Question 814 of 2,152
Device Access ControlhardMultiple ChoiceObjective-mapped

Quick Answer

The answer is that the access-list defining interesting traffic is missing the 'permit' statement for the actual traffic flow. This is the most likely explanation because IPsec uses the crypto map’s access-list to classify which traffic should trigger encryption; without an explicit 'permit' entry, the router does not consider the traffic as interesting, so it never initiates or refreshes the IPsec security associations, leaving the tunnel up but idle. On the Cisco CCNP ENARSI 300-410 exam, this scenario tests your understanding of how interesting traffic drives IPsec SA negotiation—a common trap is assuming a tunnel’s up state guarantees data flow, when in fact the tunnel can establish from other triggers like a ping or a misconfigured ACL entry, but without the correct permit, production traffic is dropped or sent in clear. Remember the memory tip: “No permit, no encrypt—tunnel up, traffic dead.”

300-410 Device Access Control Practice Question

This 300-410 practice question tests your understanding of device access control. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

An engineer configures an IPsec site-to-site VPN. The tunnel comes up, but no traffic passes. The engineer checks the crypto map and access-lists. Which is the most likely explanation?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "most likely"

    Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

Question 1hardmultiple choice
Read the full VPN explanation →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

The access-list defining interesting traffic is missing the 'permit' statement for the actual traffic flow.

Option B is correct because the access-list defining interesting traffic for the crypto map must explicitly include a 'permit' statement for the traffic that should be encrypted. Without this permit, the router will not classify the traffic as interesting, so IPsec will not attempt to encrypt it, and the traffic will be dropped or sent in clear depending on the crypto map configuration. The tunnel can still come up because IKE and IPsec SA negotiation is triggered by interesting traffic, but if the access-list is missing the permit, no traffic triggers the SA establishment, and existing SAs may remain idle.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The crypto map is applied to the wrong interface, causing the traffic to bypass encryption.

    Why it's wrong here

    If the crypto map is on the wrong interface, the tunnel would not form at all, but the problem states the tunnel is up.

  • The access-list defining interesting traffic is missing the 'permit' statement for the actual traffic flow.

    Why this is correct

    IPsec only encrypts traffic that matches the permit statements in the crypto access-list. If the traffic is not matched, it is sent in clear or dropped, depending on the crypto map configuration.

    Clue confirmation

    The clue word "most likely" in the question point toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • The IPsec transform set uses ESP with no encryption, so traffic is sent in clear.

    Why it's wrong here

    ESP with no encryption (ESP-NULL) would still provide authentication, but the tunnel would still encapsulate traffic. The issue is that no encryption is applied, but the tunnel is up.

  • The IKE phase 1 policy uses aggressive mode, which is incompatible with the crypto map.

    Why it's wrong here

    Aggressive mode is used in IKE phase 1 and does not affect the crypto map's ability to match traffic. It would affect the IKE negotiation, but the tunnel is up.

Common exam traps

Common exam trap: answer the scenario, not the keyword

Cisco often tests the misconception that a crypto map applied to an interface automatically encrypts all traffic, when in reality the access-list must explicitly permit the traffic to be encrypted, and a missing permit causes the tunnel to appear up but pass no traffic.

Detailed technical explanation

How to think about this question

In Cisco IOS, the crypto map references an extended access-list where each 'permit' entry defines traffic that must be encrypted. If the access-list is missing the permit for the actual traffic flow, the router will not attempt to encrypt that traffic, and the IPsec SA will not be established for that flow. This is a common misconfiguration because the access-list must match the source and destination addresses and ports exactly, and a 'deny' (implicit or explicit) will cause the traffic to be processed without encryption, often resulting in a black hole if the crypto map is configured with 'ipsec-isakmp' and no fallback.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A small business has 20 workstations on the 192.168.1.0/24 network and one public IP from its ISP. The router uses PAT (NAT overload) so all 20 devices share one public address using different source ports. NAT questions test whether you understand the four address terms and which direction each translation applies.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related 300-410 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free 300-410 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this 300-410 question test?

Device Access Control — This question tests Device Access Control — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: The access-list defining interesting traffic is missing the 'permit' statement for the actual traffic flow. — Option B is correct because the access-list defining interesting traffic for the crypto map must explicitly include a 'permit' statement for the traffic that should be encrypted. Without this permit, the router will not classify the traffic as interesting, so IPsec will not attempt to encrypt it, and the traffic will be dropped or sent in clear depending on the crypto map configuration. The tunnel can still come up because IKE and IPsec SA negotiation is triggered by interesting traffic, but if the access-list is missing the permit, no traffic triggers the SA establishment, and existing SAs may remain idle.

What should I do if I get this 300-410 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Keep practising

More 300-410 practice questions

Last reviewed: Jun 24, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This 300-410 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 300-410 exam.