You are troubleshooting reported connectivity issues from remote users who are accessing
corporate headquarters via an IPsec VPN connection. What should be your first step in
troubleshooting these issues?
A.
issue a show crypto isakmp policy command to verify matching policies of the tunnel endpoints
B.
ping the tunnel endpoint
C.
run a traceroute to verify the tunnel path
D.
debug the connection process and look for any error messages in tunnel establishment
Explanation:
Page 398 – Very Important – several Questions from this
Troubleshooting Flow
Follow these steps to proceed through the recommended flow for troubleshooting IKE peering:
Step 1. Verify peer reachability using the ping and traceroute commands with the tunnel source
and destination IP addresses on both peers. If connectivity is verified, proceed to Step 2;
otherwise, check the path between the two peers for routing or access (firewall or access list)
issues.
Step 2. Verify the IKE policy on both peers using the show crypto isakmp policy command. Debug
messages revealed by the debug crypto isakmp command will also point out IKE policy
mismatches.
Step 3. Verify IKE peer authentication. The debug crypto isakmp command will display
unsuccessful authentication. Step 4. Upon successful completion of Steps 13, the IKE SA should
be establishing. This can be verified with the show crypto isakmp sa command and looking for a
state of QM_IDLE.