An engineer troubleshooting a site-to-site VPN finds a Security policy dropping the peer’s IKE traffic at the edge firewall. Both VPN peers are behind a NAT, and NAT-T is enabled.
How can the engineer remediate this issue?
A. Add a Security policy to allow UDP/500.
B. Add a Security policy to allow the IKE application.
C. Add a Security policy to allow the IPSec application.
Looks like it should be C according to the below:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFRCA0
The ipsec application contains the following sub-apps:
- ike
- ipsec-ah
- ipsec-esp
- ipsec-esp-udp (NAT-T)
The sub-apps above are allowed implicitly when the ipsec application is configured as allowed.
A: Add a Security policy to allow UDP/500 - will not work; as stated by others, when NAT-T is enabled it will also use UDP/4500.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC
"To check if NAT-T is enabled, packets will be on port 4500 instead of 500 from the 5th and 6th messages of main mode."
B: Add a Security policy to allow the IKE application. - will not work as per the above
D: Add a Security policy to allow UDP/4501 - will not work as per the above.
C: Add a Security policy to allow the IPSec application. - having checked on PAN-OS 10.2, the IPSec application has 4 sub(?) applications:
- ike (Standard Ports: tcp/500, udp/500)
- ipsec-ah (Standard Ports: IP Protocol 51)
- ipsec-esp (Standard Ports: IP Protocol 50)
- ipsec-esp-udp (Standard Ports: udp/4500, udp/4501)
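To make the port reasoning in the comment above concrete, here is an added example (not from this thread and not Palo Alto Networks code) that models the ipsec container and its sub-apps as listed, replays an IKEv1 main-mode exchange in which messages 5 and 6 move to udp/4500 once NAT-T is detected, and checks which of the four candidate rules passes every message. It approximates App-ID by standard ports only, which is an assumption; the real engine classifies on packet content.

```python
# Constructed port-based model of the PAN-OS App-ID hierarchy quoted above.
# Standard ports per sub-app, as listed in the comment for PAN-OS 10.2.
SUB_APPS = {
    "ike":           {("tcp", 500), ("udp", 500)},
    "ipsec-ah":      {("ip", 51)},           # IP protocol 51
    "ipsec-esp":     {("ip", 50)},           # IP protocol 50
    "ipsec-esp-udp": {("udp", 4500), ("udp", 4501)},
}
# Allowing the container app implicitly allows all of its sub-apps.
CONTAINER = {"ipsec": set(SUB_APPS)}


def classify(proto, port):
    """Map a (proto, port) tuple to the sub-app it would match, or None."""
    for app, ports in SUB_APPS.items():
        if (proto, port) in ports:
            return app
    return None


def expand(apps):
    """Expand container apps into the concrete set of permitted sub-apps."""
    permitted = set()
    for app in apps:
        permitted |= CONTAINER.get(app, {app})
    return permitted


def ike_main_mode_flows(nat_t=True):
    """Constructed IKEv1 main-mode sequence: messages 1-4 stay on udp/500;
    with NAT-T, messages 5-6 (and everything after) switch to udp/4500."""
    flows = [("udp", 500)] * 4
    flows += [("udp", 4500)] * 2 if nat_t else [("udp", 500)] * 2
    return flows


def policy_allows_vpn(apps=(), services=(), nat_t=True):
    """Check whether a rule allowing the given App-IDs and/or raw services
    (proto, port) passes every message of the exchange.
    Returns (True, None) or (False, first_dropped_flow)."""
    permitted = expand(apps)
    for flow in ike_main_mode_flows(nat_t):
        if flow not in set(services) and classify(*flow) not in permitted:
            return False, flow
    return True, None


if __name__ == "__main__":
    print("A udp/500   :", policy_allows_vpn(services={("udp", 500)}))
    print("B ike       :", policy_allows_vpn(apps={"ike"}))
    print("C ipsec     :", policy_allows_vpn(apps={"ipsec"}))
    print("D udp/4501  :", policy_allows_vpn(services={("udp", 4501)}))
```

Without NAT-T the same check shows the ike-only rule passing, which is why the question's "both peers behind NAT" detail is what decides the answer.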
Phase 1 - IKE
Phase 2 - IPSec
If IKE traffic is being dropped that means Phase 1 is not coming up and you have bigger problems. At this point no need to even troubleshoot Phase 2 - IPSec.
In Objects > Applications it can be seen that the ike app uses tcp/500 and/or udp/500 and that it doesn't depend on any other app (for example ipsec). Since PA always recommends using App-ID, I would choose B.
Community vote distribution: A (35%), C (25%), B (20%), Other