The answer is that the TTL security check is blocking the connection. This is correct because the error message explicitly indicates that the incoming TTL value does not match the expected value of 255, which is required for a directly connected eBGP peer. When BGP TTL security check is enabled, the router expects the TTL of incoming packets to be exactly 255; if the packet arrives with a lower TTL—as happens when it traverses intermediate hops—the session is rejected, even if the neighbor is technically reachable. On the Cisco SPCOR 350-501 exam, this scenario tests your understanding of how TTL security differs from standard eBGP multihop configurations, where the TTL is decremented normally. A common trap is confusing this with MD5 authentication or prefix limits, but the debug output will always reference “TTL security” explicitly. Remember the memory tip: “TTL 255 means directly alive; anything less means the session is in distress.”
350-501 Networking Practice Question
This 350-501 practice question tests your understanding of networking. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
Refer to the exhibit.
R1# show ip bgp neighbors 10.0.0.1
BGP neighbor is 10.0.0.1, remote AS 65000, external link
BGP version 4, remote router ID 10.0.0.1
BGP state = IDLE
Last read 00:00:00, last write 00:00:00
Hold time is 180, keepalive interval is 60 seconds
Message statistics:
InQ depth is 0
OutQ depth is 0
Sent: total 0, updates 0
Received: total 0, updates 0
Connections established 0; dropped 0
Last reset never
External BGP neighbor may be up to 255 hops away.
Connection is not permitted by TTL security check (TTL=1)
Based on the exhibit, what is preventing the BGP session from establishing?
Refer to the exhibit.
R1# show ip bgp neighbors 10.0.0.1
BGP neighbor is 10.0.0.1, remote AS 65000, external link
BGP version 4, remote router ID 10.0.0.1
BGP state = IDLE
Last read 00:00:00, last write 00:00:00
Hold time is 180, keepalive interval is 60 seconds
Message statistics:
InQ depth is 0
OutQ depth is 0
Sent: total 0, updates 0
Received: total 0, updates 0
Connections established 0; dropped 0
Last reset never
External BGP neighbor may be up to 255 hops away.
Connection is not permitted by TTL security check (TTL=1)
A
The BGP MD5 password is mismatched
Why wrong: There is no indication of an MD5 authentication error.
B
The BGP update-source is misconfigured
Why wrong: No evidence of update-source issue; the error is specific to TTL.
C
The neighbor has reached its maximum prefix limit
Why wrong: No prefix limit error is shown; the state is IDLE due to TTL security.
D
The TTL security check is blocking the connection
The error 'Connection is not permitted by TTL security check (TTL=1)' clearly indicates the TTL security mechanism is rejecting the packet.
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓
The TTL security check is blocking the connection
Option C is correct. The error message indicates the TTL security check is rejecting the connection because the incoming TTL is not 255 (as expected for an eBGP multihop session). The remote AS is shown as 65000, so it is eBGP. The neighbor is reached via a single-hop but the TTL check expects TTL=255, but the router sees a TTL less than that. Option A is wrong because no prefix limit is mentioned. Option B is wrong because no MD5 error is shown. Option D is wrong because the message clearly states TTL security check.
Key principle: OSPF neighbour adjacency depends on matching area, hello/dead timers, network type, and authentication — IP reachability alone is not enough.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✗
The BGP MD5 password is mismatched
Why it's wrong here
There is no indication of an MD5 authentication error.
✗
The BGP update-source is misconfigured
Why it's wrong here
No evidence of update-source issue; the error is specific to TTL.
✗
The neighbor has reached its maximum prefix limit
Why it's wrong here
No prefix limit error is shown; the state is IDLE due to TTL security.
✓
The TTL security check is blocking the connection
Why this is correct
The error 'Connection is not permitted by TTL security check (TTL=1)' clearly indicates the TTL security mechanism is rejecting the packet.
Common exam trap: OSPF can fail even when IP connectivity looks correct
OSPF neighbour formation depends on matching areas, timers, network type, authentication and passive-interface behaviour. Do not choose an answer only because the devices can ping.
Trap categories for this question
Command / output trap
No prefix limit error is shown; the state is IDLE due to TTL security.
Detailed technical explanation
How to think about this question
OSPF questions usually test the details that control adjacency and route selection. Read the neighbour state, area, router ID and interface configuration before deciding what is wrong.
KKey Concepts to Remember
OSPF neighbours must agree on key parameters.
Router ID selection can affect neighbour relationships and LSDB output.
OSPF cost influences the preferred path.
A route can appear in OSPF information but not become the installed route.
TExam Day Tips
→Check area mismatch first when OSPF adjacency fails.
→Review passive interfaces when a network is advertised but no neighbour forms.
→Use show ip ospf neighbor and show ip route clues carefully.
Key takeaway
OSPF neighbour adjacency depends on matching area, hello/dead timers, network type, and authentication — IP reachability alone is not enough.
Real-world example
How this comes up in practice
A network engineer at a university connects two campus buildings via a fibre link. Both routers run OSPF, but no adjacency forms — even though both routers can ping each other. The engineer finds one router is in area 0 and the other in area 1. OSPF adjacency requires matching area numbers, hello/dead timers, and network type. IP reachability alone is not enough.
What to study next
Got this wrong? Here's your next step.
Review OSPF neighbour requirements — matching area type, hello and dead timers, network type, stub flags, and authentication. Study show ip ospf neighbor states (INIT, 2-WAY, FULL). Then practise related 350-501 OSPF questions on adjacency and route selection.
Networking — This question tests Networking — OSPF neighbours must agree on key parameters..
What is the correct answer to this question?
The correct answer is: The TTL security check is blocking the connection — Option C is correct. The error message indicates the TTL security check is rejecting the connection because the incoming TTL is not 255 (as expected for an eBGP multihop session). The remote AS is shown as 65000, so it is eBGP. The neighbor is reached via a single-hop but the TTL check expects TTL=255, but the router sees a TTL less than that. Option A is wrong because no prefix limit is mentioned. Option B is wrong because no MD5 error is shown. Option D is wrong because the message clearly states TTL security check.
What should I do if I get this 350-501 question wrong?
Review OSPF neighbour requirements — matching area type, hello and dead timers, network type, stub flags, and authentication. Study show ip ospf neighbor states (INIT, 2-WAY, FULL). Then practise related 350-501 OSPF questions on adjacency and route selection.
What is the key concept behind this question?
OSPF neighbours must agree on key parameters.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
This 350-501 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 350-501 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.