NEW QUESTION 1
Which feature of GETVPN is a limitation of DMVPN and FlexVPN?

• A. sequence numbers that enable scalable replay checking
• B. enabled use of ESP or AH
• C. design for use over public or private WAN
• D. no requirement for an overlay routing protocol

Answer: D

NEW QUESTION 2
Refer to the exhibit.

Which VPN technology is used in the exhibit?

• A. DVTI
• B. VTI
• C. DMVPN
• D. GRE

Answer: B

Explanation:
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/zZ-Archive/IPsec_Virtual_Tunnel_Interface.html#GUID-EB8C433B-2394-42B9-997F-B40803E58A91

NEW QUESTION 3
Refer to the exhibit.

What is a result of this configuration?

• A. Spoke 1 fails the authentication because the authentication methods are incorrect.
• B. Spoke 2 passes the authentication to the hub and successfully proceeds to phase 2.
• C. Spoke 2 fails the authentication because the remote authentication method is incorrect.
• D. Spoke 1 passes the authentication to the hub and successfully proceeds to phase 2.

Answer: A

NEW QUESTION 4
A Cisco AnyConnect client establishes a SSL VPN connection with an ASA at the corporate office. An engineer must ensure that the client computer meets the enterprise security policy. Which feature can update the client to meet an enterprise security policy?

• A. Endpoint Assessment
• B. Cisco Secure Desktop
• C. Basic Host Scan
• D. Advanced Endpoint Assessment

Answer: D

NEW QUESTION 5
Refer to the exhibit.
An SSL client is connecting to an ASA headend. The session fails with the message “Connection attempt has timed out. Please verify Internet connectivity.” Based on how the packet is processed, which phase is causing the failure?

• A. phase 9: rpf-check
• B. phase 5: NAT
• C. phase 4: ACCESS-LIST
• D. phase 3: UN-NAT

Answer: D

NEW QUESTION 6
Refer to the exhibit.

Which VPN technology is allowed for users connecting to the Employee tunnel group?

• A. SSL AnyConnect
• B. IKEv2 AnyConnect
• C. crypto map
• D. clientless

Answer: B

NEW QUESTION 7
Which two remote access VPN solutions support SSL? (Choose two.)

• A. FlexVPN
• B. clientless
• C. EZVPN
• D. L2TP
• E. Cisco AnyConnect

Answer: BE

NEW QUESTION 8
Refer to the exhibit.

Client 1 cannot communicate with client 2. Both clients are using Cisco AnyConnect and have established a successful SSL VPN connection to the hub ASA. Which command on the ASA is missing?

• A. dns-server value 10.1.1.2
• B. same-security-traffic permit intra-interface
• C. same-security-traffic permit inter-interface
• D. dns-server value 10.1.1.3

Answer: B

NEW QUESTION 9
Refer to the exhibit.

Cisco AnyConnect must be set up on a router to allow users to access internal servers 192.168.0.10 and 192.168.0.11. All other traffic should go out of the client's local NIC. Which command accomplishes this configuration?

• A. svc split include 192.168.0.0 255.255.255.0
• B. svc split exclude 192.168.0.0 255.255.255.0
• C. svc split include acl CCNP
• D. svc split exclude acl CCNP

Answer: C

NEW QUESTION 10
Cisco AnyConnect Secure Mobility Client has been configured to use IKEv2 for one group of users and SSL for another group. When the administrator configures a new AnyConnect release on the Cisco ASA, the IKEv2 users cannot download it automatically when they connect. What might be the problem?

• A. The XML profile is not configured correctly for the affected users.
• B. The new client image does not use the same major release as the current one.
• C. Client services are not enabled.
• D. Client software updates are not supported with IKEv2.

Answer: C

NEW QUESTION 11
Refer to the exhibit.

Which type of mismatch is causing the problem with the IPsec VPN tunnel?

• A. crypto access list
• B. Phase 1 policy
• C. transform set
• D. preshared key

Answer: D

Explanation:
Reference: https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html#ike

NEW QUESTION 12
Which two parameters help to map a VPN session to a tunnel group without using the tunnel-group list? (Choose two.)

• A. group-alias
• B. certificate map
• C. optimal gateway selection
• D. group-url
• E. AnyConnect client version

Answer: BD

NEW QUESTION 13
Which VPN does VPN load balancing on the ASA support?

• A. VTI
• B. IPsec site-to-site tunnels
• C. L2TP over IPsec
• D. Cisco AnyConnect

Answer: D

NEW QUESTION 14
Which redundancy protocol must be implemented for IPsec stateless failover to work?

• A. SSO
• B. GLBP
• C. HSRP
• D. VRRP

Answer: C

Explanation:
Reference: https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/17826-ipsec-feat.html

NEW QUESTION 15
Refer to the exhibit.

A customer cannot establish an IKEv2 site-to-site VPN tunnel between two Cisco ASA devices. Based on the syslog message, which action brings up the VPN tunnel?

• A. Reduce the maximum SA limit on the local Cisco ASA.
• B. Increase the maximum in-negotiation SA limit on the local Cisco ASA.
• C. Remove the maximum SA limit on the remote Cisco ASA.
• D. Correct the crypto access list on both Cisco ASA devices.

Answer: B

NEW QUESTION 16
Refer to the exhibit.

Which two commands under the tunnel-group webvpn-attributes result in a Cisco AnyConnect user receiving the AnyConnect prompt in the exhibit? (Choose two.)

• A. group-url https://172.16.31.10/General enable
• B. group-policy General internal
• C. authentication aaa
• D. authentication certificate
• E. group-alias General enable

Answer: BE

NEW QUESTION 17
Which command is used to troubleshoot an IPv6 FlexVPN spoke-to-hub connectivity failure?

• A. show crypto ikev2 sa
• B. show crypto isakmp sa
• C. show crypto gkm
• D. show crypto identity

Answer: A

Explanation:
Reference: https://www.cisco.com/c/en/us/support/docs/security/flexvpn/116413-configure-flexvpn-00.pdf

NEW QUESTION 18
Which two features provide headend resiliency for Cisco AnyConnect clients? (Choose two.)

• A. AnyConnect Auto Reconnect
• B. AnyConnect Network Access Manager
• C. AnyConnect Backup Servers
• D. ASA failover
• E. AnyConnect Always On

Answer: CD

NEW QUESTION 19
Which method dynamically installs the network routes for remote tunnel endpoints?

• A. policy-based routing
• B. CEF
• C. reverse route injection
• D. route filtering

Answer: C

Explanation:
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnav/configuration/12-4t/sec-vpn-availability-12-4t-book/sec-rev-rte-inject.html

NEW QUESTION 20
DRAG DROP
Drag and drop the correct commands from the night onto the blanks within the code on the left to implement a design that allow for dynamic spoke-to-spoke communication. Not all comments are used.
Select and Place:

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/xe-16/sec-conn-dmvpn-xe-16-book/sec-conn-dmvpn-summ-maps.html

NEW QUESTION 21
Which technology is used to send multicast traffic over a site-to-site VPN?

• A. GRE over IPsec on IOS router
• B. GRE over IPsec on FTD
• C. IPsec tunnel on FTD
• D. GRE tunnel on ASA

Answer: B

NEW QUESTION 22
Which parameter is initially used to elect the primary key server from a group of key servers?

• A. code version
• B. highest IP address
• C. highest-priority value
• D. lowest IP address

Answer: C

Explanation:
Reference: https://www.cisco.com/c/en/us/products/collateral/security/group-encrypted-transport-vpn/deployment_guide_c07_554713.html

NEW QUESTION 23
Refer to the exhibit.

Which two tunnel types produce the show crypto ipsec sa output seen in the exhibit? (Choose two.)

• A. crypto map
• B. DMVPN
• C. GRE
• D. FlexVPN
• E. VTI

Answer: BE

NEW QUESTION 24
Which IKE identity does an IOS/IOS-XE headend expect to receive if an IPsec Cisco AnyConnect client uses default settings?

• A. *$SecureMobilityClient$*
• B. *$AnyConnectClient$*
• C. *$RemoteAccessVpnClient$*
• D. *$DfltlkeldentityS*

Answer: B

Explanation:
Reference: https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html

NEW QUESTION 25
......