Exam AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 104 discussion

A network engineer needs to build an encrypted connection between an on-premises data center and a VPC. The network engineer attaches the VPC to a virtual private gateway and sets up an AWS Site-to-Site VPN connection. The VPN tunnel is UP after configuration and is working. However, during rekey for phase 2 of the VPN negotiation, the customer gateway device is receiving different parameters than the parameters that the device is configured to support.

The network engineer checks the IPsec configuration of the VPN tunnel. The network engineer notices that the customer gateway device is configured with the most secure encryption algorithms that the AWS Site-to-Site VPN configuration file provides.

What should the network engineer do to troubleshoot and correct the issue?

  • A. Check the native virtual private gateway logs. Restrict the VPN tunnel options to the specific VPN parameters that the virtual private gateway requires.
  • B. Check the native customer gateway logs. Restrict the VPN tunnel options to the specific VPN parameters that the customer gateway requires.
  • C. Check Amazon CloudWatch logs of the virtual private gateway. Restrict the VPN tunnel options to the specific VPN parameters that the virtual private gateway requires.
  • D. Check Amazon CloudWatch logs of the customer gateway. Restrict the VPN tunnel options to the specific VPN parameters that the customer gateway requires.
Suggested Answer: B 🗳️
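The corrective step that the suggested answer describes (restricting the AWS-side tunnel options to what the customer gateway device supports) worked through as an added example; this is not part of the question or any comment on the page. It assumes constructed sample parameter sets and a placeholder VPN connection ID, and builds the `--tunnel-options` payload for the AWS CLI `aws ec2 modify-vpn-tunnel-options` command.

```python
import json

# Constructed sample (assumption, not copied from AWS): the phase 2 proposals
# the AWS side may offer when the tunnel options are left unrestricted. A
# rekey that picks one of these can fail if the CGW was not configured for it.
AWS_DEFAULT_PHASE2 = {
    "encryption": ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"],
    "integrity": ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"],
    "dh_groups": [2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24],
}

# Constructed sample: what the customer gateway device was configured with
# (the strongest entries taken from the downloaded configuration file).
CGW_SUPPORTED_PHASE2 = {
    "encryption": ["AES256-GCM-16"],
    "integrity": ["SHA2-512"],
    "dh_groups": [24],
}


def phase2_mismatch(aws, cgw):
    """Return, per parameter, the AWS-side proposals the CGW cannot accept.

    Anything listed here may be selected during a phase 2 rekey and is the
    kind of mismatch the CGW's native logs would show."""
    return {k: [v for v in aws[k] if v not in cgw[k]] for k in aws}


def build_tunnel_options(cgw):
    """Build the JSON for --tunnel-options that pins AWS to the CGW's set.

    Values outside the known AWS-accepted range are rejected up front so a
    typo in the CGW inventory never reaches the API."""
    for key, allowed in AWS_DEFAULT_PHASE2.items():
        bad = [v for v in cgw[key] if v not in allowed]
        if bad:
            raise ValueError(f"{key}: not accepted by AWS: {bad}")
    return {
        "Phase2EncryptionAlgorithms": [{"Value": v} for v in cgw["encryption"]],
        "Phase2IntegrityAlgorithms": [{"Value": v} for v in cgw["integrity"]],
        "Phase2DHGroupNumbers": [{"Value": n} for n in cgw["dh_groups"]],
    }


def cli_command(vpn_connection_id, tunnel_outside_ip, cgw):
    """Render the AWS CLI call; run it once per tunnel (each has its own IP)."""
    opts = json.dumps(build_tunnel_options(cgw), separators=(",", ":"))
    return ("aws ec2 modify-vpn-tunnel-options "
            f"--vpn-connection-id {vpn_connection_id} "
            f"--vpn-tunnel-outside-ip-address {tunnel_outside_ip} "
            f"--tunnel-options '{opts}'")


if __name__ == "__main__":
    print(phase2_mismatch(AWS_DEFAULT_PHASE2, CGW_SUPPORTED_PHASE2))
    # "vpn-PLACEHOLDER" and 203.0.113.10 are placeholders, not real values.
    print(cli_command("vpn-PLACEHOLDER", "203.0.113.10", CGW_SUPPORTED_PHASE2))
```

Phase 1 has the matching `Phase1EncryptionAlgorithms`, `Phase1IntegrityAlgorithms` and `Phase1DHGroupNumbers` keys and is restricted the same way.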

Comments

lygf
Highly Voted 1 year, 5 months ago
Selected Answer: B
You check CloudWatch for AWS resources or your native/on-prem logs for your on-prem resource. A and D are out. The problem statement indicates that the customer gateway is misconfigured. So you need to work on the customer gateway.
upvoted 10 times
JaffaDaffa
Highly Voted 1 year, 4 months ago
Selected Answer: B
There are no CloudWatch logs for the CGW, only for the VPN.
upvoted 5 times
woorkim
Most Recent 3 days, 5 hours ago
B is correct! Reasoning: The problem occurs during VPN tunnel negotiation. The customer gateway is receiving incompatible parameters. Checking the native logs of the customer gateway will help identify the specific configuration mismatches. By restricting the VPN tunnel options to match the customer gateway's supported parameters, the network engineer can resolve the compatibility issue. The key steps would be: (1) review the customer gateway's native logs; (2) identify the specific encryption and negotiation parameters it supports; (3) adjust the VPN configuration to align with those parameters; (4) ensure the configuration allows a secure but compatible connection.
upvoted 1 times
[Removed]
3 months, 3 weeks ago
Selected Answer: B
If you read the contents of the S2S logs, they do not mention the phase 2 encryption methods used. https://docs.aws.amazon.com/vpn/latest/s2svpn/log-contents.html
upvoted 1 times
Blitz1
4 months, 2 weeks ago
Selected Answer: B
Funny question... and it has nothing to do with technical knowledge but more with English. Where is the problem: on the customer VPN router. Where to check: on the customer router, or in CloudWatch for your own "router" (VPG). D is confusing because it says "Check Amazon CloudWatch logs of the customer gateway". What you will see in CloudWatch are the logs from your own router (VPG) and not customer logs, because the customer is not sending logs to CloudWatch. I would have chosen an answer which said: "Check Amazon CloudWatch logs of the virtual private gateway. Restrict the VPN tunnel options to the specific VPN parameters that the customer gateway requires." - but this option is NOT available.
upvoted 1 times
Sailor
7 months, 1 week ago
Selected Answer: D
Each side's logs can determine the problem! The question did not even ask where to take action! The problem can be solved by matching the configuration on both sides; which side to change is not the key point! The question says: "The network engineer notices that the customer gateway device is configured with the most secure encryption algorithms that the AWS Site-to-Site VPN configuration file provides." I feel it drives us to change the AWS side: as long as the customer is configured with "the most secure encryption algorithms", we should accordingly change the AWS side! This is a logic question more than an AWS question!!!
upvoted 1 times
JoellaLi
8 months ago
Selected Answer: D
Benefits of Site-to-Site VPN logs - Simplified VPN troubleshooting: Site-to-Site VPN logs help you to pinpoint configuration mismatches between AWS and your customer gateway device, and address initial VPN connectivity issues. VPN connections can intermittently flap over time due to misconfigured settings (such as poorly tuned timeouts), there can be issues in the underlying transport networks (like internet weather), or routing changes or path failures can cause disruption of connectivity over VPN. This feature allows you to accurately diagnose the cause of intermittent connection failures and fine-tune low-level tunnel configuration for reliable operation. https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-logs.html
upvoted 1 times
BGKaZ
9 months ago
Selected Answer: D
Site-to-Site VPN logs help you to pinpoint configuration mismatches between AWS and your customer gateway device, and address initial VPN connectivity issues. >>> https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-logs.html
upvoted 3 times
Marfee400704
9 months, 3 weeks ago
I think the correct answer is B according to SPOTO products.
upvoted 1 times
drake2020
11 months ago
D is the right answer: the CloudWatch log will show the real issue and then action can be taken. https://docs.aws.amazon.com/vpn/latest/s2svpn/log-contents.html (TunnelIKEPhase2State, VpnLogDetail)
upvoted 3 times
luisfsm
1 year, 2 months ago
Selected Answer: D
According to these links, it's D: https://aws.amazon.com/about-aws/whats-new/2022/08/aws-site-vpn-connection-logs-amazon-cloudwatch/?nc1=h_ls https://aws.amazon.com/vpn/faqs/#:~:text=Q%3A%20What%20logs,best%20effort%20basis.
upvoted 1 times
Certified101
1 year, 4 months ago
Selected Answer: D
Simplified VPN troubleshooting: Site-to-Site VPN logs help you to pinpoint configuration mismatches between AWS and your customer gateway device, and address initial VPN connectivity issues. https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-logs.html
upvoted 3 times
johnconnor
1 year, 4 months ago
It is D; basically no answer on this exam is going to be to check a solution outside AWS. Plus we have this -> https://aws.amazon.com/about-aws/whats-new/2022/08/aws-site-vpn-connection-logs-amazon-cloudwatch/
upvoted 2 times
JoellaLi
8 months, 2 weeks ago
Lol, agree with you - basically no answer on this exam is going to be to check a solution outside AWS.
upvoted 1 times
Fukat
1 year, 4 months ago
Selected Answer: B
B. We cannot enable CloudWatch logs on the CGW or VGW. It has to be enabled on the VPN connection. So the other options are totally incorrect.
upvoted 2 times
DanyelBlood
1 year, 5 months ago
Selected Answer: D
Site-to-Site VPN logs can be published to Amazon CloudWatch Logs. This feature provides customers with a single consistent way to access and analyze detailed logs for all of their Site-to-Site VPN connections.
upvoted 2 times
TravelKo
1 year, 5 months ago
Selected Answer: D
Logs are exported to CloudWatch.
upvoted 1 times
Training
1 year, 5 months ago
Should be D. Benefits of Site-to-Site VPN logs - Simplified VPN troubleshooting: Site-to-Site VPN logs help you to pinpoint configuration mismatches between AWS and your customer gateway device, and address initial VPN connectivity issues. VPN connections can intermittently flap over time due to misconfigured settings (such as poorly tuned timeouts), there can be issues in the underlying transport networks (like internet weather), or routing changes or path failures can cause disruption of connectivity over VPN. This feature allows you to accurately diagnose the cause of intermittent connection failures and fine-tune low-level tunnel configuration for reliable operation.
upvoted 4 times
JoellaLi
8 months, 2 weeks ago
Your link mentions that "Site-to-Site VPN logs can be published to Amazon CloudWatch Logs.". So Site-to-Site VPN logs !== Amazon CloudWatch Logs.
upvoted 1 times
Training
1 year, 5 months ago
https://aws.amazon.com/about-aws/whats-new/2022/08/aws-site-vpn-connection-logs-amazon-cloudwatch/
upvoted 1 times
Training
1 year, 5 months ago
https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-logs.html
upvoted 1 times