Welcome to Pass4Success

Cisco Exam 300-440 Topic 5 Question 5 Discussion

Actual exam question for Cisco's 300-440 exam
Question #: 5
Topic #: 5

Refer to the exhibit. An engineer successfully brings up the site-to-site VPN tunnel between the remote office and the AWS virtual private gateway, and the site-to-site routing works correctly. However, the end-to-end ping between the office user PC and the AWS EC2 instance is not working. Which two actions diagnose the loss of connectivity? (Choose two.)

Suggested Answer: B, C

The end-to-end ping between the office user PC and the AWS EC2 instance fails because either the security group rules for the host VPC are blocking the ICMP traffic or the IPsec SA counters are showing errors or drops. To diagnose the loss of connectivity, the engineer should check both the security group rules and the IPsec SA counters. Network security group rules on a host VNET are not relevant because they apply to Azure, not AWS. The IPsec SA configuration on the Cisco VPN router and the AWS private virtual gateway is unlikely to be the cause, because the site-to-site VPN tunnel is already up and site-to-site routing works correctly.

Reference:

Designing and Implementing Cloud Connectivity (ENCC, Track 1 of 5), Module 3: Configuring IPsec VPN from Cisco IOS XE to AWS, Lesson 3: Verify IPsec VPN Connectivity

Security for VPNs with IPsec Configuration Guide, Cisco IOS XE, Chapter: IPsec VPN Overview, Section: IPsec Security Association

AWS Documentation, User Guide for AWS VPN, Section: Security Groups for Your VPC
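One way to automate the two checks the suggested answer names (IPsec SA counters on the Cisco router, and whether the EC2 instance's security group admits ICMP from the office), as an added example that is not part of this page or of any Cisco or AWS tool; the SA counter text and security-group rules are constructed samples, and the function names are my own.

```python
import ipaddress
import re
# Constructed sample of 'show crypto ipsec sa' counter lines (not a real
# capture): traffic is encapsulated toward AWS but nothing comes back.
SAMPLE_SA = """
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 3
"""

# Constructed sample shaped like IpPermissions from
# 'aws ec2 describe-security-groups': SSH is allowed, there is no ICMP rule.
SAMPLE_SG_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.10.0.0/16"}]},
]

def parse_sa_counters(text):
    """Pull encaps/decaps and send/recv error counts out of SA output."""
    def grab(pattern):
        m = re.search(pattern, text)
        return int(m.group(1)) if m else 0
    return {"encaps": grab(r"#pkts encaps: (\d+)"),
            "decaps": grab(r"#pkts decaps: (\d+)"),
            "send_errors": grab(r"#send errors (\d+)"),
            "recv_errors": grab(r"#recv errors (\d+)")}

def diagnose_sa(counters):
    """Encaps rising with decaps at zero: no replies; non-zero errors: SA fault."""
    findings = []
    if counters["encaps"] > 0 and counters["decaps"] == 0:
        findings.append("one-way traffic: packets sent, none received")
    if counters["send_errors"] or counters["recv_errors"]:
        findings.append("SA error counters are non-zero")
    return findings

def icmp_echo_allowed(rules, source_ip):
    """True if an inbound rule admits ICMP echo-request from source_ip.
    AWS puts the ICMP type in FromPort and code in ToPort; -1 means any."""
    src = ipaddress.ip_address(source_ip)
    for rule in rules:
        proto = rule["IpProtocol"]
        if proto not in ("-1", "icmp"):
            continue  # e.g. the tcp/22 rule above: does not cover ping
        if proto == "icmp" and rule.get("FromPort", -1) not in (-1, 8):
            continue  # ICMP, but neither echo-request (type 8) nor any type
        for r in rule.get("IpRanges", []):
            if src in ipaddress.ip_network(r["CidrIp"]):
                return True
    return False
```

Run against the constructed samples, the SA check reports one-way traffic plus receive errors, and the security-group check reports that the office PC's address is not permitted to ping the instance; either finding alone explains the symptom in the question.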


Contribute your Thoughts:

Felix
3 days ago
You guys are on the right track. But don't forget to check the AWS private virtual gateway as well. It could be an issue with the configuration there, not just the Cisco router. We need to cover all our bases.
upvoted 0 times
Maryann
4 days ago
Hmm, I'm leaning towards checking the security group rules first. That seems like the most logical step. I mean, the VPN tunnel is up, so the issue has to be somewhere in the network security.
upvoted 0 times
Youlanda
5 days ago
I agree, the security group rules are a good place to start. But we should also check the IPsec SA counters to see if there are any issues with the VPN tunnel itself. And we might need to configure the IPsec SA to allow ping packets on either the Cisco VPN router or the AWS private virtual gateway.
upvoted 0 times
Lelia
6 days ago
This seems like a tricky question. The site-to-site VPN tunnel is working, but the end-to-end ping is not. I'm thinking we need to look at the security group rules on both the host VNET and the VPC. Might be an issue with the ICMP protocol not being allowed.
upvoted 0 times