Free Cisco 300-730 SVPN Actual Exam Questions - Question 13 Discussion
A customer cannot establish an IKEv2 site-to-site VPN tunnel between two Cisco ASA devices. Based
on the syslog message, which action brings up the VPN tunnel?
Maybe A, lowering max SA could free up resources causing the block.
D imo, if the crypto access lists aren’t matching on both ASAs, the tunnel won’t come up regardless of SA limits. Fixing those lists might be the actual blocker here.
This feels like B. Since the message highlights hitting the in-negotiation SA limit on the local ASA, bumping up that specific limit should clear the way for new tunnels. Just lowering max active SAs like in A wouldn’t tackle the negotiation bottleneck directly.
A/B? The syslog points to max active SAs being hit, so reducing that limit (A) could free up room. But since it’s about “in-negotiation” SAs, increasing that limit (B) might directly help.
A vs B, syslog shows max active SAs reached, so lowering max active (A) frees space.
Maybe A makes sense here. If the local ASA is hitting the max in-negotiation SA limit, lowering the maximum active SA limit on the local ASA could free up resources and allow new negotiations to proceed. Increasing limits (B or C) might not help if there’s a hard cap on total SAs allowed, so adjusting the existing max SA limit down could indirectly fix the problem by making room for new negotiations. It’s a bit counterintuitive, but sometimes reducing max limits helps prevent hitting negotiation caps in practice.
B imo, increasing local ASA’s in-negotiation SA limit fits the syslog message best.
B/C? If the log shows hitting an in-negotiation SA limit on the local ASA, increasing it (B) seems right, but if the remote ASA’s max SA is too low, that could also block the tunnel (C).
The syslog points to hitting a limit on simultaneous SAs, so it’s about capacity rather than config errors. Since it mentions local ASA, I’d say B makes sense — increasing the in-negotiation SA limit allows more tunnels to come up at once. Options A and C talk about max SA limits but don’t fit as well with “in-negotiation” context here. D seems unrelated because it’s not about the access list but rather SA capacity.
B tbh, but does the syslog specify which ASA the message is from? Knowing if it’s the local or remote device would help confirm if adjusting the in-negotiation SA limit is the right move.