NEW QUESTION 1
A Cisco AnyConnect client establishes a SSL VPN connection with an ASA at the corporate office. An engineer must ensure that the client computer meets the enterprise security policy. Which feature can update the client to meet an enterprise security policy?

• A. Endpoint Assessment
• B. Cisco Secure Desktop
• C. Basic Host Scan
• D. Advanced Endpoint Assessment

Answer: D

NEW QUESTION 2
Refer to the exhibit.

Which type of mismatch is causing the problem with the IPsec VPN tunnel?

• A. crypto access list
• B. Phase 1 policy
• C. transform set
• D. preshared key

Answer: D

Explanation:
Reference: https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html#ike

NEW QUESTION 3
Refer to the exhibit.

The DMVPN tunnel is dropping randomly and no tunnel protection is configured. Which spoke configuration mitigates tunnel drops?
A.

• A.
• B. D.

Answer: D

NEW QUESTION 4
Refer to the exhibit.

A site-to-site tunnel between two sites is not coming up. Based on the debugs, what is the cause of this issue?

• A. An authentication failure occurs on the remote peer.
• B. A certificate fragmentation issue occurs between both sides.
• C. UDP 4500 traffic from the peer does not reach the router.
• D. An authentication failure occurs on the router.

Answer: C

NEW QUESTION 5
Which redundancy protocol must be implemented for IPsec stateless failover to work?

• A. SSO
• B. GLBP
• C. HSRP
• D. VRRP

Answer: C

Explanation:
Reference: https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/17826-ipsec-feat.html

NEW QUESTION 6
Cisco AnyConnect Secure Mobility Client has been configured to use IKEv2 for one group of users and SSL for another group. When the administrator configures a new AnyConnect release on the Cisco ASA, the IKEv2 users cannot download it automatically when they connect. What might be the problem?

• A. The XML profile is not configured correctly for the affected users.
• B. The new client image does not use the same major release as the current one.
• C. Client services are not enabled.
• D. Client software updates are not supported with IKEv2.

Answer: C

NEW QUESTION 7
Cisco AnyConnect clients need to transfer large files over the VPN sessions. Which protocol provides the best throughput?

• A. SSL/TLS
• B. L2TP
• C. DTLS
• D. IPsec IKEv1

Answer: C

NEW QUESTION 8
On a FlexVPN hub-and-spoke topology where spoke-to-spoke tunnels are not allowed, which command is needed for the hub to be able to terminate FlexVPN tunnels?

• A. interface virtual-access
• B. ip nhrp redirect
• C. interface tunnel
• D. interface virtual-template

Answer: D

NEW QUESTION 9
Which command identifies a Cisco AnyConnect profile that was uploaded to the flash of an IOS router?

• A. svc import profile SSL_profile flash:simos-profile.xml
• B. anyconnect profile SSL_profile flash:simos-profile.xml
• C. crypto vpn anyconnect profile SSL_profile flash:simos-profile.xml
• D. webvpn import profile SSL_profile flash:simos-profile.xml

Answer: C

Explanation:
Reference: https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200533-AnyConnect-Configure-Basic-SSLVPN-for-I.html

NEW QUESTION 10
Which VPN solution uses TBAR?

• A. GETVPN
• B. VTI
• C. DMVPN
• D. Cisco AnyConnect

Answer: A

Explanation:
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_getvpn/configuration/xe-3s/sec-get-vpn-xe-3s-book/sec-get-vpn.html

NEW QUESTION 11
Which two changes must be made in order to migrate from DMVPN Phase 2 to Phase 3 when EIGRP is configured? (Choose two.)

• A. Add NHRP shortcuts on the hub.
• B. Add NHRP redirects on the spoke.
• C. Disable EIGRP next-hop-self on the hub.
• D. Enable EIGRP next-hop-self on the hub.
• E. Add NHRP redirects on the hub.

Answer: CE

NEW QUESTION 12
Which technology is used to send multicast traffic over a site-to-site VPN?

• A. GRE over IPsec on IOS router
• B. GRE over IPsec on FTD
• C. IPsec tunnel on FTD
• D. GRE tunnel on ASA

Answer: B

NEW QUESTION 13
Refer to the exhibit.

Client 1 cannot communicate with client 2. Both clients are using Cisco AnyConnect and have established a successful SSL VPN connection to the hub ASA. Which command on the ASA is missing?

• A. dns-server value 10.1.1.2
• B. same-security-traffic permit intra-interface
• C. same-security-traffic permit inter-interface
• D. dns-server value 10.1.1.3

Answer: B

NEW QUESTION 14
Which two commands help determine why the NHRP registration process is not being completed even after the IPsec tunnel is up? (Choose two.)

• A. show crypto isakmp sa
• B. show ip traffic
• C. show crypto ipsec sa
• D. show ip nhrp traffic
• E. show dmvpn detail

Answer: AD

NEW QUESTION 15
Which two statements about the Cisco ASA Clientless SSL VPN solution are true? (Choose two.)

• A. When a client connects to the Cisco ASA WebVPN portal and tries to access HTTP resources through the URL bar, the client uses the local DNS to perform FQDN resolution.
• B. The rewriter enable command under the global webvpn configuration enables the rewriter functionality because that feature is disabled by default.
• C. A Cisco ASA can simultaneously allow Clientless SSL VPN sessions and AnyConnect client sessions.
• D. When a client connects to the Cisco ASA WebVPN portal and tries to access HTTP resources through the URL bar, the ASA uses its configured DNS servers to perform FQDN resolution.
• E. Clientless SSLVPN provides Layer 3 connectivity into the secured network.

Answer: CD

NEW QUESTION 16
Refer to the exhibit.

Which VPN technology is used in the exhibit?

• A. DVTI
• B. VTI
• C. DMVPN
• D. GRE

Answer: B

Explanation:
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/zZ-Archive/IPsec_Virtual_Tunnel_Interface.html#GUID-EB8C433B-2394-42B9-997F-B40803E58A91

NEW QUESTION 17
Refer to the exhibit.

What is a result of this configuration?

• A. Spoke 1 fails the authentication because the authentication methods are incorrect.
• B. Spoke 2 passes the authentication to the hub and successfully proceeds to phase 2.
• C. Spoke 2 fails the authentication because the remote authentication method is incorrect.
• D. Spoke 1 passes the authentication to the hub and successfully proceeds to phase 2.

Answer: A

NEW QUESTION 18
Refer to the exhibit.

The IKEv2 site-to-site VPN tunnel between two routers is down. Based on the debug output, which type of mismatch is the problem?

• A. preshared key
• B. peer identity
• C. transform set
• D. ikev2 proposal

Answer: B

NEW QUESTION 19
What uses an Elliptic Curve key exchange algorithm?

• A. ECDSA
• B. ECDHE
• C. AES-GCM
• D. SHA

Answer: B

Explanation:
Reference: https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/

NEW QUESTION 20
What is a requirement for smart tunnels to function properly?

• A. Java or ActiveX must be enabled on the client machine.
• B. Applications must be UDP.
• C. Stateful failover must not be configured.
• D. The user on the client machine must have admin access.

Answer: A

Explanation:
Reference: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111007-smart-tunnel-asa-00.html

NEW QUESTION 21
......