Which two actions are required to resolve the problem?

user@R1> show security ike security-associations

user@R1> show security zones
Security zone: trust
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 3
  Interfaces:
    ge-0/0/0.0
    ge-0/0/6.0
    lo0.0

Security zone: untrust
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/1.0

Security zone: junos-host
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:

user@R1> show interfaces st0
Physical interface: st0, Enabled, Physical link is Up
  Interface index: 130, SNMP ifIndex: 503
  Type: Secure-Tunnel, Link-level type: Secure-Tunnel, MTU: 9192
  Device flags : Present Running
  Interface flags: Point-To-Point
  Input rate : 0 bps (0 pps)
  Output rate : 0 bps (0 pps)

  Logical interface st0.0 (Index 72) (SNMP ifIndex 546)
    Flags: Link-Layer-Down Point-To-Point SNMP-Traps Encapsulation: Secure-Tunnel
    Input packets : 3
    Output packets: 3
    Security: Zone: Null
    Protocol inet, MTU: 9192
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
        Destination: 172.19.0.0/30, Local: 172.19.0.1

user@R1> show interfaces ge-0/0/1
Physical interface: ge-0/0/1, Enabled, Physical link is Up
  Interface index: 135, SNMP ifIndex: 508
  Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 1000mbps, BPDU Error: None,
  MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled,
  Auto-negotiation: Enabled, Remote fault: Online
  Device flags : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Link flags : None
  CoS queues : 8 supported, 8 maximum usable queues
  Current address: b0:c6:9a:73:27:81, Hardware address: b0:c6:9a:73:27:81
  Last flapped : 2013-06-12 15:22:48 UTC (00:59:41 ago)
  Input rate : 0 bps (0 pps)
  Output rate : 0 bps (0 pps)
  Active alarms : None
  Active defects : None
  Interface transmit statistics: Disabled

  Logical interface ge-0/0/1.0 (Index 71) (SNMP ifIndex 541)
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
    Input packets : 40
    Output packets: 27
    Security: Zone: untrust
    Allowed host-inbound traffic : ping
    Protocol inet, MTU: 1500
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 184.0.15.0/30, Local: 184.0.15.1, Broadcast: 184.0.15.3

user@R1> show log ipsec-trace | match "500|drop"
Jun 12 16:32:10 16:32:10.680034:CID-0:RT:ageout 71,184.0.15.2/500->184.0.15.1/500,17, (0/0)
Jun 12 16:32:51 16:32:51.874191:CID-0:RT:184.0.15.2/500->184.0.15.1/500;17> :
Jun 12 16:32:51 16:32:51.874191:CID-0:RT: ge-0/0/1.0:184.0.15.2/500->184.0.15.1/500, udp
Jun 12 16:32:51 16:32:51.874191:CID-0:RT: find flow: table 0x4f160b38, hash 8769(0xffff), sa 184.0.15.2, da 184.0.15.1, sp 500, dp 500, proto 17, tok 8
Jun 12 16:32:51 16:32:51.874191:CID-0:RT:pak_for_self : proto 17, dst port 500, action 0x0
Jun 12 16:32:51 16:32:51.874191:CID-0:RT: flow_first_in_dst_nat: in 0/1.0>, out A> dst_adr 184.0.15.1, sp 500, dp 500
Jun 12 16:32:51 16:32:51.874555:CID-0:RT: packet dropped: for self but not interested
Jun 12 16:32:51 16:32:51.874555:CID-0:RT: packet dropped, packet dropped: for self but not interested.
Jun 12 16:32:54 16:32:54.680399:CID-0:RT:ageout 71,184.0.15.2/500->184.0.15.1/500,17, (0/0)
Jun 12 16:32:56 16:32:56.888094:CID-0:RT:184.0.15.2/500->184.0.15.1/500;17> :
Jun 12 16:32:56 16:32:56.888094:CID-0:RT: ge-0/0/1.0:184.0.15.2/500->184.0.15.1/500, udp
Jun 12 16:32:56 16:32:56.888094:CID-0:RT: find flow: table 0x4f160b38, hash 8769(0xffff), sa 184.0.15.2, da 184.0.15.1, sp 500, dp 500, proto 17, tok 8
Jun 12 16:32:56 16:32:56.888094:CID-0:RT:pak_for_self : proto 17, dst port 500, action 0x0
Jun 12 16:32:56 16:32:56.888094:CID-0:RT: flow_first_in_dst_nat: in 0/1.0>, out A> dst_adr 184.0.15.1, sp 500, dp 500
Jun 12 16:32:56 16:32:56.888094:CID-0:RT: packet dropped: for self but not interested
Jun 12 16:32:56 16:32:56.888094:CID-0:RT: packet dropped, packet dropped: for self but not interested.
Jun 12 16:33:00 16:33:00.680794:CID-0:RT:ageout 71,184.0.15.2/500->184.0.15.1/500,17, (0/0)
Jun 12 16:33:07 16:33:06.902220:CID-0:RT:184.0.15.2/500->184.0.15.1/500;17> :
Jun 12 16:33:07 16:33:06.902220:CID-0:RT: ge-0/0/1.0:184.0.15.2/500->184.0.15.1/500, udp
Jun 12 16:33:07 16:33:06.902220:CID-0:RT: find flow: table 0x4f160b38, hash 8769(0xffff), sa 184.0.15.2, da 184.0.15.1, sp 500, dp 500, proto 17, tok 8
Jun 12 16:33:07 16:33:06.902220:CID-0:RT:pak_for_self : proto 17, dst port 500, action 0x0
Jun 12 16:33:07 16:33:06.902220:CID-0:RT: flow_first_in_dst_nat: in 0/1.0>, out A> dst_adr 184.0.15.1, sp 500, dp 500
Jun 12 16:33:07 16:33:06.902220:CID-0:RT: packet dropped: for self but not interested
Jun 12 16:33:07 16:33:06.902220:CID-0:RT: packet dropped, packet dropped: for self but not interested.

You are asked to troubleshoot a new IPsec tunnel that is not establishing between R1 and R2. The remote team has verified that R2's configuration is correct. Which two actions are required to resolve the problem? (Choose two.)

A. Enable IKE for host inbound traffic in the trust zone.

B. Enable IKE for host inbound traffic in the untrust zone.

C. Change the st0.0 interface MTU to 1400.

D. Add the st0.0 interface to a security zone.


