Practice 300-410 IPsec Site-to-Site VPN questions with full explanations on every answer.
1. A network engineer is troubleshooting an IPsec site-to-site VPN between two routers. The tunnel interface is up/up, but traffic from the local LAN to the remote LAN is not passing. The engineer checks the crypto map and sees it is applied to the outside interface. What is the most likely cause of the traffic failure?
2. A network engineer is troubleshooting an IPsec site-to-site VPN where the tunnel is not coming up. The engineer runs 'show crypto isakmp sa' and sees no active IKE SAs. The peer IP address is correctly configured. What should the engineer check first?
3. A network engineer is troubleshooting an IPsec site-to-site VPN between two Cisco routers. The tunnel is up, but traffic intermittently drops. The engineer notices that the 'show crypto ipsec sa' output shows the packet counters incrementing for both encrypt and decrypt, but the 'pkts encaps failed' counter is also increasing. What is the most likely cause?
4. A network engineer is troubleshooting an IPsec site-to-site VPN where the tunnel is up but traffic from the remote LAN to the local LAN is not working. The engineer pings from the remote router to the local LAN IP and it succeeds. However, pings from a host on the remote LAN to a host on the local LAN fail. What is the most likely cause?
5. A network engineer is troubleshooting an IPsec site-to-site VPN that uses a GRE tunnel over IPsec. The GRE tunnel is up/up, but the routing protocol (EIGRP) running over the GRE tunnel is not forming an adjacency. The engineer checks the tunnel configuration and sees that the tunnel source and destination are correct. What is the most likely cause?
6. A network engineer is troubleshooting an IPsec site-to-site VPN where the tunnel is up, but the engineer notices that the 'show crypto ipsec sa' output shows that the number of packets encrypted is much higher than the number of packets decrypted on the remote side. What is the most likely cause?
7. A network engineer is troubleshooting an IPsec site-to-site VPN that stopped working after a recent configuration change. The engineer runs 'show crypto isakmp sa' and sees an active IKE SA, but 'show crypto ipsec sa' shows no IPsec SAs. What is the most likely cause?
8. A network engineer is troubleshooting an IPsec site-to-site VPN where the tunnel is up and traffic is flowing, but the engineer notices that the 'show crypto ipsec sa' output shows the 'pkts encaps failed' counter incrementing slowly over time. The tunnel remains up. What is the most likely cause?
9. A network engineer is troubleshooting an IPsec site-to-site VPN that uses a GRE tunnel. The GRE tunnel is up/up, and EIGRP is forming an adjacency over it. However, traffic from the local LAN to the remote LAN is not working. The engineer pings the remote LAN IP from the local router and it succeeds. What is the most likely cause?
10. A network engineer runs the following command on Router R1:

    R1# show crypto isakmp sa
    dst             src             state          conn-id slot status
    10.1.1.2        10.1.1.1        MM_NO_STATE    1       0    ACTIVE

    Based on this output, what is the problem?

11. A network engineer runs the following command on Router R1:

    R1# show crypto ipsec sa
    interface: Tunnel0
        Crypto map tag: VPN-MAP, local addr 10.1.1.1
       protected vrf: (none)
       local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
       current_peer 10.1.1.2 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #send errors 0, #recv errors 0

    Based on this output, what is the problem?

12. A network engineer runs the following command on Router R1:

    R1# show crypto isakmp sa
    dst             src             state          conn-id slot status
    10.1.1.2        10.1.1.1        QM_IDLE        1       0    ACTIVE

    Based on this output, which statement is correct?

13. A network engineer runs the following command on Router R1:

    R1# show crypto ipsec sa peer 10.1.1.2
    interface: Tunnel0
        Crypto map tag: VPN-MAP, local addr 10.1.1.1
       protected vrf: (none)
       local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
       current_peer 10.1.1.2 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #send errors 0, #recv errors 0

    Based on this output, what is the problem?

14. A network engineer runs the following command on Router R1:

    R1# show crypto isakmp policy
    Global IKE policy
    Protection suite of priority 10
            encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
            hash algorithm:         Secure Hash Standard 2 (SHA256)
            authentication method:  Pre-Shared Key
            Diffie-Hellman group:   #14 (2048 bit)
            lifetime:               86400 seconds, no volume limit
    Protection suite of priority 20
            encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
            hash algorithm:         Secure Hash Standard 2 (SHA256)
            authentication method:  Pre-Shared Key
            Diffie-Hellman group:   #14 (2048 bit)
            lifetime:               86400 seconds, no volume limit

    Based on this output, which statement is correct?

15. A network engineer runs the following command on Router R1:

    R1# show crypto ipsec transform-set
    Transform set ESP-AES256-SHA: { esp-256-aes esp-sha256-hmac }
       will negotiate = { Tunnel, },
    Transform set ESP-AES128-SHA: { esp-aes esp-sha256-hmac }
       will negotiate = { Tunnel, },

    Based on this output, which statement is correct?

16. A network engineer runs the following command on Router R1:

    R1# show crypto map
    Crypto Map "VPN-MAP" 10 ipsec-isakmp
            Peer = 10.1.1.2
            Extended IP access list 100
                access-list 100 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
            Current peer: 10.1.1.2
            Security association lifetime: 4608000 kilobytes/3600 seconds
            PFS (Y/N): N
            Transform sets={ESP-AES256-SHA,}
            Interfaces using crypto map VPN-MAP:
                    Tunnel0

    Based on this output, which statement is correct?

17. A network engineer runs the following command on Router R1:

    R1# show crypto ipsec sa | include pkts
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    Based on this output, what is the problem?

18. A network engineer runs the following command on Router R1:

    R1# show crypto isakmp sa detail
    Codes: C - IKEv1, I - IKEv2
    C-id  Local           Remote          I-VRF  Status  Encr  Hash  Auth  DH  Lifetime  Cap
    1     10.1.1.1        10.1.1.2               ACTIVE  aes   sha   psk   14  23:59:59

    Based on this output, which statement is correct?

19. Given the following partial configuration on router R1:

    crypto isakmp policy 10
     encryption aes 256
     authentication pre-share
     group 14
     lifetime 86400
    !
    crypto isakmp key cisco123 address 192.168.1.2
    !
    crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
     mode tunnel
    !
    crypto map CMAP 10 ipsec-isakmp
     set peer 192.168.1.2
     set transform-set TSET
     match address 101
    !
    interface GigabitEthernet0/1
     ip address 192.168.1.1 255.255.255.0
     crypto map CMAP
    !
    access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

    What is the effect of this configuration?

20. Consider the following configuration on router R2:

    crypto isakmp policy 10
     encryption aes 256
     authentication pre-share
     group 14
     lifetime 3600
    !
    crypto isakmp key secretkey address 192.168.1.1
    !
    crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
     mode tunnel
    !
    crypto map CMAP 10 ipsec-isakmp
     set peer 192.168.1.1
     set transform-set TSET
     match address 101
    !
    interface GigabitEthernet0/1
     ip address 192.168.1.2 255.255.255.0
     crypto map CMAP
    !
    access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

    Which statement is true?

21. Given the partial configuration:

    crypto isakmp policy 10
     encryption aes 256
     authentication pre-share
     group 14
    !
    crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
    !
    crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
     mode tunnel
    !
    crypto map CMAP 10 ipsec-isakmp
     set peer 192.168.1.2
     set transform-set TSET
     match address 101
    !
    interface GigabitEthernet0/1
     ip address 192.168.1.1 255.255.255.0
     crypto map CMAP
    !
    access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

    What is the effect of the 'crypto isakmp key' command with address 0.0.0.0 0.0.0.0?

22. Examine this configuration on router R1:

    crypto isakmp policy 10
     encryption aes 256
     authentication pre-share
     group 14
     lifetime 86400
    !
    crypto isakmp key cisco123 address 192.168.1.2
    !
    crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
     mode tunnel
    !
    crypto map CMAP 10 ipsec-isakmp
     set peer 192.168.1.2
     set transform-set TSET
     match address 101
    !
    interface GigabitEthernet0/1
     ip address 192.168.1.1 255.255.255.0
     crypto map CMAP
    !
    access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

    What is missing from this configuration to ensure the tunnel works correctly?

23. Given this configuration on router R1:

    crypto isakmp policy 10
     encryption aes 256
     authentication pre-share
     group 14
     lifetime 86400
    !
    crypto isakmp key cisco123 address 192.168.1.2
    !
    crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
     mode tunnel
    !
    crypto map CMAP 10 ipsec-isakmp
     set peer 192.168.1.2
     set transform-set TSET
     match address 101
    !
    interface GigabitEthernet0/1
     ip address 192.168.1.1 255.255.255.0
    !
    access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

    What will happen when traffic from 10.1.1.0/24 to 10.2.2.0/24 is generated?

24. Consider the following configuration on router R1:

    crypto isakmp policy 10
     encryption aes 256
     authentication pre-share
     group 14
     lifetime 86400
    !
    crypto isakmp key cisco123 address 192.168.1.2
    !
    crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
     mode tunnel
    !
    crypto map CMAP 10 ipsec-isakmp
     set peer 192.168.1.2
     set transform-set TSET
     match address 101
    !
    interface GigabitEthernet0/1
     ip address 192.168.1.1 255.255.255.0
     crypto map CMAP
    !
    access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

    If the remote peer has an ISAKMP policy with encryption 3des, what will happen?
25. In IPsec site-to-site VPN, what is the default lifetime for ISAKMP (IKE phase 1) security associations on Cisco IOS routers?
26. Which Diffie-Hellman group is considered the minimum recommended for secure IPsec site-to-site VPNs according to current best practices?
27. In IPsec site-to-site VPN, what is the purpose of the 'match address' command under a crypto map?
28. Which TWO commands would a network engineer use to verify the status of IPsec security associations on a Cisco IOS router? (Choose TWO.)
29. Which TWO statements about IPsec site-to-site VPN configuration using IKEv1 are true? (Choose TWO.)
30. Which TWO configuration steps are required to enable IPsec site-to-site VPN with IKEv2 on a Cisco router? (Choose TWO.)
31. Which THREE symptoms indicate a potential IPsec site-to-site VPN failure due to mismatched IKE parameters? (Choose THREE.)
32. Which THREE statements about IPsec transform sets are true? (Choose THREE.)
33. A large enterprise is using a DMVPN Phase 2 hub-and-spoke topology with IPsec protection. Spoke routers R3 and R4 are both behind NAT. The hub R1 has a tunnel interface with IPsec profile and mGRE. Spoke-to-spoke dynamic tunnels do not form. R3 can ping R4's tunnel IP via the hub, but R3's 'show dmvpn detail' shows no NHRP redirect or shortcut. R4's 'show crypto ipsec sa' shows no inbound/outbound SA for the R3-to-R4 traffic. What is the root cause?
34. R1 and R2 are connected via a point-to-point serial link running OSPF. R1 has an IPsec tunnel protecting traffic between loopback0 (10.1.1.1/32) and R2's loopback0 (10.2.2.2/32). The crypto map is applied to the physical serial interface. OSPF adjacencies form, but routes are not installed correctly. R1's 'show ip route ospf' shows a route to 10.2.2.2/32 via the serial interface, not the tunnel. What is the root cause?
35. R1 and R2 are running EIGRP with IPsec site-to-site VPN over a WAN link. The tunnel interface is used for the VPN. R1's EIGRP configuration includes a distribute-list out that filters prefix 192.168.1.0/24. R2's 'show ip eigrp topology' shows the prefix as active but never transitions to passive. R2's 'show ip route' does not have 192.168.1.0/24. What is the root cause?
36. R1 and R2 are connected via an IPsec VPN tunnel. R1 has a static route to 10.10.10.0/24 pointing to the tunnel interface. R2 has a static route to 192.168.1.0/24 pointing to the tunnel interface. Both routers have BGP configured between loopback addresses over the tunnel. BGP peering is established, but R1 cannot ping 10.10.10.1 (R2's loopback) from its loopback. R1's 'show ip bgp' shows the route as valid but not best. What is the root cause?
37. R1 and R2 have an IPsec VPN tunnel between their physical interfaces. They are running OSPF over the tunnel interface. R1's 'show ip ospf neighbor' shows R2 as FULL, but R1's 'show ip route ospf' does not include any routes from R2. R2's 'show ip route ospf' shows routes from R1. What is the root cause?
38. R1 and R2 are connected via an IPsec VPN tunnel. They are running EIGRP over the tunnel. R1's 'show ip eigrp neighbors' shows R2 as up, but R1's 'show ip eigrp topology' shows all routes from R2 in passive state. However, R1's 'show ip route' does not have any EIGRP routes from R2. What is the root cause?
39. R1 and R2 have an IPsec VPN tunnel between their physical interfaces. They are running BGP over the tunnel interface. R1's 'show ip bgp summary' shows the BGP session with R2 as established, but R1's 'show ip bgp' shows no routes from R2. R2's 'show ip bgp' shows routes from R1. What is the root cause?
40. R1 and R2 are connected via an IPsec VPN tunnel. They are running OSPF over the tunnel. R1's 'show ip ospf neighbor' shows R2 as FULL, but R1's 'show ip ospf database' shows the LSA from R2 but with a high age (e.g., 3600). R1's 'show ip route' does not have routes from R2. What is the root cause?
41. R1 and R2 are connected via an IPsec VPN tunnel. They are running EIGRP over the tunnel. R1's 'show ip eigrp neighbors' shows R2 as up, but R1's 'show ip eigrp topology' shows a route from R2 as 'stuck-in-active' (SIA). R1's 'show ip eigrp traffic' shows queries being sent but no replies. What is the root cause?
42. A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:

    R1# debug crypto isakmp
    *Mar 1 00:01:23.456: ISAKMP (0:0): received packet from 192.168.1.2 dport 500 sport 500 Global (N) NEW SA
    *Mar 1 00:01:23.457: ISAKMP: Created a peer struct for 192.168.1.2, peer port 500
    *Mar 1 00:01:23.457: ISAKMP: New peer created peer = 0x12345678 peer_handle = 0x80000001
    *Mar 1 00:01:23.457: ISAKMP: Locking peer struct 0x12345678, refcount 1 for crypto_isakmp_process_block
    *Mar 1 00:01:23.457: ISAKMP (0:0): SA request profile is (default)
    *Mar 1 00:01:23.457: ISAKMP: local port 500, remote port 500
    *Mar 1 00:01:23.458: ISAKMP (0:0): found peer pre-shared-key matching 192.168.1.2
    *Mar 1 00:01:23.458: ISAKMP (0:0): constructed NAT-T vendor ID
    *Mar 1 00:01:23.458: ISAKMP (0:0): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
    *Mar 1 00:01:23.458: ISAKMP (0:0): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
    *Mar 1 00:01:23.459: ISAKMP (0:0): processing SA payload. message ID = 0
    *Mar 1 00:01:23.459: ISAKMP (0:0): Checking ISAKMP transform 1 against priority 1 policy
    *Mar 1 00:01:23.459: ISAKMP:      encryption DES-CBC
    *Mar 1 00:01:23.459: ISAKMP:      hash SHA
    *Mar 1 00:01:23.459: ISAKMP:      default group 2
    *Mar 1 00:01:23.459: ISAKMP:      auth pre-share
    *Mar 1 00:01:23.459: ISAKMP (0:0): atts are not acceptable. Next transforms are not acceptable
    *Mar 1 00:01:23.460: ISAKMP (0:0): no offers accepted!

    What does this output indicate?

43. A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:

    R1# debug crypto ipsec
    *Mar 1 00:02:34.567: IPSEC(sa_request): ,
      (key eng. msg.) src=10.0.0.1, dst=10.0.0.2,
        src_proxy=192.168.1.0/255.255.255.0/0/0,
        dst_proxy=192.168.2.0/255.255.255.0/0/0,
    *Mar 1 00:02:34.567: IPSEC(validate_proposal): transform proposal (esp-3des esp-sha-hmac) not supported for proxy 192.168.1.0/255.255.255.0/0/0
    *Mar 1 00:02:34.567: IPSEC(validate_proposal): proposal doesn't match!
    *Mar 1 00:02:34.568: IPSEC(create_sa): SA created with (0x1234, 0x5678) but no inbound or outbound SPI

    What does this output indicate?

44. A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:

    R1# show crypto isakmp sa detail
    IPv4 Crypto ISAKMP SA
    C-id  Local           Remote          I-VRF  Status  Encr  Hash  Auth  DH  Lifetime  Cap.
    1001  192.168.1.1     192.168.2.2            ACTIVE  des   sha   pre   2   23:59:21
    1002  192.168.1.1     192.168.2.2            ACTIVE  3des  sha   pre   2   23:58:15

    IPv6 Crypto ISAKMP SA

    What does this output indicate?

45. A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:

    R1# show crypto ipsec sa detail
    interface: Tunnel0
        Crypto map tag: CMAP, local addr 192.168.1.1
       protected vrf: (none)
       local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
       current_peer 192.168.2.2 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
         local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.2.2
         path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
         current outbound spi: 0x0(0)
         PFS (Y/N): N, DH group: none
         inbound esp sas:
          spi: 0x0(0)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 0, flow_id: 0, sibling_flags 80000000, crypto map: CMAP
            sa timing: remaining key lifetime (k/sec): (0/0)
            IV size: 8 bytes
            replay detection support: N
         outbound esp sas:
          spi: 0x0(0)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 0, flow_id: 0, sibling_flags 80000000, crypto map: CMAP
            sa timing: remaining key lifetime (k/sec): (0/0)
            IV size: 8 bytes
            replay detection support: N

    What does this output indicate?

46. A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:

    R1# show crypto ipsec transform-set
    Transform set combined-des-sha: { esp-des esp-sha-hmac }
       will negotiate = { Tunnel, },
    Transform set myset: { esp-3des esp-sha-hmac }
       will negotiate = { Tunnel, },
    Transform set strong: { esp-aes 256 esp-sha-hmac }
       will negotiate = { Tunnel, },

    What does this output indicate?

47. A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:

    R1# show crypto engine connections active
    Crypto Engine Connections
       ID  Type    Algorithm       Encrypt  Decrypt LastSeqNo
        1  IPsec   ESP-3DES+SHA          0        0         0
        2  IPsec   ESP-3DES+SHA          0        0         0
        3  IPsec   ESP-AES+SHA           0        0         0

    What does this output indicate?

48. A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:

    R1# show crypto map
    Crypto Map "CMAP" 10 ipsec-isakmp
            Peer = 192.168.2.2
            Extended IP access list 101
                access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
            Current peer: 192.168.2.2
            Security association lifetime: 4608000 kilobytes/3600 seconds
            PFS (Y/N): N
            Transform sets={myset, }
            Interfaces using crypto map CMAP:
                    Tunnel0

    What does this output indicate?

49. A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:

    R1# show ip route 192.168.2.0
    Routing entry for 192.168.2.0/24
      Known via "eigrp 100", distance 90, metric 2684416, type internal
      Redistributing via eigrp 100
      Last update from 10.0.0.2 on Tunnel0, 00:00:23 ago
      Routing Descriptor Blocks:
      * 10.0.0.2, from 10.0.0.2, via Tunnel0
          Route metric is 2684416, traffic share count is 1
          Total delay is 20000 microseconds, minimum bandwidth is 100000 Kbit
          Reliability 255/255, minimum MTU 1500 bytes
          Loading 1/255, Hops 1

    What does this output indicate?

50. A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:

    R1# show crypto isakmp policy
    Global IKE policy
    Protection suite of priority 10
            encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
            hash algorithm:         Secure Hash Standard
            authentication method:  Pre-Shared Key
            Diffie-Hellman group:   #5 (1536 bit)
            lifetime:               86400 seconds, no volume limit
    Default protection suite
            encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
            hash algorithm:         Secure Hash Standard
            authentication method:  Pre-Shared Key
            Diffie-Hellman group:   #1 (768 bit)
            lifetime:               86400 seconds, no volume limit

    What does this output indicate?
51. What is the default IKE (ISAKMP) lifetime value in Cisco IOS for IPsec Site-to-Site VPN?
52. Which default IPsec transform set is automatically created in Cisco IOS when configuring a site-to-site VPN?
53. In IPsec site-to-site VPN, what is the default Diffie-Hellman (DH) group used in IKEv1 phase 1 on Cisco IOS?
54. Which statement correctly describes the default behavior of Dead Peer Detection (DPD) in Cisco IOS for IPsec site-to-site VPN?
55. In IPsec site-to-site VPN, what is the default IPsec SA lifetime in Cisco IOS?
56. Which authentication method is used by default in IKEv1 main mode for IPsec site-to-site VPN on Cisco IOS?
57. In Cisco IOS, what is the default encryption algorithm for IKEv1 phase 1 if not specified in the ISAKMP policy?
58. What is the default hash algorithm for IKEv1 phase 1 in Cisco IOS when not explicitly configured?
59. In Cisco IOS, what is the default IKEv1 phase 1 authentication method when using a pre-shared key and no explicit authentication is configured?
60. Drag and drop the steps to negotiate an IKEv2 IPsec site-to-site tunnel into the correct order, from first to last.
61. Drag and drop the steps to troubleshoot an IPsec site-to-site VPN adjacency failure into the correct order, from first to last.
62. Drag and drop the steps to verify and validate the operational state of an IPsec site-to-site VPN into the correct order, from first to last.
63. Which TWO statements correctly describe the use of IKEv2 for IPsec site-to-site VPNs? (Choose TWO.)
64. Which TWO configuration changes are required to enable IPsec site-to-site VPN with IKEv2 and pre-shared keys on a Cisco IOS router? (Choose TWO.)
65. Which TWO statements about IPsec transform sets and security associations (SAs) are true? (Choose TWO.)
66. Which TWO statements about IPsec site-to-site VPN troubleshooting using 'show crypto session' and 'show crypto ipsec sa' are correct? (Choose TWO.)
67. Which TWO actions will prevent an IPsec site-to-site VPN tunnel from coming up when using IKEv2 and pre-shared keys? (Choose TWO.)
68. An engineer configures a site-to-site IPsec VPN between two routers using OSPF as the routing protocol. The OSPF neighbor becomes stuck in EXSTART state. The engineer verifies that the IPsec tunnel is up and that both routers can ping each other's tunnel interfaces. What is the most likely cause of the OSPF adjacency issue?
69. An engineer configures an IPsec site-to-site VPN between two routers running EIGRP. The EIGRP neighbor forms, but routes are not being exchanged. The engineer notices that the EIGRP neighbor is stuck in active state for certain routes. What is the most likely explanation?
70. An engineer configures an IPsec site-to-site VPN between two routers using iBGP for routing. The BGP session comes up, but routes learned from the remote site are not installed in the routing table. The engineer verifies that the IPsec tunnel is up and that the BGP prefixes are present in the BGP table. What is the most likely explanation?
71. An engineer configures mutual redistribution between OSPF and EIGRP on a router that is part of an IPsec site-to-site VPN. After the configuration, routing loops occur intermittently. The engineer has not used any route tagging. What is the most likely cause of the routing loops?
72. An engineer configures a DMVPN Phase 2 network with IPsec protection. Spoke-to-spoke tunnels form, but traffic between spokes is not being forwarded directly; it still goes through the hub. The engineer verifies that NHRP registrations are successful and that the spoke-to-spoke IPsec sessions are established. What is the most likely explanation?
73. An engineer configures an IPsec site-to-site VPN using IKEv1 with aggressive mode. The VPN tunnel establishes, but after some time the tunnel goes down and re-establishes repeatedly. The engineer notices that the ISAKMP SA lifetime is set to 86400 seconds on one router and 3600 seconds on the other. What is the most likely explanation for the instability?
74. An engineer configures Control Plane Policing (CoPP) on a router that terminates multiple IPsec site-to-site VPN tunnels. After applying the CoPP policy, some IPsec tunnels fail to establish, while others work fine. The engineer verifies that the CoPP policy permits IKE (UDP 500) and ESP (protocol 50) traffic. What is the most likely cause of the failure?
75. An engineer configures unicast Reverse Path Forwarding (uRPF) in strict mode on the outside interface of a router that terminates an IPsec site-to-site VPN. After the configuration, the VPN tunnel establishes, but traffic from the remote site is not forwarded correctly. The engineer verifies that the IPsec tunnel is up and that the routing table has the correct routes. What is the most likely explanation?
76. An engineer configures an IPsec site-to-site VPN between two routers using OSPF as the routing protocol. The OSPF neighbor forms, but routes are not being exchanged. The engineer verifies that the IPsec tunnel is up and that OSPF packets are being encrypted. The OSPF network type on the tunnel interface is set to broadcast. What is the most likely explanation for the missing routes?
The IPsec Site-to-Site VPN domain covers the key concepts tested in this area of the 300-410 exam blueprint published by Cisco. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all 300-410 domains — no account required.
The Courseiva 300-410 question bank contains 76 questions in the IPsec Site-to-Site VPN domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the IPsec Site-to-Site VPN domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.