Refer to the exhibit.
 
An engineer must allow Cisco AnyConnect users to access the outside interface using protocol UDP 500/4500. In addition, these clients must be able to establish an SSL connection to update Cisco AnyConnect software over the same connection. Which two actions must be taken to achieve this goal? (Choose two.)

A. IPsec (IKEv2) Allow Access must be checked on the outside interface.

B. SSL Enable DTLS must be checked on the outside interface.

C. Bypass interface access lists for inbound VPN sessions must be unchecked.

D. IPsec (IKEv2) Enable Client Services must be checked on the outside interface.

E. SSL Allow Access must be checked on the outside interface.

Which VPN solution uses TBAR?

A. GETVPN

B. VTI

C. DMVPN

D. Cisco AnyConnect

Which technology is used to send multicast traffic over a site-to-site VPN?

A. GRE over IPsec on IOS router

B. GRE over IPsec on FTD

C. IPsec tunnel on FTD

D. GRE tunnel on ASA

Refer to the exhibit. The VPN tunnel between the FlexVPN spoke and FlexVPN hub 192.168.0.12 is failing. What should be done to correct this issue?

A. Add the address 192.168.0.12 255.255.255.255 command to the keyring configuration.

B. Add the match fvrf any command to the IKEv2 policy.

C. Add the aaa authorization group psk list Flex_AAA Flex_Auth command to the IKEv2 profile configuration.

D. Add the tunnel mode gre ip command to the tunnel configuration.

A network engineer is installing Cisco AnyConnect on company laptops so that users can access corporate resources remotely. The VPN concentrator is a Cisco router running IOS-XE 16.9.1 code and configured as a FlexVPN server that uses local authentication and *$Cisc431089017$* as the key-id for the IKEv2 profile. Which two steps must be taken on the computer to allow a successful AnyConnect connection to the router? (Choose two.)

A. In the Cisco AnyConnect XML profile, set the IPsec Authentication method to EAP-AnyConnect.

B. In the Cisco AnyConnect XML profile, add the hostname and host address to the server list.

C. In the Cisco AnyConnect XML profile, set the user group field to DefaultAnyConnectClientGroup.

D. In the Cisco AnyConnect Local Policy, set the BypassDownloader option in the local to true.

E. In the Cisco AnyConnect Local Policy, add the router IP address to the Update Policy.

A network engineer must configure the Cisco ASA so that Cisco AnyConnect clients establishing an SSL VPN connection create an additional tunnel for real-time traffic that is sensitive to packet delays. If this additional tunnel experiences any issues, it must fall back to a TLS connection. Which two Cisco AnyConnect features must be configured to accomplish this task? (Choose two.)

A. DTLS

B. DSCP Preservation

C. DPD

D. SSL Rekey

E. OMTU

A network engineer is setting up a clientless SSLVPN on a Cisco ASA. Remote users must be able to access an internal webserver via the URL example.com. Which two steps accomplish this task? (Choose two.)

A. Configure a bookmark for the webserver.

B. Configure routing so that the user’s computer can reach the webserver.

C. Configure a DNS server that can resolve the webserver URL.

D. Configure a browser plugin on the Cisco ASA.

E. Configure routing so that the Cisco ASA can reach the webserver.

Refer to the exhibit.
 
A TCP based application that should be accessible over the VPN tunnel is not working. Pings to the appropriate IP address are failing. Based on the output, what is a fix for this issue?

A. Add a route on the remote peer for 209.165.201.0/27.

B. Add a route on the local peer for 10.1.1.0/24.

C. Add a permit for TCP traffic going to 10.1.1.0/24.

D. Add a permit for TCP traffic going to 209.165.201.0/27.

Refer to the exhibit.
 
Based on the configuration output, what is the VPN technology?

A. site-to-site

B. DMVPN

C. L2VPN

D. multicast VPN

Which statement about GETVPN is true?

A. The configuration that defines which traffic to encrypt originates from the key server.

B. TEK rekeys can be load-balanced between two key servers operating in COOP.

C. The pseudotime that is used for replay checking is synchronized via NTP.

D. Group members must acknowledge all KEK and TEK rekeys, regardless of configuration.

A network engineer has almost finished setting up a clientless VPN that allows remote users to access internal HTTP servers. Users must enter their username and password twice: once on the clientless VPN web portal and again to log in to internal HTTP servers. The Cisco ASA and the HTTP servers use the same Active Directory server to authenticate users. Which next step must be taken to allow users to enter their password only once?

A. Use LDAPS and add password management to the clientless tunnel group.

B. Configure auto-sign-on using NTLM authentication.

C. Set up the Cisco ASA to authenticate users via a SAML 2.0 IDP.

D. Create smart tunnels for the HTTP servers.

A router is being configured for IKEv2 AnyConnect using AnyConnect-EAP. How would the administrator separate profiles for administrators and employees so that authorization differs when they connect?

A. Define group aliases on the headend and have the user pick the appropriate alias when they connect

B. Define group-urls on the headend and create two XML profiles to match the administrator and user group urls

C. Create a certificate map and match on the appropriate certificate fields

D. Define key-ids on the headend and create two XML profiles to match the administrator and user key-ids.

A Cisco AnyConnect client establishes a SSL VPN connection with an ASA at the corporate office. An engineer must ensure that the client computer meets the enterprise security policy. Which feature can update the client to meet an enterprise security policy?

A. Endpoint Assessment

B. Cisco Secure Desktop

C. Basic Host Scan

D. Advanced Endpoint Assessment

An administrator must guarantee that remote access users are able to reach printers on their local LAN after a VPN session is established to the headquarters. All other traffic should be sent over the tunnel. Which split-tunnel policy reduces the configuration on the ASA headend?

A. include specified

B. exclude specified

C. tunnel specified

D. dynamic exclude

Refer to the exhibit. Based on the debug output, which type of mismatch is preventing the VPN from coming up?

A. interesting traffic

B. lifetime

C. preshared key

D. PFS

Refer to the exhibit. Which VPN technology is allowed for users connecting to the Employee tunnel group?

A. SSL AnyConnect

B. IKEv2 AnyConnect

C. crypto map

D. clientless

Refer to the exhibit. Which type of VPN is being configured, based on the partial configuration snippet?

A. GET VPN with COOP key server

B. GET VPN with dual group member

C. FlexVPN load balancer

D. FlexVPN backup gateway

Refer to the exhibit. Client 1 cannot communicate with client 2. Both clients are using Cisco AnyConnect and have established a successful SSL VPN connection to the hub ASA. Which command on the ASA is missing?

A. dns-server value 10.1.1.2

B. same-security-traffic permit intra-interface

C. same-security-traffic permit inter-interface

D. dns-server value 10.1.1.3

A network engineer is configuring a server. The router will terminate encrypted VPN connections on g0/0, which is in the VRF "Internet". The clear-text traffic that must be encrypted before being sent out traverses g0/1, which is in the VRF "Internal". Which two VRF-specific configurations allow VPN traffic to traverse the VRF-aware interfaces? (Choose two.)

A. Under the IKEv2 profile, add the ivrf Internal command.

B. Under the virtual-template interface, add the ip vrf forwarding Internet command.

C. Under the IKEv2 profile, add the match fvrf Internal command.

D. Under the IKEv2 profile, add the match fvrf Internet command.

E. Under the virtual-template interface, add the tunnel vrf Internet command.

A network engineer must expand a company's Cisco AnyConnect solution. Currently, a Cisco ASA is set up in North America and another will be installed in Europe with a different IP address. Users should connect to the ASA that has the lowest Round Trip Time from their network location as measured by the AnyConnect client. Which solution must be implemented to meet this requirement?

A. VPN Load Balancing

B. IP SLA

C. DNS Load Balancing

D. Optimal Gateway Selection

Which feature must be disabled in EIGRP for DMVPN spokes to learn routes to other DMVPN spokes?

A. split-horizon

B. bandwidth percent

C. next-hop-self

D. hold time

Refer to the exhibit.
 
Which component must be configured on routers for a GETVPN deployment work properly?

A. PE3: Key Server – Customer 2 CEs: Group Members

B. Customer 1 CE1: Key Server – R1 and Customer 1 CE2: Group Members

C. R1: Key Server – Customer 1 CEs: Group Members

D. PE3: Key Server – all CEs: Group Members

When troubleshooting FlexVPN spoke-to-spoke tunnels, what should be verified first?

A. NHRP redirect is enabled on the hub.

B. The spokes have sent a resolution request.

C. NHRP cache entries exist on the spoke.

D. NHO routes exist on the spokes.

Which remote access VPN technology requires the use of the IPsec-proposal configuration option?

A. clientless SSLVPN

B. SSLVPN Full Tunnel

C. IKEv2-based VPN

D. IKEv1-based VPN

Which command identifies a Cisco AnyConnect profile that was uploaded to the flash of an IOS router?

A. svc import profile SSL_profile flash:simos-profile.xml

B. anyconnect profile SSL_profile flash:simos-profile.xml

C. crypto vpn anyconnect profile SSL_profile flash:simos-profile.xml

D. webvpn import profile SSL_profile flash:simos-profile.xml

Which two components are required in a Cisco IOS GETVPN key server configuration? (Choose two.)

A. RSA key

B. IKE policy

C. SSL cipher

D. GRE tunnel

E. L2TP protocol

Which feature of GETVPN is a limitation of DMVPN and FlexVPN?

A. sequence numbers that enable scalable replay checking

B. enabled use of ESP or AH

C. design for use over public or private WAN

D. no requirement for an overlay routing protocol

Which two features provide headend resiliency for Cisco AnyConnect clients? (Choose two.)

A. AnyConnect Auto Reconnect

B. AnyConnect Network Access Manager

C. AnyConnect Backup Servers

D. ASA failover

E. AnyConnect Always On

Which Diffie Hellman group should be used when ECDH is required in a VPN configuration?

A. 24

B. 19

C. 16

D. 15

Refer to the exhibit. Cisco AnyConnect must be set up on a router to allow users to access internal servers 192.168.0.10 and 192.168.0.11. All other traffic should go out of the client's local NIC. Which command accomplishes this configuration?

A. svc split include 192.168.0.0 255.255.255.0

B. svc split exclude 192.168.0.0 255.255.255.0

C. svc split include acl CCNP

D. svc split exclude acl CCNP

Users are getting untrusted server warnings when they connect to the URL https://asa.lab from their browsers. This URL resolves to 192.168.10.10, which is the IP address for a Cisco ASA configured for a clientless VPN. The VPN was recently set up and issued a certificate from an internal CA server. Users can connect to the VPN by ignoring the message, however, when users access other webservers that use certificates issued by the same internal CA server, they do not experience this issue. Which action resolves this issue?

A. Import the CA that signed the certificate into the machine trusted root CA store.

B. Reissue the certificate with asa.lab in the subject alternative name field.

C. Import the CA that signed the certificate into the user trusted root CA store.

D. Reissue the certificate with 192.168.10.10 in the subject common name field.

Which two parameters help to map a VPN session to a tunnel group without using the tunnel-group list? (Choose two.)

A. group-alias

B. certificate map

C. optimal gateway selection

D. group-url

E. AnyConnect client version

Which command must be configured on the tunnel interface of a FlexVPN spoke to receive a dynamic IP address from the hub?

A. ip address negotiated

B. ip unnumbered

C. ip address dhcp

D. ip address pool

A user at a company HQ is having trouble accessing a network share at a branch site that is connected with a L2L IPsec VPN. While troubleshooting, a network security engineer runs a packet tracer on the Cisco ASA to simulate the user traffic and discovers that the encryption counter is increasing but the decryption counter is not. What must be configured to correct this issue?

A. Adjust the routing on the remote peer device to direct traffic back over the tunnel.

B. Adjust the preshared key on the remote peer to allow traffic to flow over the tunnel.

C. Adjust the transform set to allow bidirectional traffic.

D. Adjust the peer IP address on the remote peer to direct traffic back to the ASA.

An administrator is setting up a VPN on an ASA for users who need to access an internal RDP server. Due to security restrictions, the Microsoft RDP client is blocked from running on client workstations via Group Policy. Which VPN feature should be implemented by the administrator to allow these users to have access to the RDP server?

A. clientless proxy

B. smart tunneling

C. clientless plug-in

D. clientless rewriter

Refer to the exhibit. Which action must be taken on the IPsec tunnel configuration to resolve the issue?

A. The access lists on each peer must mirror each other.

B. The transform set on each peer must match.

C. The access lists on each peer must be identical.

D. The transform set on each peer must be compatible.

An administrator is setting up AnyConnect for the first time for a few users. Currently, the router does not have access to a RADIUS server. Which AnyConnect protocol must be used to allow users to authenticate?

A. EAP-GTC

B. EAP-MSCHAPv2

C. EAP-MD5

D. EAP-AnyConnect

An administrator is setting up Cisco AnyConnect on a Cisco ASA with the requirement that AnyConnect automatically establishes a VPN when a company-owned laptop is connected to the internet outside of the corporate network. Which configuration meets these requirements?

A. SBL with user certificate authentication

B. TND with machine certificate authentication

C. SBL with machine certificate authentication

D. TND with user certificate authentication

Refer to the exhibit. An engineer is diagnosing an issue that occurred after a router at a branch site was assigned a new address. Based on the debugs, what must be done to resolve this issue?

A. Add the remote peer’s IP address to the server’s IKEv2 keyring.

B. Ensure that the correct preshared keys are set on both sides.

C. Ensure that the UDP 500 packets between devices are not dropped.

D. Add the remote peer’s identity to the server’s IKEv2 profile.

On an ASA with multiple connection profiles for different departments, what is the best design to ensure that AnyConnect users are assigned the correct connection profile based on their department and do not have the ability to choose a different connection profile?

A. group URL

B. group alias

C. dynamic access policy

D. certificate mapping

Which parameter must match on all routers in a DMVPN Phase 3 cloud?

A. GRE tunnel key

B. NHRP network ID

C. tunnel VRF

D. EIGRP split-horizon setting

Refer to the exhibit. A customer cannot establish an IKEv2 site-to-site VPN tunnel between two Cisco ASA devices. Based on the syslog message, which action brings up the VPN tunnel?

A. Reduce the maximum SA limit on the local Cisco ASA.

B. Increase the maximum in-negotiation SA limit on the local Cisco ASA.

C. Remove the maximum SA limit on the remote Cisco ASA.

D. Correct the crypto access list on both Cisco ASA devices.

An engineer must configure remote desktop connectivity for offsite admins via clientless SSL VPN, configured on a Cisco ASA to Windows Vista workstations.
Which two configurations provide the requested access? (Choose two.)

A. Telnet bookmark via the Telnet plugin

B. RDP2 bookmark via the RDP2 plugin

C. VNC bookmark via the VNC plugin

D. Citrix bookmark via the ICA plugin

E. SSH bookmark via the SSH plugin

What is a characteristic of GETVPN?

A. An ACL that defines interesting traffic must be configured and applied to the crypto map.

B. Quick mode is used to create an IPsec SA.

C. The remote peer for the IPsec session is configured as part of the crypto map.

D. All peers have one IPsec SPI for inbound and outbound communication.

Refer to the exhibit. Which VPN technology is used in the exhibit?

A. DVTI

B. VTI

C. DMVPN

D. GRE

What are two advantages of using GETVPN to traverse over the network between corporate offices? (Choose two.)

A. It has unique session keys for improved security.

B. It supports multicast.

C. It has QoS support.

D. It is a highly scalable any to any mesh topology.

E. It supports a hub-and-spoke topology.

Refer to the exhibit.
 
Given the output of the show ip route command, which remote access VPN technology is in use?

A. Reverse Route Injection

B. FlexVPN

C. Dynamic Crypto Map

D. DMVPN

A user is experiencing delays on audio calls over a Cisco AnyConnect VPN. Which implementation step resolves this issue?

A. Change to 3DES Encryption.

B. Shorten the encryption key lifetime.

C. Install the Cisco AnyConnect 2.3 client for the user to download.

D. Enable DTLS.

Why must a network engineer avoid usage of the default X.509 certificate when implementing clientless SSLVPN on an ASA?

A. The certificate must be managed by the local CA.

B. The certificate is regenerated at each reboot.

C. The default X.509 certificate is not supported for SSLVPN.

D. The certificate is too weak to provide adequate security.

What are two purposes of the key server in Cisco IOS GETVPN? (Choose two.)

A. to download encryption keys

B. to maintain encryption policies

C. to distribute routing information

D. to encrypt data traffic

E. to authenticate group members