The answer is that the crypto map is not applied to the external interface. This is the most likely issue when an IPsec tunnel is established but no traffic is encrypted, because the crypto map defines the security policies—such as the access list and transform set—that dictate which traffic to protect and how to encrypt it. Without applying the crypto map to the physical or tunnel interface that sends and receives encrypted traffic (typically the outside-facing interface), the router never enforces those policies, so even though IKE Phase 1 completes and the tunnel appears up, no data plane traffic is actually encrypted. On the Cisco SCOR / CCNP Security Core 350-701 exam, this scenario tests your understanding of the IPsec configuration sequence: ISAKMP (IKE) can succeed independently, but encryption only begins once the crypto map is bound to the correct interface. A common trap is assuming a tunnel status of “up” guarantees traffic encryption, but it only indicates successful control-plane negotiation. Memory tip: “Map the map”—always verify the crypto map is applied to the outside interface before troubleshooting anything else.
350-701 Security Concepts Practice Question
This 350-701 practice question tests your understanding of security concepts. The scenario asks you to isolate a root cause: eliminate options that address a different problem before choosing. Once you have made your selection, read the full explanation and wrong-answer breakdown below to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto map CMAP 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set ESP-AES256-SHA
 match address 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Refer to the exhibit. The tunnel is established but no traffic is encrypted. What is the most likely issue?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "most likely"
Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
Correct answer & explanation
✓
The crypto map is not applied to the external interface
The most likely issue is that the crypto map is not applied to the external interface. In an IPsec VPN configuration, the crypto map must be applied to the interface that sends and receives encrypted traffic (typically the outside/public-facing interface). Until it is, the router never evaluates the map's policy: there is no interface on which to match outgoing packets against the interesting-traffic ACL, negotiate IPsec SAs with the peer, or apply the transform set. IKE Phase 1 can still complete, so the tunnel appears to be established, but no IPsec SAs are built for data traffic and nothing is encrypted.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✗
The transform set uses wrong encryption
Why it's wrong here
AES-256 is a strong encryption algorithm and compatible.
✓
The crypto map is not applied to the external interface
Why this is correct
The crypto map must be attached to an interface to enable encryption.
Clue confirmation
The clue word "most likely" in the question points toward this answer: the exhibit shows a complete, valid crypto map, so the most probable explanation for a tunnel with no encrypted traffic is that the map was never bound to an interface.
Related concept
Read the scenario before looking for a memorised answer.
✗
The access-list is too permissive
Why it's wrong here
The ACL correctly defines interesting traffic between the two subnets.
✗
The peer address is wrong
Why it's wrong here
If the peer address were wrong, the tunnel would not be established.
Common exam traps
Common exam trap: answer the scenario, not the keyword
Cisco often tests the distinction between tunnel establishment (IKE Phase 1) and traffic encryption (IPsec Phase 2 + crypto map application), trapping candidates who assume a tunnel being 'up' means all components are correctly applied.
Detailed technical explanation
How to think about this question
The crypto map acts as a policy container that binds together the interesting-traffic ACL, transform set, peer address, and other IPsec parameters. When applied to an interface with the 'crypto map <name>' interface command, the router's CEF or process-switching path checks outgoing packets on that interface against the ACL; on a match, the packet is encrypted and encapsulated (triggering IPsec SA negotiation first if no SA exists). Without this interface-level application the crypto map is inert: ISAKMP still listens on UDP/500 (and UDP/4500 with NAT-T), so Phase 1 can complete with the peer, but the router neither initiates Phase 2 for data traffic nor accepts the peer's Phase 2 proposal, because there is no crypto map entry on the receiving interface to validate it against. The quickest check is 'show crypto map', whose output lists the interfaces using each map; an empty list means the policy is not enforced anywhere, and 'show crypto ipsec sa' will show no SAs or zero '#pkts encaps'/'#pkts encrypt' counters. In real-world scenarios this is a common misconfiguration after copying a config from another device or forgetting to enter the 'interface GigabitEthernet0/0' context before typing 'crypto map CMAP'.
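The following is an added example, not code from the page or from Cisco: a small offline audit that parses an IOS-style running-config and reports crypto maps that are defined but never applied to an interface, along with dangling ACL and transform-set references. Two constructed configs are embedded: BROKEN_CONFIG reproduces the exhibit, and FIXED_CONFIG shows the same policy with the missing interface binding, plus an IKE policy and pre-shared key that the exhibit does not contain. The interface name GigabitEthernet0/0, the local address 10.0.0.1, the IKE policy values and the PSK placeholder are all assumptions made for the example.

```python
"""Audit an IOS-style config for crypto maps that are never applied to an interface.

Added example, not code from the page or from Cisco. Both configs are constructed:
BROKEN_CONFIG mirrors the exhibit; FIXED_CONFIG adds an assumed IKE policy, PSK and
interface binding (GigabitEthernet0/0, 10.0.0.1 and the PSK are placeholders).
"""

BROKEN_CONFIG = """\
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto map CMAP 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set ESP-AES256-SHA
 match address 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

FIXED_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 10.0.0.2
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto map CMAP 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set ESP-AES256-SHA
 match address 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
interface GigabitEthernet0/0
 description Outside, faces the IPsec peer (assumed interface)
 ip address 10.0.0.1 255.255.255.252
 crypto map CMAP
"""


def parse_config(text):
    """Return (crypto_maps, transform_sets, acls, applied).

    IOS configs are line based: top-level commands start in column 0 and sub-mode
    commands are indented one space. Only the keywords the audit needs are parsed.
    crypto_maps: {name: {seq: {'peer': [...], 'transform_set': [...], 'acl': str|None}}}
    applied:     {map_name: [interface_name, ...]}
    """
    maps, transform_sets, acls, applied = {}, set(), set(), {}
    context = None  # ('map', name, seq) or ('intf', name) while inside a sub-mode
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        if not line.startswith(" "):          # top-level command: leaves any sub-mode
            context = None
            if tokens[:3] == ["crypto", "ipsec", "transform-set"]:
                transform_sets.add(tokens[3])
            elif tokens[:2] == ["crypto", "map"] and len(tokens) >= 4 and tokens[3].isdigit():
                name, seq = tokens[2], int(tokens[3])
                maps.setdefault(name, {})[seq] = {"peer": [], "transform_set": [], "acl": None}
                context = ("map", name, seq)
            elif tokens[0] == "access-list":          # numbered ACL
                acls.add(tokens[1])
            elif tokens[:2] == ["ip", "access-list"] and len(tokens) >= 4:  # named ACL
                acls.add(tokens[3])
            elif tokens[0] == "interface":
                context = ("intf", tokens[1])
            continue
        if context is None:
            continue
        if context[0] == "map":
            entry = maps[context[1]][context[2]]
            if tokens[:2] == ["set", "peer"]:
                entry["peer"].append(tokens[2])
            elif tokens[:2] == ["set", "transform-set"]:
                entry["transform_set"].extend(tokens[2:])
            elif tokens[:2] == ["match", "address"]:
                entry["acl"] = tokens[2]
        elif context[0] == "intf" and tokens[:2] == ["crypto", "map"]:
            # Interface-level 'crypto map NAME' is what actually activates the policy.
            applied.setdefault(tokens[2], []).append(context[1])
    return maps, transform_sets, acls, applied


def audit(text):
    """Return a list of findings; an empty list means the IPsec policy is wired up."""
    maps, transform_sets, acls, applied = parse_config(text)
    findings = []
    for name, entries in maps.items():
        if name not in applied:
            findings.append(f"crypto map {name} is defined but not applied to any interface")
        for seq, e in entries.items():
            if not e["peer"]:
                findings.append(f"crypto map {name} {seq}: no 'set peer'")
            if not e["transform_set"]:
                findings.append(f"crypto map {name} {seq}: no 'set transform-set'")
            for ts in e["transform_set"]:
                if ts not in transform_sets:
                    findings.append(f"crypto map {name} {seq}: transform set {ts} is not defined")
            if e["acl"] is None:
                findings.append(f"crypto map {name} {seq}: no 'match address'")
            elif e["acl"] not in acls:
                findings.append(f"crypto map {name} {seq}: access list {e['acl']} is not defined")
    for name, intfs in applied.items():
        if name not in maps:
            findings.append(f"{', '.join(intfs)}: references undefined crypto map {name}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("exhibit", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['OK']}")
```

Run against the exhibit the audit reports only the unapplied map, which is exactly the finding the question is built around; the fixed config is clean. On a live device the equivalent check is 'show crypto map' (the interface list at the end of each map's output) followed by 'show crypto ipsec sa' to confirm the encaps/encrypt counters increase once interesting traffic flows.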
Key Concepts to Remember
Read the scenario before looking for a memorised answer.
Find the constraint that changes the correct option.
Eliminate answers that are true in general but not in this case.
Exam Day Tips
→ Watch for words such as best, first, most likely and least administrative effort.
→ Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A security administrator must allow nursing staff to reach a patient records server while blocking access from the guest Wi-Fi VLAN. After applying an extended ACL, traffic is still blocked from nursing workstations. The ACL was applied outbound instead of inbound on the wrong interface. Questions like this test ACL direction and placement rules.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
Security Concepts — This question tests Security Concepts: read the scenario before looking for a memorised answer.
What is the correct answer to this question?
The correct answer is: The crypto map is not applied to the external interface — In an IPsec VPN configuration, the crypto map must be applied to the interface that sends and receives encrypted traffic (typically the outside/public-facing interface). Until it is, the router never evaluates the map's policy: it has no interface on which to match interesting traffic against the ACL, negotiate IPsec SAs with the peer, or apply the transform set. IKE Phase 1 can still complete, so the tunnel appears to be established, but no IPsec SAs are built for data traffic and nothing is encrypted.
What should I do if I get this 350-701 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
Are there clue words in this question I should notice?
Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
This 350-701 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 350-701 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.