Refer to the exhibit. Which type of VPN is used?

A. GETVPN

B. clientless SSL VPN

C. Cisco Easy VPN

D. Cisco AnyConnect SSL VPN

A Cisco IOS router is reconfigured to connect to an additional DMVPN hub that is a part of a different DMVPN phase 3 cloud. After this change was made, users begin to experience problems accessing corporate resources over both tunnels. Before the additional tunnel was created, users could access resources over the first tunnel without any issues. Both tunnels terminate on the same interface of the router and use the same IPsec proposals. Which two actions resolve the issue without affecting spoke-to-spoke traffic in either DMVPN cloud? (Choose two.)

A. Enable dead peer detection for both tunnels.

B. Use the same shared IPsec profile for both tunnels.

C. Configure the same NHRP network IDs for both tunnels.

D. Specify the tunnel destination in each tunnel.

E. Assign a unique tunnel key to each tunnel.

Which two features provide headend resiliency for Cisco AnyConnect clients? (Choose two.)

A. AnyConnect Auto Reconnect

B. AnyConnect Network Access Manager

C. AnyConnect Backup Servers

D. ASA failover

E. AnyConnect Always On

What are two advantages of using GETVPN to traverse over the network between corporate offices? (Choose two.)

A. It has unique session keys for improved security.

B. It supports multicast.

C. It has QoS support.

D. It is a highly scalable any to any mesh topology.

E. It supports a hub-and-spoke topology.

Refer to the exhibit. The network security engineer identified that the hub router cannot send traffic to the spoke router. Based on the provided output, which action resolves the issue?

A. Permit UDP ports 500 and 4500 between the hub and spoke.

B. Correct the next hop server IP address on the spoke router.

C. Ensure the preshared key on the hub-and-spoke router matches.

D. Adjust the ip nhrp network-id command on the hub router.

Refer to the exhibit. Client 1 cannot communicate with client 2. Both clients are using Cisco AnyConnect and have established a successful SSL VPN connection to the hub ASA. Which command on the ASA is missing?

A. dns-server value 10.1.1.2

B. same-security-traffic permit intra-interface

C. same-security-traffic permit inter-interface

D. dns-server value 10.1.1.3

An administrator is setting up Cisco AnyConnect on a Cisco ASA with the requirement that AnyConnect automatically establishes a VPN when a company-owned laptop is connected to the internet outside of the corporate network. Which configuration meets these requirements?

A. SBL with user certificate authentication

B. TND with machine certificate authentication

C. SBL with machine certificate authentication

D. TND with user certificate authentication

An engineer is configuring clientless SSL VPN. The finance department has a database server that only they should access, but the sales department can currently access it. The finance and the sales departments are configured as separate group-policies. What must be added to the configuration to make sure the users in the sales department cannot access the finance department server?

A. tunnel group lock

B. smart tunnel

C. port forwarding

D. webtype ACL

Which command is used to troubleshoot an IPv6 FlexVPN spoke-to-hub connectivity failure?

A. show crypto ikev2 sa

B. show crypto isakmp sa

C. show crypto gkm

D. show crypto identity

Refer to the exhibit. DMVPN spoke-to-spoke traffic works, but it passes through the hub, and never sends direct spoke-to-spoke traffic. Based on the tunnel interface configuration shown, what must be configured on the hub to solve the issue?

A. Enable NHRP redirect.

B. Enable split horizon.

C. Enable IP redirects.

D. Enable NHRP shortcut.

A DMVPN spoke router tunnel is up and passing traffic, but it cannot establish an EIGRP neighbor relationship with the hub router. Which solution resolves this issue?

A. Enable EIGRP Split Horizon on the hub tunnel interface.

B. Remove the EIGRP stub configuration on the spoke tunnel interface.

C. Enable the EIGRP next hop self feature on the hub tunnel interface.

D. Configure the dynamic NHRP multicast map on the hub tunnel interface.

What must be configured in a FlexVPN deployment to allow for direct communication between spokes connected to different hubs?

A. EIGRP must be used as routing protocol.

B. Hub routers must be on same Layer 2 network.

C. Load balancing must be disabled.

D. A GRE tunnel must exist between hub routers.

Where must an engineer configure a preshared key for a site-to-site VPN tunnel configured on a Cisco ASA?

A. isakmp policy

B. group policy

C. crypto map

D. tunnel group

What are two differences between ECC and RSA? (Choose two.)

A. Key generation in ECC is slower and more CPU intensive than RSA.

B. ECC can have the same security as RSA but with a shorter key size.

C. ECC cannot have the same security as RSA, even with an increased key size.

D. Key generation in ECC is faster and less CPU intensive than RSA.

E. ECC lags in performance when compared with RSA.

Which two NHRP functions are specific to DMVPN Phase 3 implementation? (Choose two.)

A. registration reply

B. redirect

C. resolution reply

D. registration request

E. resolution request

A Cisco AnyConnect client establishes a SSL VPN connection with an ASA at the corporate office. An engineer must ensure that the client computer meets the enterprise security policy. Which feature can update the client to meet an enterprise security policy?

A. Endpoint Assessment

B. Cisco Secure Desktop

C. Basic Host Scan

D. Advanced Endpoint Assessment

Which configuration construct must be used in a FlexVPN tunnel?

A. EAP configuration

B. multipoint GRE tunnel interface

C. IKEv1 policy

D. IKEv2 profile

A network engineer is implementing a FlexVPN tunnel between two Cisco IOS routers. The FlexVPN tunnels will terminate on encrypted traffic on an interface configured with an IP MTU of 1500, and the company has a security policy to drop fragmented traffic coming into or leaving the network. The tunnel will be used to transfer TFTP data between users and internal servers. When the TFTP traffic is not traversing a VPN, it can have a maximum IP packet size of 1500. Assuming the encrypted payload will add 90 bytes, which configuration allows TFTP traffic to traverse the FlexVPN tunnel without being dropped?

A. Set the tunnel IP MTU to 1500.

B. Set the tunnel tcp adjust-mss to 1460.

C. Set the tunnel IP MTU to 1400.

D. Set the tunnel tcp adjust-mss to 1360.

Refer to the exhibit. The DMVPN spoke is not establishing a session with the hub. Which two actions resolve this issue? (Choose two.)

A. Change the spoke nhs to 172.16.18.1 and the nbma to 10.0.0.1.

B. Change the transform set to mode tunnel.

C. Change the ISAKMP policy authentication on the spoke to pre-shared.

D. Change the ISAKMP key address on the spoke to 0.0.0.0.

E. Change the nhrp authentication key on the spoke to cisco123.

What are two purposes of the key server in Cisco IOS GETVPN? (Choose two.)

A. to download encryption keys

B. to maintain encryption policies

C. to distribute routing information

D. to encrypt data traffic

E. to authenticate group members

Which two components are required in a Cisco IOS GETVPN key server configuration? (Choose two.)

A. RSA key

B. IKE policy

C. SSL cipher

D. GRE tunnel

E. L2TP protocol

An administrator must guarantee that remote access users are able to reach printers on their local LAN after a VPN session is established to the headquarters. All other traffic should be sent over the tunnel. Which split-tunnel policy reduces the configuration on the ASA headend?

A. include specified

B. exclude specified

C. tunnel specified

D. dynamic exclude

A user at a company HQ is having trouble accessing a network share at a branch site that is connected with a L2L IPsec VPN. While troubleshooting, a network security engineer runs a packet tracer on the Cisco ASA to simulate the user traffic and discovers that the encryption counter is increasing but the decryption counter is not. What must be configured to correct this issue?

A. Adjust the routing on the remote peer device to direct traffic back over the tunnel.

B. Adjust the preshared key on the remote peer to allow traffic to flow over the tunnel.

C. Adjust the transform set to allow bidirectional traffic.

D. Adjust the peer IP address on the remote peer to direct traffic back to the ASA.

Which feature allows a DMVPN Phase 3 spoke to switch to an alternate hub when the primary hub is unreachable?

A. multicast PIM

B. backup NHS

C. per-tunnel jitter probes

D. NHRP shortcut

An engineer has successfully established a Phase 1 and Phase 2 tunnel between two sites. Site A has internal subnet 192.168.0.0/24 and Site B has internal subnet 10.0.0.0/24. The engineer notices that no packets are decrypted at Site B. Pings to 192.168.0.1 from internal Site B devices make it to the Site B router, and the Site A router has incrementing encrypt and decrypt counters. What must be done to ensure bidirectional communication between both sites?

A. Modify the routing at Site B so that traffic is sent to Site A.

B. Configure the correct DH group on both devices.

C. Allow protocol ESP or AH on the firewall in front of the Site B router.

D. Enable PFS on the headend device.

Which two remote access VPN solutions support SSL? (Choose two.)

A. FlexVPN

B. clientless

C. EZVPN

D. L2TP

E. Cisco AnyConnect

Refer to the exhibit. An IKEv2 site-to-site tunnel between an ASA and a remote peer is not building successfully. What will fix the problem based on the debug output?

A. Ensure crypto IPsec policy matches on both VPN devices.

B. Install the correct certificate to validate the peer.

C. Correct crypto access list on both VPN devices.

D. Specify the peer IP address in the tunnel group name.

Which method dynamically installs the network routes for remote tunnel endpoints?

A. policy-based routing

B. CEF

C. reverse route injection

D. route filtering

A network engineer has almost finished setting up a clientless VPN that allows remote users to access internal HTTP servers. Users must enter their username and password twice: once on the clientless VPN web portal and again to log in to internal HTTP servers. The Cisco ASA and the HTTP servers use the same Active Directory server to authenticate users. Which next step must be taken to allow users to enter their password only once?

A. Use LDAPS and add password management to the clientless tunnel group.

B. Configure auto-sign-on using NTLM authentication.

C. Set up the Cisco ASA to authenticate users via a SAML 2.0 IDP.

D. Create smart tunnels for the HTTP servers.

Users are getting untrusted server warnings when they connect to the URL https://asa.lab from their browsers. This URL resolves to 192.168.10.10, which is the IP address for a Cisco ASA configured for a clientless VPN. The VPN was recently set up and issued a certificate from an internal CA server. Users can connect to the VPN by ignoring the message, however, when users access other webservers that use certificates issued by the same internal CA server, they do not experience this issue. Which action resolves this issue?

A. Import the CA that signed the certificate into the machine trusted root CA store.

B. Reissue the certificate with asa.lab in the subject alternative name field.

C. Import the CA that signed the certificate into the user trusted root CA store.

D. Reissue the certificate with 192.168.10.10 in the subject common name field.

An engineer is implementing a failover solution for a FlexVPN client site where ESP traffic to the primary FlexVPN server is blocked intermittently after tunnel establishment. This issue causes users at the branch site to lose access to the corporate network. The solution must quickly establish a tunnel and send traffic to the secondary FlexVPN server only during a failover event. Which action must the engineer take to implement this solution?

A. Create one tunnel with peer statements to each server and use Dead Peer Detection to track the status or the primary server.

B. Create two tunnels for each FlexVPN server and use the tunnel keepalive command to track the status of each FlexVPN server.

C. Create one tunnel with peer statements to each server and use object tracking to track the status of the primary server.

D. Create two tunnels for each FlexVPN server and use a dynamic routing protocol to track the status or each FlexVPN server.

Refer to the exhibit. The VPN tunnel between the FlexVPN spoke and FlexVPN hub 192.168.0.12 is failing. What should be done to correct this issue?

A. Add the address 192.168.0.12 255.255.255.255 command to the keyring configuration.

B. Add the match fvrf any command to the IKEv2 policy.

C. Add the aaa authorization group psk list Flex_AAA Flex_Auth command to the IKEv2 profile configuration.

D. Add the tunnel mode gre ip command to the tunnel configuration.

An administrator is designing a VPN with a partner's non-Cisco VPN solution. The partner's VPN device will negotiate an IKEv2 tunnel that will only encrypt subnets 192.168.0.0/24 going to 10.0.0.0/24. Which technology must be used to meet these requirements?

A. VTI

B. crypto map

C. GETVPN

D. DMVPN

Refer to the exhibit.
 
A TCP based application that should be accessible over the VPN tunnel is not working. Pings to the appropriate IP address are failing. Based on the output, what is a fix for this issue?

A. Add a route on the remote peer for 209.165.201.0/27.

B. Add a route on the local peer for 10.1.1.0/24.

C. Add a permit for TCP traffic going to 10.1.1.0/24.

D. Add a permit for TCP traffic going to 209.165.201.0/27.

A network engineer has set up a FlexVPN server to terminate multiple FlexVPN clients. The VPN tunnels are established without issue. However, when a Change of Authorization is issued by the RADIUS server, the FlexVPN server does not update the authorization of connected FlexVPN clients. Which action resolves this issue?

A. Add the aaa server radius dynamic-author command on the FlexVPN clients.

B. Fix the RADIUS key mismatch between the RADIUS server and FlexVPN server.

C. Add the aaa server radius dynamic-author command on the FlexVPN server.

D. Fix the RADIUS key mismatch between the RADIUS server and FlexVPN clients.

Refer to the exhibit. An engineer is troubleshooting a new GRE over IPsec tunnel. The tunnel is established, but the engineer cannot ping from spoke 1 to spoke
2. Which type of traffic is being blocked?

A. ESP packets from spoke2 to spoke1

B. ISAKMP packets from spoke2 to spoke1

C. ESP packets from spoke1 to spoke2

D. ISAKMP packets from spoke1 to spoke2

Which two statements about the Cisco ASA Clientless SSL VPN solution are true? (Choose two.)

A. When a client connects to the Cisco ASA WebVPN portal and tries to access HTTP resources through the URL bar, the client uses the local DNS to perform FQDN resolution.

B. The rewriter enable command under the global webvpn configuration enables the rewriter functionality because that feature is disabled by default.

C. A Cisco ASA can simultaneously allow Clientless SSL VPN sessions and AnyConnect client sessions.

D. When a client connects to the Cisco ASA WebVPN portal and tries to access HTTP resources through the URL bar, the ASA uses its configured DNS servers to perform FQDN resolution.

E. Clientless SSLVPN provides Layer 3 connectivity into the secured network.

Which VPN does VPN load balancing on the ASA support?

A. VTI

B. IPsec site-to-site tunnels

C. L2TP over IPsec

D. Cisco AnyConnect

Refer to the exhibit. A network administrator is setting up Cisco AnyConnect on an ASA headend. When users attempt to connect to the VPN, they are presented with this message. The administrator has replaced the ASA's self-signed certificate with a certificate enrolled with the internal CA and has confirmed that the certificate is not revoked. Which two tasks will the administrator need to do to prevent users from seeing this message? (Choose two.)

A. Trust the issuing CA for the ASA identity certificate on the user’s PC.

B. Enroll and import an SSL certificate with the CN value example.cisco.com on the ASA.

C. Add the CN example.cisco.com to the AnyConnect XML certificate matching section.

D. Enable certificate authentication under the connection profile.

E. Add example.cisco.com to the server name list within the AnyConnect Local Policy.

Which technology is used to send multicast traffic over a site-to-site VPN?

A. GRE over IPsec on IOS router

B. GRE over IPsec on FTD

C. IPsec tunnel on FTD

D. GRE tunnel on ASA

Refer to the exhibit. Cisco AnyConnect must be set up on a router to allow users to access internal servers 192.168.0.10 and 192.168.0.11. All other traffic should go out of the client's local NIC. Which command accomplishes this configuration?

A. svc split include 192.168.0.0 255.255.255.0

B. svc split exclude 192.168.0.0 255.255.255.0

C. svc split include acl CCNP

D. svc split exclude acl CCNP

Refer to the exhibit. Which two conclusions should be drawn from the DMVPN phase 2 configuration? (Choose two.)

A. Next-hop-self is required.

B. EIGRP neighbor adjacency will fail.

C. EIGRP is used as the dynamic routing protocol.

D. EIGRP route redistribution is not allowed.

E. Spoke-to-spoke communication is allowed.

When troubleshooting FlexVPN spoke-to-spoke tunnels, what should be verified first?

A. NHRP redirect is enabled on the hub.

B. The spokes have sent a resolution request.

C. NHRP cache entries exist on the spoke.

D. NHO routes exist on the spokes.

Which parameter is initially used to elect the primary key server from a group of key servers?

A. code version

B. highest IP address

C. highest-priority value

D. lowest IP address

Refer to the exhibit. A network engineer is reconfiguring clientless SSLVPN during a maintenance window, and after testing the new configuration, is unable to establish the connection. What must be done to remediate this problem?

A. Enable client services on the outside interface.

B. Enable clientless protocol under the group policy.

C. Enable DTLS under the group policy.

D. Enable auto sign-on for the user’s IP address.

Which feature allows the ASA to handle nonstandard applications and web resources so that they display correctly over a clientless SSL VPN connection?

A. single sign-on

B. Smart Tunnel

C. WebType ACL

D. plug-ins

A network administrator deployed IKEv2 Cisco AnyConnect on a Cisco ASA. The current configuration tunnels all traffic through the VPN. Users report poor performance with cloud-based applications, but no issues have been reported about connections to on-premises servers. Packet analysis on Cisco Webex traffic shows very few duplicate ACKs, high RTT, and no IP fragments. Which action improves Webex performance for VPN users?

A. Configure QoS on the outside interface of the ASA.

B. Configure Cisco AnyConnect to use DTLS.

C. Configure a dynamic split tunnel exclusion.

D. Reduce the Cisco AnyConnect tunnel MTU.

What is a characteristic of GETVPN?

A. An ACL that defines interesting traffic must be configured and applied to the crypto map.

B. Quick mode is used to create an IPsec SA.

C. The remote peer for the IPsec session is configured as part of the crypto map.

D. All peers have one IPsec SPI for inbound and outbound communication.

Which two commands help determine why the NHRP registration process is not being completed even after the IPsec tunnel is up? (Choose two.)

A. show crypto isakmp sa

B. show ip traffic

C. show crypto ipsec sa

D. show ip nhrp traffic

E. show dmvpn detail

Refer to the exhibit. Which type of VPN implementation is displayed?

A. IKEv1 cluster

B. IKEv2 backup gateway

C. IKEv2 load balancer

D. IKEv2 reconnect