Q55 — AWS ANS-C01 Ch.1
Question 55 of 100, Chapter 1
A network engineer needs to build an encrypted connection between an on-premises data center and a VPC. The network engineer attaches the VPC to a virtual private gateway and sets up an AWS Site-to-Site VPN connection. The VPN tunnel is UP after configuration and is working. However, during rekey for phase 2 of the VPN negotiation, the customer gateway device is receiving different parameters than the parameters that the device is configured to support. The network engineer checks the IPsec configuration of the VPN tunnel. The network engineer notices that the customer gateway device is configured with the most secure encryption algorithms that the AWS Site-to-Site VPN configuration file provides. What should the network engineer do to troubleshoot and correct the issue?
- A. Check the native virtual private gateway logs. Restrict the VPN tunnel options to the specific VPN parameters that the virtual private gateway requires.
- B. Check the native customer gateway logs. Restrict the VPN tunnel options to the specific VPN parameters that the customer gateway requires. ✓
- C. Check Amazon CloudWatch logs of the virtual private gateway. Restrict the VPN tunnel options to the specific VPN parameters that the virtual private gateway requires.
- D. Check Amazon CloudWatch logs of the customer gateway. Restrict the VPN tunnel options to the specific VPN parameters that the customer gateway requires.
Correct Answer: B. Check the native customer gateway logs. Restrict the VPN tunnel options to the specific VPN parameters that the customer gateway requires.
Explanation
In this question, the customer gateway device receives parameters it does not support during the phase 2 rekey of the VPN negotiation. Because it is the customer gateway device whose received parameters do not match its configuration, the native customer gateway logs are the right place to look. To resolve the issue, the VPN tunnel options should be restricted to the specific VPN parameters that the customer gateway requires, so that AWS only proposes algorithms the device supports. Therefore, option B is the correct answer.