Cyber Monday 2024! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

Cisco Exam 300-440 Topic 5 Question 5 Discussion

Actual exam question for Cisco's 300-440 exam
Question #: 5
Topic #: 5
[All 300-440 Questions]

Refer to the exhibits.

Refer to the exhibit. An engineer successfully brings up the site-to-site VPN tunnel between the remote office and the AWS virtual private gateway, and the site-to-site routing works correctly. However, the end-to-end ping between the office user PC and the AWS EC2 instance is not working. Which two actions diagnose the loss of connectivity? (Choose two.)

Show Suggested Answer Hide Answer
Suggested Answer: B, C

The end-to-end ping between the office user PC and the AWS EC2 instance is not working because either the security group rules for the host VPC are blocking the ICMP traffic or the IPsec SA counters are showing errors or drops. To diagnose the loss of connectivity, the engineer should check both the security group rules and the IPsec SA counters. The network security group rules on the host VNET are not relevant because they apply to Azure, not AWS. The IPsec SA configuration on the Cisco VPN router and the AWS private virtual gateway are not likely to be the cause of the problem because the site-to-site VPN tunnel is already up and the site-to-site routing works correctly.Reference:=

Designing and Implementing Cloud Connectivity (ENCC, Track 1 of 5), Module 3: Configuring IPsec VPN from Cisco IOS XE to AWS, Lesson 3: Verify IPsec VPN Connectivity

Security for VPNs with IPsec Configuration Guide, Cisco IOS XE, Chapter: IPsec VPN Overview, Section: IPsec Security Association

AWS Documentation, User Guide for AWS VPN, Section: Security Groups for Your VPC


Contribute your Thoughts:

Meaghan
6 months ago
I think we should configure the IPsec SA on the Cisco VPN router to allow ping packets.
upvoted 0 times
...
Delmy
6 months ago
We should also check the IPsec SA counters to see if there are any issues there.
upvoted 0 times
...
Yvonne
7 months ago
I agree with Elenor. We need to make sure the rules are not blocking the traffic.
upvoted 0 times
...
Elenor
7 months ago
I think we should check the network security group rules on the host VNET.
upvoted 0 times
...
Isaac
7 months ago
I think we should configure the IPsec SA on the Cisco VPN router to allow ping packets.
upvoted 0 times
...
Kirk
7 months ago
We should also check the IPsec SA counters to see if there are any issues there.
upvoted 0 times
...
Nathalie
7 months ago
I agree with Micheal. We need to make sure the rules are not blocking the traffic.
upvoted 0 times
...
Micheal
7 months ago
I think we should check the network security group rules on the host VNET.
upvoted 0 times
...
Felix
8 months ago
You guys are on the right track. But don't forget to check the AWS private virtual gateway as well. It could be an issue with the configuration there, not just the Cisco router. We need to cover all our bases.
upvoted 0 times
...
Maryann
8 months ago
Hmm, I'm leaning towards checking the security group rules first. That seems like the most logical step. I mean, the VPN tunnel is up, so the issue has to be somewhere in the network security.
upvoted 0 times
...
Youlanda
8 months ago
I agree, the security group rules are a good place to start. But we should also check the IPsec SA counters to see if there are any issues with the VPN tunnel itself. And we might need to configure the IPsec SA to allow ping packets on either the Cisco VPN router or the AWS private virtual gateway.
upvoted 0 times
Lawana
7 months ago
B) Check the security group rules for the host VPC.
upvoted 0 times
...
Lindy
8 months ago
Agreed, configuring the IPsec SA to allow ping packets on the gateway could help resolve the ping issue.
upvoted 0 times
...
Lemuel
8 months ago
E) On the AWS private virtual gateway, configure the IPsec SA to allow ping packets.
upvoted 0 times
...
Vernell
8 months ago
Yes, checking the IPsec SA counters is important to diagnose any tunnel issues.
upvoted 0 times
...
Sanjuana
8 months ago
D) On the Cisco VPN router, configure the IPsec SA to allow ping packets.
upvoted 0 times
...
Sue
8 months ago
C) Check the IPsec SA counters.
upvoted 0 times
...
Lai
8 months ago
A) Check the network security group rules on the host VNET.
upvoted 0 times
...
...
Lelia
8 months ago
This seems like a tricky question. The site-to-site VPN tunnel is working, but the end-to-end ping is not. I'm thinking we need to look at the security group rules on both the host VNET and the VPC. Might be an issue with the ICMP protocol not being allowed.
upvoted 0 times
...

Save Cancel
az-700  pass4success  az-104  200-301  200-201  cissp  350-401  350-201  350-501  350-601  350-801  350-901  az-720  az-305  pl-300  

Warning: Cannot modify header information - headers already sent by (output started at /pass.php:70) in /pass.php on line 77