A network administrator deployed IKEv2 Cisco AnyConnect on a Cisco ASA. The current configuration tunnels all traffic through the VPN. Users report poor performance with cloud-based applications, but no issues have been reported about connections to on-premises servers. Packet analysis on Cisco Webex traffic shows very few duplicate ACKs, high RTT, and no IP fragments. Which action improves Webex performance for VPN users?

A. Configure QoS on the outside interface of the ASA.

B. Configure Cisco AnyConnect to use DTLS.

C. Configure a dynamic split tunnel exclusion.

D. Reduce the Cisco AnyConnect tunnel MTU.

Refer to the exhibit. An engineer has configured two new VPN tunnels to 172.18.1.1 and 172.19.1.1. However, communication between 10.1.0.10 and 10.1.11.10 does not function. Which action should be taken to resolve this issue?

A. Remove and reapply the crypto map to the interface.

B. Insert routes for the 10.1.9.0/24 and 10.1.10.0/24 subnets.

C. Modify the transform set to use transport mode.

D. Adjust the network objects to match the appropriate subnets.

Refer to the exhibit. A network engineer is configuring a remote access SSLVPN and is unable to complete the connection using local credentials. What must be done to remediate this problem?

A. Enable the client protocol in the Cisco AnyConnect profile.

B. Configure a AAA server group to authenticate the client.

C. Change the authentication method to local.

D. Configure the group policy to force local authentication.

Where must an engineer configure a preshared key for a site-to-site VPN tunnel configured on a Cisco ASA?

A. isakmp policy

B. group policy

C. crypto map

D. tunnel group

In a FlexVPN deployment, the spokes successfully connect to the hub, but spoke-to-spoke tunnels do not form. Which troubleshooting step solves the issue?

A. Verify the spoke configuration to check if the NHRP redirect is enabled.

B. Verify that the spoke receives redirect messages and sends resolution requests.

C. Verify the hub configuration to check if the NHRP shortcut is enabled.

D. Verify that the tunnel interface is contained within a VRF.

Which command automatically initiates a smart tunnel when a user logs in to the WebVPN portal page?

A. auto-upgrade

B. auto-connect

C. auto-start

D. auto-run

A router is being configured for IKEv2 AnyConnect using AnyConnect-EAP. How would the administrator separate profiles for administrators and employees so that authorization differs when they connect?

A. Define group aliases on the headend and have the user pick the appropriate alias when they connect

B. Define group-urls on the headend and create two XML profiles to match the administrator and user group urls

C. Create a certificate map and match on the appropriate certificate fields

D. Define key-ids on the headend and create two XML profiles to match the administrator and user key-ids.

A network engineer is setting up Cisco AnyConnect 4.9 on a Cisco ASA running ASA software 9.1. Cisco AnyConnect must connect to the Cisco ASA before the user logs on so that login scripts can work successfully. In addition, the VPN must connect without user intervention. Which two key steps accomplish this task? (Choose two.)

A. Create a Network Access Manager profile with a client policy set to connect before user logon.

B. Create a Cisco AnyConnect VPN profile with Start Before Logon set to true.

C. Issue an identity certificate to the trusted root CA folder in the machine store.

D. Create a Cisco AnyConnect VPN profile with Always On set to true.

E. Create a Cisco Anyconnect VPN Management Tunnel profile.

Which parameter must match on all routers in a DMVPN Phase 3 cloud?

A. GRE tunnel key

B. NHRP network ID

C. tunnel VRF

D. EIGRP split-horizon setting

Refer to the exhibit. A network engineer is reconfiguring clientless SSLVPN during a maintenance window, and after testing the new configuration, is unable to establish the connection. What must be done to remediate this problem?

A. Enable client services on the outside interface.

B. Enable clientless protocol under the group policy.

C. Enable DTLS under the group policy.

D. Enable auto sign-on for the user’s IP address.

When troubleshooting FlexVPN spoke-to-spoke tunnels, what should be verified first?

A. NHRP redirect is enabled on the hub.

B. The spokes have sent a resolution request.

C. NHRP cache entries exist on the spoke.

D. NHO routes exist on the spokes.

Which VPN solution uses TBAR?

A. GETVPN

B. VTI

C. DMVPN

D. Cisco AnyConnect

Which feature allows the ASA to handle nonstandard applications and web resources so that they display correctly over a clientless SSL VPN connection?

A. single sign-on

B. Smart Tunnel

C. WebType ACL

D. plug-ins

Refer to the exhibit. Based on this ASDM output, which remote access technologies are allowed on the ASA?

A. SSLAnyConnect VPN

B. IKEv2 and SSL AnyConnect VPN

C. SSL clientless VPN

D. IKEv2 AnyConnect VPN

Which statement about GETVPN is true?

A. The configuration that defines which traffic to encrypt originates from the key server.

B. TEK rekeys can be load-balanced between two key servers operating in COOP.

C. The pseudotime that is used for replay checking is synchronized via NTP.

D. Group members must acknowledge all KEK and TEK rekeys, regardless of configuration.

A user at a company HQ is having trouble accessing a network share at a branch site that is connected with a L2L IPsec VPN. While troubleshooting, a network security engineer runs a packet tracer on the Cisco ASA to simulate the user traffic and discovers that the encryption counter is increasing but the decryption counter is not. What must be configured to correct this issue?

A. Adjust the routing on the remote peer device to direct traffic back over the tunnel.

B. Adjust the preshared key on the remote peer to allow traffic to flow over the tunnel.

C. Adjust the transform set to allow bidirectional traffic.

D. Adjust the peer IP address on the remote peer to direct traffic back to the ASA.

Refer to the exhibit. Which type of VPN implementation is displayed?

A. IKEv1 cluster

B. IKEv2 backup gateway

C. IKEv2 load balancer

D. IKEv2 reconnect

Refer to the exhibit. Which two commands under the tunnel-group webvpn-attributes result in a Cisco AnyConnect user receiving the AnyConnect prompt in the exhibit? (Choose two.)

A. group-url https://172.16.31.10/General enable

B. group-policy General internal

C. authentication aaa

D. authentication certificate

E. group-alias General enable

Refer to the exhibit.
 
Given the output of the show ip route command, which remote access VPN technology is in use?

A. Reverse Route Injection

B. FlexVPN

C. Dynamic Crypto Map

D. DMVPN

DRAG DROP
-
Drag and drop the GET VPN components from the left onto the correct descriptions on the right.
 

A Cisco IOS router is reconfigured to connect to an additional DMVPN hub that is a part of a different DMVPN phase 3 cloud. After this change was made, users begin to experience problems accessing corporate resources over both tunnels. Before the additional tunnel was created, users could access resources over the first tunnel without any issues. Both tunnels terminate on the same interface of the router and use the same IPsec proposals. Which two actions resolve the issue without affecting spoke-to-spoke traffic in either DMVPN cloud? (Choose two.)

A. Enable dead peer detection for both tunnels.

B. Use the same shared IPsec profile for both tunnels.

C. Configure the same NHRP network IDs for both tunnels.

D. Specify the tunnel destination in each tunnel.

E. Assign a unique tunnel key to each tunnel.

Which feature of GETVPN is a limitation of DMVPN and FlexVPN?

A. sequence numbers that enable scalable replay checking

B. enabled use of ESP or AH

C. design for use over public or private WAN

D. no requirement for an overlay routing protocol

When a FlexVPN is configured, which two components must be configured for IKEv2? (Choose two.)

A. method

B. profile

C. proposal

D. preference

E. persistence

Refer to the exhibit. Which VPN technology is allowed for users connecting to the Employee tunnel group?

A. SSL AnyConnect

B. IKEv2 AnyConnect

C. crypto map

D. clientless

Refer to the exhibit.
 
A Cisco ASA is configured as a client to a router running as a FlexVPN server. The router is configured with a virtual template to terminate FlexVPN clients. Traffic between networks 192.168.0.0/24 and 172.16.20.0/24 does not work as expected. Based on the show crypto ikev2 sa output collected from the Cisco ASA in the exhibit, what is the solution to this issue?

A. Modify the crypto ACL on the router to permit network 192.168.0.0/24 to network 172.16.20.0/24.

B. Modify the crypto ACL on the ASA to permit network 192.168.0.0/24 to network 172.16.20.0/24.

C. Modify the crypto ACL on the ASA to permit network 172.16.20.0/24 to network 192.168.0.0/24.

D. Modify the crypto ACL on the router to permit network 172.16.20.0/24 to network 192.168.0.0/24.

Which redundancy protocol must be implemented for IPsec stateless failover to work?

A. SSO

B. GLBP

C. HSRP

D. VRRP

Refer to the exhibit. Which VPN technology is used in the exhibit?

A. DVTI

B. VTI

C. DMVPN

D. GRE

Which Diffie Hellman group should be used when ECDH is required in a VPN configuration?

A. 24

B. 19

C. 16

D. 15

Refer to the exhibit. Based on the exhibit, why are users unable to access CCNP Webserver bookmark?

A. The URL is being blocked by a WebACL.

B. The ASA cannot resolve the URL.

C. The bookmark has been disabled.

D. The user cannot access the URL.

Users cannot log in to a Cisco ASA using clientless SSLVPN. Troubleshooting reveals the error message "WebVPN session terminated: Client type not supported". Which step does the administrator take to resolve this issue?

A. Enable the Cisco AnyConnect premium license on the Cisco ASA.

B. Have the user upgrade to a supported browser.

C. Increase the simultaneous logins on the group policy.

D. Enable the clientless VPN protocol on the group policy.

An engineer is troubleshooting a new DMVPN setup on a Cisco IOS router. After the show crypto isakmp sa command is issued, a response is returned of
"MM_NO_STATE." Why does this failure occur?

A. The ISAKMP policy priority values are invalid.

B. ESP traffic is being dropped.

C. The Phase 1 policy does not match on both devices.

D. Tunnel protection is not applied to the DMVPN tunnel.

Which parameter is initially used to elect the primary key server from a group of key servers?

A. code version

B. highest IP address

C. highest-priority value

D. lowest IP address

Which VPN technology must be used to ensure that routers are able to dynamically form connections with each other rather than sending traffic through a hub and be able to advertise routes without the use of a dynamic routing protocol?

A. FlexVPN

B. DMVPN Phase 3

C. DMVPN Phase 2

D. GETVPN

Which IKE identity does an IOS/IOS-XE headend expect to receive if an IPsec Cisco AnyConnect client uses default settings?

A. *$SecureMobilityClient$*

B. *$AnyConnectClient$*

C. *$RemoteAccessVpnClient$*

D. *$DfltlkeldentityS*

An organization wants to distribute remote access VPN load across 12 VPN headend locations supporting 25,000 simultaneous users. Which load balancing method meets this requirement?

A. one VPN profile per site

B. DNS-based load balancing

C. AnyConnect native load balancing

D. equal cost, multipath load balancing

Refer to the exhibit. DMVPN spoke-to-spoke traffic works, but it passes through the hub, and never sends direct spoke-to-spoke traffic. Based on the tunnel interface configuration shown, what must be configured on the hub to solve the issue?

A. Enable NHRP redirect.

B. Enable split horizon.

C. Enable IP redirects.

D. Enable NHRP shortcut.

Which Cisco AnyConnect component ensures that devices in a specific internal subnet are only accessible using port 443?

A. routing

B. WebACL

C. split tunnel

D. VPN filter

An administrator is designing a VPN with a partner's non-Cisco VPN solution. The partner's VPN device will negotiate an IKEv2 tunnel that will only encrypt subnets 192.168.0.0/24 going to 10.0.0.0/24. Which technology must be used to meet these requirements?

A. VTI

B. crypto map

C. GETVPN

D. DMVPN

A company is setting up a dynamic crypto map on the Cisco ASA at the headquarters to accept connections from the branch offices. There will be no IP subnet overlap between the branch offices, but the engineer does not know which encryption domains will be requested by the branch offices. Additionally, the company security policy states that routing protocol traffic should not leave the HQ network. Which solution should be used to route traffic back to the branches from the Cisco ASA with minimal administrative effort?

A. Configure Reverse Route Injection on the dynamic crypto map.

B. Configure a default route with the tunneled keyword on all branch routers.

C. Configure static routes for remote subnets.

D. Configure snapshot routing with EIGRP to send out of band routing updates.

Which two protocols does DMVPN leverage to build dynamic VPNs to multiple destinations? (Choose two.)

A. IKEv2

B. NHRP

C. mGRE

D. mBGP

E. GDOI

Refer to the exhibit. Which type of Cisco VPN is shown for group Cisc012345678?

A. Cisco AnyConnect Client VPN

B. DMVPN

C. Clientless SSLVPN

D. GETVPN

Which configuration allows a Cisco ASA to receive an IPsec connection from a peer with an unknown IP address?

A. dynamic crypto map

B. dynamic tunnel group

C. dynamic AAA attributes

D. dynamic access policy

After a user configures a connection profile with a bookmark list and tests the clientless SSLVPN connection, all of the bookmarks are grayed out. What must be done to correct this behavior?

A. Apply the bookmark to the correct group policy.

B. Specify the correct port for the web server under the bookmark.

C. Configure a DNS server on the Cisco ASA and verify it has a record for the web server.

D. Verify HTTP/HTTPS connectivity between the Cisco ASA and the web server.

A company needs to ensure only corporate issued laptops and devices are allowed to connect with the Cisco AnyConnect client. The solution should be applicable to multiple operating systems, including Windows, MacOS, and Linux, and should allow for remote remediation if a corporate issued device is stolen. Which solution should be used to accomplish these goals?

A. Use a DAP registry check on the system to determine the relationship with the corporate domain.

B. Use a DAP file check on the system to determine the relationship with the corporate domain.

C. Install and authenticate user certificates on the corporate devices.

D. Install and authenticate machine certificates on the corporate devices

Refer to the exhibit. An IKEv2 site-to-site tunnel between an ASA and a remote peer is not building successfully. What will fix the problem based on the debug output?

A. Ensure crypto IPsec policy matches on both VPN devices.

B. Install the correct certificate to validate the peer.

C. Correct crypto access list on both VPN devices.

D. Specify the peer IP address in the tunnel group name.

Which two parameters help to map a VPN session to a tunnel group without using the tunnel-group list? (Choose two.)

A. group-alias

B. certificate map

C. optimal gateway selection

D. group-url

E. AnyConnect client version

A network engineer must design a remote access solution to allow contractors to access internal servers. These contractors do not have permissions to install applications on their computers. Which VPN solution should be used in this design?

A. IKEv2 AnyConnect

B. Clientless

C. Port forwarding

D. SSL AnyConnect

Refer to the exhibit. Which two tunnel types produce the show crypto ipsec sa output seen in the exhibit? (Choose two.)

A. crypto map

B. DMVPN

C. GRE

D. FlexVPN

E. VTI

Refer to the exhibit. Which type of VPN is used in the configuration?

A. GETVPN

B. FlexVPN

C. DMVPN

D. IPSec

Refer to the exhibit. An engineer is troubleshooting a new GRE over IPsec tunnel. The tunnel is established, but the engineer cannot ping from spoke 1 to spoke
2. Which type of traffic is being blocked?

A. ESP packets from spoke2 to spoke1

B. ISAKMP packets from spoke2 to spoke1

C. ESP packets from spoke1 to spoke2

D. ISAKMP packets from spoke1 to spoke2