ExamGecko
Search Search Login
Home Home / Checkpoint / 156-315.81
Question list
Search
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

True or False: In R81, more than one administrator can login to the Security Management Server with write permission at the same time.
The Firewall Administrator is required to create 100 new host objects with different IP addresses. What API command can he use in the script to achieve the requirement?
SecureXL is able to accelerate the Connection Rate using templates. Which attributes are used in the template to identify the connection?
SmartEvent Security Checkups can be run from the following Logs and Monitor activity:
By default, the R81 web API uses which content-type in its response?
By default, which port does the WebUI listen on?
What are the steps to configure the HTTPS Inspection Policy?
When simulating a problem on ClusterXL cluster with cphaprob --d STOP -s problem -t 0 register, to initiate a failover on an active cluster member, what command allows you remove the problematic state?
Which command would disable a Cluster Member permanently?
You find one of your cluster gateways showing ''Down'' when you run the ''cphaprob stat'' command. You then run the ''clusterXL_admin up'' on the down member but unfortunately the member continues to show down. What command do you run to determine the cause?

Question 298 - 156-315.81 discussion

Report
Export

When attempting to start a VPN tunnel, in the logs the error ''no proposal chosen'' is seen numerous times. No other VPN-related entries are present.

Which phase of the VPN negotiations has failed?

A.
IKE Phase 1
Answers
A.
IKE Phase 1
B.
IPSEC Phase 2
Answers
B.
IPSEC Phase 2
C.
IPSEC Phase 1
Answers
C.
IPSEC Phase 1
D.
IKE Phase 2
Answers
D.
IKE Phase 2
Suggested answer: A

Explanation:

The error ''no proposal chosen'' indicates that the VPN gateway did not find a matching proposal for the IKE Phase 1 negotiation. This phase is responsible for establishing a secure channel between the VPN peers, using a pre-shared secret or a certificate. The proposal consists of parameters such as encryption algorithm, hash algorithm, Diffie-Hellman group, and lifetime.If the VPN gateway does not receive a proposal that matches its own configuration, it will reject the connection attempt and log the error ''no proposal chosen''1.

To troubleshoot this issue, one should verify that the VPN peers have the same IKE Phase 1 settings, such as:

The same pre-shared secret or certificate

The same encryption algorithm (e.g., AES-256)

The same hash algorithm (e.g., SHA-256)

The same Diffie-Hellman group (e.g., Group 14)

The same lifetime (e.g., 86400 seconds)

One can use the commandvpn tuon the VPN gateway to view the current IKE Phase 1 settings and compare them with the other peer.Alternatively, one can use the SmartConsole to check the VPN community properties and the gateway object properties for the IKE Phase 1 settings2.

Show Answer
asked 16/09/2024
Darren Bajada
46 questions
PreviousPreviousNextNext
User
Your answer:
0 comments
Sorted by

Leave a comment first

ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms