Question
You configured site-to-site VPNs on your two Cisco ASA appliances. However, the IKE SA is not being established between the peers. Which two options could be the causes? (Choose two.)
- You did not specify the same DH group on both peers.
- You did not specify the same PSK on both peers.
- You did not specify matching transform sets on the peers.
- You did not specify the traffic to be protected by the VPN.
Solution
The two options that could be causing the IKE SA not to be established between the peers are:
- You did not specify the same DH group on both peers.
- You did not specify the same PSK on both peers.
Here's why:
- The Diffie-Hellman (DH) group is part of the IKE (phase 1) policy, together with the encryption algorithm, hash, authentication method and lifetime (on the ASA, the group command under crypto ikev1 policy or crypto ikev2 policy). At least one policy on each peer must agree on these attributes, otherwise the proposal exchange fails before any keys are derived. The DH group fixes the parameters of the exchange that lets both peers compute a shared secret without ever sending it over the network.
- The pre-shared key (PSK) must also be identical on both peers (on the ASA it is set under tunnel-group <peer-address> ipsec-attributes). The PSK is what the peers use to authenticate each other; if the keys differ, authentication fails and the IKE SA is never completed.
- Matching transform sets are required for the IPsec (phase 2) SA, not for the IKE SA. Transform sets are negotiated only after the IKE SA exists, so a transform-set mismatch leaves the IKE SA up while no IPsec SA forms.
- Specifying the traffic to be protected by the VPN (the crypto ACL referenced by the crypto map) likewise concerns the IPsec SA: it defines what gets encrypted and the identities proposed in phase 2. The IKE SA only secures the negotiation of the IPsec SA, which is what actually protects the traffic.
A quick way to tell the two stages apart on the ASA is to compare show crypto ikev1 sa (or show crypto ikev2 sa) with show crypto ipsec sa: an IKE policy or PSK problem leaves the IKE SA missing or stuck before MM_ACTIVE, whereas a transform-set or crypto ACL problem shows an active IKE SA and no IPsec SA. debug crypto ikev1 127 prints the proposal comparison and any authentication failure.
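The distinction drawn above, as an added example that is not part of the original page or Cisco's own tooling: a small Python checker that parses the relevant lines of two constructed ASA IKEv1 configurations, applies the two phase 1 checks (a crypto ikev1 policy that agrees on encryption, hash, authentication and DH group, and an identical PSK) and reports a transform-set mismatch separately because that only blocks the IPsec SA. The peer addresses, key strings, policy numbers and transform-set names are constructed; the parser handles only the command forms shown and assumes IKEv1.

```python
"""Diagnose a failed IKEv1 SA between two Cisco ASA site-to-site peers.

Added example, not from the original page or from Cisco. It parses two
constructed ASA configs and applies the checks that gate the IKE (phase 1)
SA, then reports a transform-set mismatch separately because that only
blocks the IPsec (phase 2) SA. Addresses, keys and names are constructed.
"""
import re

PHASE1_FIELDS = ("encryption", "hash", "authentication", "group")  # lifetime is not compared


def parse_asa(config: str, peer_ip: str) -> dict:
    """Extract crypto ikev1 policies, the PSK under tunnel-group <peer_ip>, and
    the ikev1 transform sets from an ASA config (only these command forms)."""
    policies, transform_sets, psk = {}, {}, None
    current = None      # sequence number of the policy whose indented lines follow
    in_peer_tg = False  # inside 'tunnel-group <peer_ip> ipsec-attributes'
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            current, in_peer_tg = None, False  # any top-level command ends the block
            if m := re.match(r"crypto ikev1 policy (\d+)$", line):
                current = int(m.group(1))
                policies[current] = {}
            elif m := re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)$", line):
                transform_sets[m.group(1)] = tuple(m.group(2).split())
            elif m := re.match(r"tunnel-group (\S+) ipsec-attributes$", line):
                in_peer_tg = m.group(1) == peer_ip
            continue
        if current is not None:
            key, _, value = line.partition(" ")
            if key in PHASE1_FIELDS or key == "lifetime":
                policies[current][key] = value
        elif in_peer_tg and (m := re.match(r"ikev1 pre-shared-key (\S+)$", line)):
            psk = m.group(1)
    return {"policies": policies, "psk": psk, "transform_sets": transform_sets}


def phase1_match(local: dict, remote: dict):
    """First (local_seq, remote_seq) whose policies agree on every PHASE1_FIELD,
    walking proposals in sequence order as the responder does; None if no pair matches."""
    for lseq in sorted(local):
        for rseq in sorted(remote):
            if all(local[lseq].get(f) == remote[rseq].get(f) for f in PHASE1_FIELDS):
                return lseq, rseq
    return None


def diagnose(cfg_a: str, ip_a: str, cfg_b: str, ip_b: str) -> list:
    """Findings prefixed 'IKE SA:' prevent phase 1; 'IPsec SA:' ones prevent only phase 2."""
    a = parse_asa(cfg_a, ip_b)  # A's key for peer B lives under tunnel-group <ip_b>
    b = parse_asa(cfg_b, ip_a)
    findings = []
    if phase1_match(a["policies"], b["policies"]) is None:
        findings.append("IKE SA: no crypto ikev1 policy agrees on encryption/hash/authentication/group")
    if a["psk"] is None or a["psk"] != b["psk"]:
        findings.append("IKE SA: pre-shared keys differ or are missing")
    if not set(a["transform_sets"].values()) & set(b["transform_sets"].values()):
        findings.append("IPsec SA: no common transform set (IKE SA still forms)")
    return findings


PEER_A, PEER_B = "203.0.113.1", "203.0.113.2"  # constructed, documentation range

# Constructed config of peer A (only the lines the checker cares about).
ASA_A = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address L2L-ACL
crypto map outside_map 10 set ikev1 transform-set ESP-AES256-SHA
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key S3cr3t-A
"""

# Peer B mis-configured: DH group 5 and a different key, so phase 1 cannot complete.
ASA_B_BROKEN = (ASA_A.replace(" group 2", " group 5")
                .replace("S3cr3t-A", "S3cr3t-B")
                .replace("203.0.113.2", PEER_A))

# Peer B with phase 1 correct but a different transform set: IKE SA up, no IPsec SA.
ASA_B_PHASE2_ONLY = ASA_A.replace("203.0.113.2", PEER_A).replace("esp-aes-256", "esp-aes")

if __name__ == "__main__":
    for label, cfg in (("broken", ASA_B_BROKEN), ("phase2-only", ASA_B_PHASE2_ONLY)):
        print(label, diagnose(ASA_A, PEER_A, cfg, PEER_B))
```

Running the script prints two "IKE SA" findings for the broken peer and a single "IPsec SA" finding for the phase-2-only peer, which is exactly the split the question relies on: only the DH group and the PSK stop the IKE SA itself.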
Similar Questions
You configured a site-to-site VPN on your Cisco Firepower NGFW, but the CLI output does not show any IKE SA being established. What would you do as the first troubleshooting step?
- Verify if IPsec proposal matches on both peers.
- Check if interesting traffic is reaching the crypto engine using Packet Capture.
- Check if interesting traffic is reaching the crypto engine using Packet Tracer.
- Check if interesting traffic is reaching the crypto engine by examining connection events.
Which Cisco VPN solution requires use of IKEv2?
Which option about IPsec VPNs on the Cisco FMC is correct?
- supports asymmetric authentication with IKEv2
- uses a concept of a VPN topology to configure all required IPsec components on managed devices
- uses a concept of tunnel groups for VPN configuration
- uses the Cisco ASA appliance engine
Which two statements regarding management options of VPNs are correct? (Choose two.)
- You can manage VPNs on the Cisco ASA appliance using CLI.
- You can manage VPNs on the Cisco ASA appliance using FDM.
- You can manage VPNs on Cisco Firepower NGFW using CLI.
- You can manage VPNs on Cisco Firepower NGFW using Cisco FMC.
- You can manage VPNs on Cisco Firepower NGFW using Cisco ASDM.
- You can manage VPNs on the Cisco ASA appliance using Cisco FMC.
Which two options does SSL VPN on the Cisco ASA appliance use to authenticate an SSL VPN server to clients? (Choose two.)