiate an IKEv2 connection.
C. The AAA server that is being used does not authorize IKEv2 as the connection mechanism.
D. The administrator is restricting access to this specific user.
E. The IKEv2 protocol is not enabled in the group policy of the VPN headend.

Correct Answer: E

QUESTION 88

The Cisco AnyConnect client is unable to download an updated user profile from the ASA headend using IKEv2. What is the most likely cause of this problem?

A. User profile updates are not allowed with IKEv2.
B. IKEv2 is not enabled on the group policy.
C. A new profile must be created so that the adaptive security appliance can push it to the client on the next connection attempt.
D. Client Services is not enabled on the adaptive security appliance.

Correct Answer: D

QUESTION 89

Which two troubleshooting steps should be taken when Cisco AnyConnect cannot establish an IKEv2 connection, while SSL works fine? (Choose two.)

A. Verify that the primary protocol on the client machine is set to IPsec.
B. Verify that AnyConnect is enabled on the correct interface.
C. Verify that the IKEv2 protocol is enabled on the group policy.
D. Verify that ASDM and AnyConnect are not using the same port.
E. Verify that SSL and IKEv2 certificates are not referencing the same trustpoint.

Correct Answer: AC

QUESTION 90

Regarding licensing, which option will allow IKEv2 connections on the adaptive security appliance?

A. AnyConnect Essentials can be used for Cisco AnyConnect IKEv2 connections.
B. IKEv2 sessions are not licensed.
C. The Advanced Endpoint Assessment license must be installed to allow Cisco AnyConnect IKEv2 sessions.
D. Cisco AnyConnect Mobile must be installed to allow AnyConnect IKEv2 sessions.

Correct Answer: A

 
