Question 288 - PCNSE discussion


An administrator receives the following error message:

"IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192.168.33.33/24 type IPv4 address protocol 0 port 0, received remote id 172.16.33.33/24 type IPv4 address protocol 0 port 0."

How should the administrator identify the root cause of this error message?

A. In the IKE Gateway configuration, verify that the IP address for each VPN peer is accurate
B. Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure
C. Check whether the VPN peer on one end is set up correctly using policy-based VPN
D. In the IPSec Crypto profile configuration, verify that PFS is either enabled on both VPN peers or disabled on both VPN peers.

Suggested answer: C

Explanation:

According to the Palo Alto Networks documentation [1], the error message "IKE phase-2 negotiation failed when processing Proxy ID" indicates a mismatch between the Proxy ID settings on the two VPN peers. The Proxy ID identifies the traffic that is to be encrypted and tunneled: it consists of the local and remote IP addresses (networks), the protocol, and the ports. The two peers' Proxy IDs must be mirror images of each other, so that one peer's local ID is the other peer's remote ID, with the same protocol and ports; if they do not match, the phase-2 negotiation fails. The administrator should therefore check whether the VPN peer on one end is set up using policy-based VPN, which defines the Proxy ID settings explicitly and requires them to be matched manually on this firewall [2]. The correct answer is C.

The other options are not relevant or helpful for identifying the root cause of this error message:

In the IKE Gateway configuration, verify that the IP address for each VPN peer is accurate: This option would help to identify the root cause of a phase-1 negotiation failure, not a phase-2 negotiation failure. The IP address for each VPN peer is used to establish the IKE gateway, which is part of the phase-1 negotiation. If the IP address is inaccurate, the phase-1 negotiation will fail and the error message will be different.

Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure: This option would also help to identify the root cause of a phase-1 negotiation failure, not a phase-2 negotiation failure. The ability to ping and route between the IP addresses of the VPN peers is a prerequisite for establishing the IKE gateway, which is part of the phase-1 negotiation. If there are routing issues or connectivity problems, the phase-1 negotiation will fail and the error message will be different.

In the IPSec Crypto profile configuration, verify that PFS is either enabled on both VPN peers or disabled on both VPN peers: This option would help to identify the root cause of a different phase-2 negotiation failure, not the one related to Proxy ID mismatch. PFS stands for Perfect Forward Secrecy, which is an option to generate a new encryption key for each IPSec session. If PFS is enabled on one VPN peer but disabled on the other, the phase-2 negotiation will fail and the error message will be "IKEv2 IPSec SA negotiation failed. Invalid syntax." [3].
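As an added illustration (not from this page or from Palo Alto Networks), the following Python checker parses a Proxy ID error line of the shape shown above and compares the peer's received IDs with this firewall's own Proxy ID entries, applying the mirror rule from the explanation. The sample log line and the entry tuple layout (local_cidr, remote_cidr, proto, local_port, remote_port) are constructed assumptions, not a PAN-OS export format.

```python
import ipaddress
import re

# Constructed sample with the same shape as the log line in the question.
SAMPLE_LOG = (
    "IKE phase-2 negotiation failed when processing Proxy ID. "
    "Received local id 192.168.33.33/24 type IPv4 address protocol 0 port 0, "
    "received remote id 172.16.33.33/24 type IPv4 address protocol 0 port 0."
)
ID_RE = re.compile(r"[Rr]eceived (local|remote) id (\S+) type IPv4 address "
                   r"protocol (\d+) port (\d+)")


def parse_proxy_id_error(line):
    """Return the peer's proxy IDs as {'local': (net, proto, port), 'remote': ...}.
    strict=False drops host bits: the negotiation compares networks, so
    192.168.33.33/24 is handled as 192.168.33.0/24."""
    found = {}
    for side, cidr, proto, port in ID_RE.findall(line):
        found[side] = (ipaddress.ip_network(cidr, strict=False), int(proto), int(port))
    if set(found) != {"local", "remote"}:
        raise ValueError("log line does not carry both proxy IDs")
    return found


def find_mismatch(received, our_proxy_ids):
    """Check the peer's IDs against this firewall's Proxy ID entries, given as
    (local_cidr, remote_cidr, proto, local_port, remote_port) tuples (hypothetical
    config layout). A match is the mirror image: peer local == our remote, peer
    remote == our local, same protocol and ports. Returns None on a match."""
    p_local, p_proto, p_lport = received["local"]
    p_remote, _, p_rport = received["remote"]
    theirs = (p_local, p_proto, p_lport, p_remote, p_rport)
    labels = ("our remote net vs peer local", "protocol",
              "our remote port vs peer local port",
              "our local net vs peer remote", "our local port vs peer remote port")
    reasons = []
    for local, remote, proto, lport, rport in our_proxy_ids:
        ours = (ipaddress.ip_network(remote, strict=False), proto, rport,
                ipaddress.ip_network(local, strict=False), lport)
        diffs = [f"{n}: {o} vs {t}" for n, o, t in zip(labels, ours, theirs) if o != t]
        if not diffs:
            return None  # this entry matches what the peer proposed
        reasons.append(f"entry {local} -> {remote}: " + "; ".join(diffs))
    return reasons


if __name__ == "__main__":
    peer = parse_proxy_id_error(SAMPLE_LOG)
    print(find_mismatch(peer, [("172.16.33.0/24", "192.168.33.0/25", 0, 0, 0)]))
```

A returned list names, per configured entry, which field breaks the mirror (for example a /25 configured where the peer proposes a /24), which is the comparison the firewall log does not spell out.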

References:

[1] https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbXCAS
[2] https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/vpn/site-to-site-vpn/set-up-a-site-tosite-vpn-between-two-firewalls/policy-based-vpn
[3] https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZSCA0

asked 23/09/2024
mustapha amraui