Scenario-based practice

Troubleshooting Scenario Questions

Practise Cisco SCOR / CCNP Security Core 350-701 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15 scenario questions | Exam code: 350-701 | Vendor: Cisco

Scenario guide

How to approach troubleshooting scenario questions

These questions describe a network symptom and ask you to identify the root cause or the correct fix. They appear across all certification exams and reward systematic thinking over memorisation. The best candidates follow a consistent troubleshooting framework even under time pressure.

Quick answer

Troubleshooting scenario questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Practice set

Practice scenarios

Question 1 (easy, multiple choice)

A network engineer is troubleshooting an IPsec VPN tunnel that fails to establish. The configuration includes a crypto map with a matching access list. Which command should be used to verify the security associations and error counters for the IPsec phase?

Question 2 (medium, multiple choice)

A network engineer is troubleshooting an issue where users on VLAN 10 cannot access the internet, but they can reach internal resources. The firewall is configured with a default route pointing to the ISP router. The engineer notices that NAT is configured but traffic is not being translated. Which configuration is most likely missing?

Question 3 (easy, multiple choice)

An engineer is troubleshooting a site-to-site IPsec VPN between two Cisco routers. The tunnel is not establishing. Which command would verify that IKE phase 1 negotiations have completed successfully?

Question 4 (medium, multiple choice)

A network administrator is troubleshooting an issue where users in the finance VLAN are unable to access a critical server in the server VLAN. The switch logs show multiple 'Authentication failed' messages for MAC addresses in the finance VLAN. The switchport security feature is enabled on the access ports. What is the most likely cause of the issue?

Question 5 (easy, multiple choice)

A network engineer is troubleshooting an issue where an endpoint is failing to authenticate via 802.1X on a Cisco switch. The switch port is in unauthorized state. Which step should the engineer take first to identify the root cause?

Question 6 (medium, multiple choice)

A company has a site-to-site VPN between two ASA firewalls using IKEv2. The tunnel was working but after an upgrade, it fails. The engineer verifies that the pre-shared keys match, IKE proposals are compatible, and the crypto ACL is correctly defined. What is the next likely cause to investigate?

Question 7 (hard, multiple choice)

An engineer is troubleshooting traffic drops on a Cisco Firepower Threat Defense (FTD) device. The traffic is allowed by the access control policy but is being dropped. Which feature should the engineer check to identify the cause of the drop?

Question 8 (easy, multiple choice)

A network administrator is troubleshooting an issue where users in the Sales VLAN cannot access the internet through the Cisco Firepower Threat Defense (FTD) device. The FTD is configured with a security policy that allows traffic from the Sales subnet to any destination. However, the traffic is being blocked. Which feature should the administrator check first to resolve the issue?

Question 9 (medium, multiple choice)

Refer to the exhibit. An IPsec VPN tunnel between two routers is not passing traffic. IKE phase 1 is not complete (MM_NO_STATE). Phase 2 has no SA. Which issue is most likely causing the problem?

Exhibit

Router1#show crypto ipsec sa peer 10.1.1.2
interface: Tunnel0
    Crypto map tag: VPN-CM, local addr 10.1.1.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 10.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.1.1.2
     path mtu 1500, ipsec overhead 66, media mtu 1500
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x0(0)
        transform: esp-aes 256 esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 0, flow_id: 0, sibling_flags 80000040, crypto map: VPN-CM
        sa timing: remaining key lifetime (k/sec): (0/0)
        IV size: 16 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x0(0)
        transform: esp-aes 256 esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 0, flow_id: 0, sibling_flags 80000040, crypto map: VPN-CM
        sa timing: remaining key lifetime (k/sec): (0/0)
        IV size: 16 bytes
        replay detection support: Y
     outbound ah sas:
     outbound pcp sas:

Router1#show crypto isakmp sa
dst             src             state          conn-id slot
10.1.1.2        10.1.1.1        MM_NO_STATE    1       0

Question 10 (hard, multiple choice)

A security engineer is troubleshooting an issue where a known malicious file (SHA-256: 3a7c...f9e) is not being detected by Cisco Secure Endpoint on a Windows 10 endpoint. The file was downloaded from the internet. The policy has the 'File Reputation' setting set to 'Use cloud lookup', and the 'Exploit Prevention' module is enabled. The endpoint is connected to the internet and can reach the AMP cloud. What is the most likely reason for the missed detection?

Question 11 (hard, multiple choice)

A network administrator notices that users in the finance department are unable to access a legitimate business web application that uses custom port 8443. The WSA is configured with a decryption policy that decrypts all traffic on port 443. What is the most likely cause of the issue?

Question 12 (hard, multiple choice)

An administrator is troubleshooting an issue where emails sent to a specific external domain are being delayed by up to 30 minutes. The Cisco ESA is configured with multiple mail exchangers (MX) for delivery. The logs show that the ESA is attempting delivery to the primary MX, which is unresponsive, and failing over to the secondary MX after 30 minutes. What change should be made to reduce the delivery delay?

Question 13 (medium, multiple choice)

A network administrator is troubleshooting why users in the marketing department cannot access a specific cloud storage site through the Cisco WSA. The access policy for marketing is set to 'Monitor' for the File Sharing category, but the site is blocked. What is the most likely reason?

Question 14 (medium, multiple choice)

A network engineer is troubleshooting an endpoint that failed to receive policy updates from the Cisco AMP cloud. The endpoint shows 'Out-of-Date' in the AMP console. The engineer verifies that the endpoint has outbound HTTPS access to the AMP cloud. What additional step should the engineer take to resolve the issue?

Question 15 (medium, multiple choice)

An incident responder uses the Cisco AMP for Endpoints console to investigate a potential malware outbreak. The endpoint shows multiple files with high prevalence and cloud verdicts of 'unknown'. The responder wants to quickly identify files that were executed from a malicious parent process. Which console feature best assists this analysis?

These 350-701 practice questions are part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style 350-701 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.