- A
Mismatched encryption algorithms between the two VPN peers
Why wrong: If encryption algorithms were mismatched, the tunnel would not establish. Since the tunnel is up, this is not the issue.
- B
Incorrect static route on the branch router for the 192.168.10.0/24 network
A route pointing to the tunnel interface or the remote VPN peer is necessary for traffic from the branch to reach the main office LAN.
- C
Firewall on the main office server blocking ICMP
Why wrong: While possible, the main office can ping the branch gateway, and if the tunnel is up, firewall rules affecting ICMP are less likely the root cause compared to missing routing.
- D
Incorrect IKE authentication settings
Why wrong: IKE authentication issues would prevent the tunnel from being established; since the tunnel is active, this is not the cause.
Quick Answer
The answer is an incorrect static route on the branch router for the 192.168.10.0/24 network. When an IPsec tunnel is up but you cannot ping the remote subnet, the issue is almost always one-way routing: the tunnel is active and passing traffic from the main office to the branch, as confirmed by the successful ping from main to branch gateway, but the branch router lacks a route directing traffic for 192.168.10.0/24 into the tunnel interface. Without that route, packets from the branch are sent out the default gateway instead of being encrypted and forwarded through the VPN. On the CompTIA Network+ N10-009 exam, this scenario tests your understanding that a tunnel being “up” only proves Phase 1 and Phase 2 negotiation; it does not guarantee bidirectional traffic flow. A common trap is to blame firewall rules or NAT, but the key clue is that one side works and the other doesn’t. Remember the mnemonic: “Tunnel up, one-way ping? Check the routing table for the missing static.”
N10-009 Network Implementation Practice Question
This N10-009 practice question tests your understanding of network implementation. The scenario asks you to isolate a root cause; eliminate options that address a different problem before choosing. A key principle to apply: VPN tunnel establishment does not automatically create routes for internal networks. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A network engineer has established an IPsec VPN tunnel between a branch office (10.0.0.0/24) and the main office (192.168.10.0/24). The tunnel shows as up and active, but users at the branch office cannot ping the main office server at 192.168.10.10. The main office can ping the branch office gateway successfully. What is the most likely cause of this issue?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "most likely"
Why it matters: Probability qualifier. The question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
Correct answer & explanation
Incorrect static route on the branch router for the 192.168.10.0/24 network
The tunnel is up and active, and the main office can ping the branch office gateway, which confirms that Phase 1 and Phase 2 of IPsec are correctly negotiated and that the tunnel is passing traffic from the main office toward the branch. However, branch users cannot reach 192.168.10.10, indicating that return traffic from the branch is not being routed into the tunnel. The most likely cause is that the branch router lacks a static route for 192.168.10.0/24 pointing to the tunnel interface (or the IPsec virtual interface), so packets from the branch destined for the main office are sent out the wrong interface or dropped instead of being encrypted and forwarded through the VPN.
Key principle: VPN tunnel establishment does not automatically create routes for internal networks.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗
Mismatched encryption algorithms between the two VPN peers
Why it's wrong here
If encryption algorithms were mismatched, the tunnel would not establish. Since the tunnel is up, this is not the issue.
- ✓
Incorrect static route on the branch router for the 192.168.10.0/24 network
Why this is correct
A route pointing to the tunnel interface or the remote VPN peer is necessary for traffic from the branch to reach the main office LAN.
Clue confirmation
The clue word "most likely" in the question points toward this answer.
Related concept
VPN tunnel establishment does not automatically create routes for internal networks.
- ✗
Firewall on the main office server blocking ICMP
- ✗
Incorrect IKE authentication settings
Why it's wrong here
IKE authentication issues would prevent the tunnel from being established; since the tunnel is active, this is not the cause.
Common exam traps
Common exam trap: answer the scenario, not the keyword
Cisco often tests the distinction between a tunnel being 'up' (IPsec SAs established) and traffic actually flowing correctly, leading candidates to incorrectly assume that a working tunnel guarantees bidirectional reachability without verifying routing or crypto ACLs.
Detailed technical explanation
How to think about this question
In a site-to-site IPsec VPN, traffic must be matched by a crypto access control list (ACL) on each peer to trigger encryption; additionally, a route must exist on the branch router that directs traffic for the remote subnet (192.168.10.0/24) to the tunnel interface (e.g., 'ip route 192.168.10.0 255.255.255.0 Tunnel0'). Without this route, the branch router performs a standard routing table lookup and may forward the packet out its default gateway (the internet) instead of into the VPN tunnel, causing the ping to fail. The fact that the main office can ping the branch gateway confirms that the tunnel is functional for traffic sourced from the main office, but the branch router's routing table is incomplete for the return path.
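The routing lookup described above, as an added example that is not part of the original page: a longest-prefix-match lookup over a constructed branch routing table, plus an audit that flags remote subnets whose traffic would leave outside the tunnel. The interface names `LAN0` and `WAN0` and the function names are assumptions; `Tunnel0` comes from the explanation above.

```python
import ipaddress

def best_route(table, dst):
    """Longest-prefix match: return the (network, interface) entry that wins for dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), ifc) for p, ifc in table
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None  # no matching route at all: the packet is dropped
    return max(matches, key=lambda m: m[0].prefixlen)

def audit_vpn_routes(table, remote_subnets, tunnel_if):
    """List (subnet, probed address, egress) for subnets that would bypass the tunnel."""
    leaks = []
    for subnet in remote_subnets:
        net = ipaddress.ip_network(subnet)
        # Probe both ends of the subnet so a more-specific route that
        # overrides either end of the range is also reported.
        for probe in (net.network_address, net.broadcast_address):
            hit = best_route(table, str(probe))
            egress = hit[1] if hit else "drop"
            if egress != tunnel_if:
                leaks.append((subnet, str(probe), egress))
                break
    return leaks

# Constructed branch routing tables for the scenario (not taken from a real device).
BRANCH_BROKEN = [
    ("10.0.0.0/24", "LAN0"),   # connected branch LAN
    ("0.0.0.0/0", "WAN0"),     # default route toward the internet
]
# Same table after adding the static route from the explanation.
BRANCH_FIXED = BRANCH_BROKEN + [("192.168.10.0/24", "Tunnel0")]
# Edge case: a stale, more-specific route still overrides part of the subnet.
BRANCH_SHADOWED = BRANCH_FIXED + [("192.168.10.0/28", "WAN0")]

if __name__ == "__main__":
    for name, table in (("broken", BRANCH_BROKEN), ("fixed", BRANCH_FIXED),
                        ("shadowed", BRANCH_SHADOWED)):
        net, ifc = best_route(table, "192.168.10.10")
        print(f"{name}: 192.168.10.10 matches {net} via {ifc}")
        print("  bypassing tunnel:", audit_vpn_routes(table, ["192.168.10.0/24"], "Tunnel0"))
```

In the broken table the only match for 192.168.10.10 is the default route, so the packet leaves the WAN interface unencrypted even though the tunnel is up.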
Key Concepts to Remember
- VPN tunnel establishment does not automatically create routes for internal networks.
- Static routes or dynamic routing protocols are required to direct LAN traffic into a VPN tunnel.
- A missing route will cause traffic destined for the remote network to be dropped or misrouted.
- The VPN tunnel being 'up' confirms successful IKE negotiation and security association establishment.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
VPN tunnel establishment does not automatically create routes for internal networks.
Real-world example
How this comes up in practice
A practitioner preparing for the N10-009 exam encounters this exact type of scenario on the job. The correct answer here is not the most general option — it is the best answer for the specific constraint described. VPN tunnel establishment does not automatically create routes for internal networks. Real exam questions reward reading the full scenario before eliminating options, because the constraint defines which answer fits.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
Same concept, more angles
1 more way this is tested on N10-009
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. A network engineer has configured an IPsec site-to-site VPN between two offices. The tunnel is established and shows as active. However, users at the branch office (10.0.1.0/24) cannot reach servers at the main office (192.168.1.0/24). Both routers have the correct VPN policies and firewall rules permitting IPsec traffic. What should the engineer check next?
Difficulty: hard
- A) That the DNS server addresses are correctly configured
- ✓ B) That the routing tables on both routers include routes to the remote subnet
- C) That the MTU size is set to 1500 on both ends
- D) That the SSID is correctly configured on the access points
Why B: The tunnel being active means Phase 1 and Phase 2 of IPsec are established, but traffic still cannot flow because the routers lack routes to the remote subnets. Without a route for 10.0.1.0/24 on the main office router (or 192.168.1.0/24 on the branch router), packets will be dropped or sent out the wrong interface, even though the VPN policy and firewall rules are correct. The engineer must verify that static routes or a dynamic routing protocol (e.g., OSPF over the tunnel) are in place to direct traffic into the IPsec tunnel interface.
Last reviewed: Jun 11, 2026
This N10-009 practice question is part of Courseiva's free CompTIA certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the N10-009 exam.