CCNP Security VPN FAQ: Configuring Scalability Features of the VPN 3002 Hardware Client
Q1. What are the ramifications an administrator should consider when planning to use Virtual Router Redundancy Protocol (VRRP) along with reverse route injection (RRI)?
Q2. You wish to inject a route from the VPN Concentrator to the VPN 3002 Hardware Client. What routing protocol must you use?
Q3. You wish to use RIPv1 with Reverse Route Injection. Can this be done?
Q4. You are using a backup IPSec server because the primary server was down when the initial tunnel was initiated. The primary server is now up. Will the VPN 3002 Hardware Client restore a connection to the primary? If so, when?
Q5. What is the timeout period used when attempting to connect to the primary concentrator before a connection will be attempted to a secondary concentrator?
Q6. You tried to connect to your primary concentrator from your VPN 3002 Hardware Client but were unsuccessful. Your 3002 Hardware Client then attempted to connect to your backup concentrator without success. When will the VPN 3002 Hardware Client try again?
Q7. How is load balancing enabled on the VPN 3002 Hardware Client?
Q8. You have three VPN 3015 Concentrators on the same network. Assuming default priority settings, which one will be elected to balance the load?
Q9. What factors are considered for VPN 3000 Concentrator load balancing with VPN 3002 Hardware Clients or remote access VPN clients?
Q10. Which debug class or classes should you enable in order to debug an auto-update?
Q11. What types of clients may use the auto-update feature?
Q12. When a software update is pending, during the connection process, the concentrator sends a message indicating the IP address of the TFTP server and the software version to be downloaded. What type (protocol) is this message?
Q13. What client type(s) are permissible to be set on the VPN Concentrator for upgrading clients when using the VPN 3002 Hardware Client?
Q14. On the VPN Concentrator, what is the syntax used to specify the TFTP server and the filename used for updating the client software?
Q15. You have configured auto-update to occur. Which device, the VPN Concentrator or the VPN 3002 Hardware Client, recognizes that the software must be updated?
Q16. How is the VPN 3000 Concentrator configured to notify VPN 3002 Hardware Clients that a new software upgrade is available?
Update | Clients.
Choose the group
Select Upgrade Clients Now
Q17. Your VPN 3002 Hardware Client attempts to auto-update. The system appears to “hang” and eventually times out on the download portion of the process. What are two likely causes?
Q18. You have tried to upgrade your VPN 3002 Hardware Client. However, the VPN 3002 Hardware Client keeps trying to upgrade without success. You know that you have connectivity. You can see in the logs that you have been downloading the file. What is the problem?
Q19. Why will some applications not work with either NAT or PAT?
Q20. Why will PAT cause problems with some applications whereas NAT does not cause these problems?
Q21. What are two main differences between NAT and PAT?
Q22. Why is UDP Transparent IPSec (IPSec over UDP) usable with either NAT or PAT when IPSec over TCP is not usable over PAT?
Q23. You are using UDP Transparent IPSec on your VPN 3002 Hardware Client. How are filters applied to inbound traffic? How are filters applied to outbound traffic?
Q24. What minimum version does the VPN Concentrator have to be running in order to use UDP NAT Transparent IPSec? What version is required on the VPN 3002 Hardware Client?
Q25. What is the default port for IPSec over UDP?
Q26. When using IPSec over TCP, how are IKE and IPSec protocols handled in relation to NAT?
Q27. You are planning on terminating your VPN 3002 Hardware Client’s VPN tunnel on a Microsoft Proxy Server. Should you use UDP NAT Transparent IPSec (IPSec over UDP) or IPSec over TCP?
Q28. What are the ramifications an administrator should consider when planning to use VRRP along with RRI?
Q29. You wish to inject a route from the VPN Concentrator to the VPN 3002 Hardware Client. What routing protocol must you use?
Q30. You wish to use RIPv1 with Reverse Route Injection. Can this be done?
Q31. Which screen on the VPN Concentrator is used to configure RRI with OSPF?
Q32. You are using a backup IPSec server because the primary server was down when the initial tunnel was initiated. The primary server is now up. Will the VPN 3002 Hardware Client restore a connection to the primary? If so, when?
Q33. What is the timeout period used when attempting to connect to the primary concentrator before a connection will be attempted to a secondary concentrator?
Q34. You tried to connect to your primary concentrator from your VPN 3002 Hardware Client but were unsuccessful. Your 3002 Hardware Client then attempted to connect to your backup concentrator without success. When will the VPN 3002 Hardware Client try again?
Q35. What screen is used to configure backup servers on the VPN 3002 Hardware Client?
Q36. You have three VPN 3015 Concentrators on the same network. Assuming default priority settings, which one will be elected to balance the load?
Q37. What factors are considered for VPN 3000 Concentrator load balancing with VPN 3002 Hardware Clients or remote access VPN Clients?
Q38. How is load balancing enabled on the VPN 3002 Hardware Client?
Q39. What types of clients may use the auto-update feature?
Q40. When a software update is pending, during the connection process, the concentrator sends a message indicating the IP address of the TFTP server and the software version to be downloaded. What type (protocol) is this message?
Q41. What are two main differences between NAT and PAT?
Q42. You are the administrator for a network using a single PAT address for connection to the Internet. You want to add two VPN 3002 Hardware Clients behind your PIX firewall. Which type of IPSec will you choose to use?
Q43. What minimum version does the VPN Concentrator have to be running in order to use IPSec over TCP/IP? What version is required on the VPN 3002 Hardware Client?
Q44. What minimum version does the VPN Concentrator have to be running in order to use UDP NAT Transparent IPSec? What version is required on the VPN 3002 Hardware Client?
Q45. What is the default port for IPSec over UDP?
Q46. You have an established tunnel between two sites. From the remote site you are able to ping the inside interface of the VPN Concentrator. However, you are unable to ping anything that lies beyond that point. What is wrong?
Q47. You are planning to upgrade your VPN 3002 Hardware Client. You have just received a file named vpn3002-3.0.3.A-k9.bin. What version is this?
Q48. You have tried to upgrade your VPN 3002 Hardware Client. However, the VPN 3002 Hardware Client keeps trying to upgrade without success. You know that you have connectivity. You can see in the logs that you have been downloading the file. What is the problem?
Q49. Why will some applications not work with either NAT or PAT?
Q50. Why will PAT cause problems with some applications whereas NAT does not cause these problems?
Q51. Which debug class or classes should you enable in order to debug an auto-update?
Q52. On the VPN Concentrator, what is the syntax used to specify the TFTP server and the filename used for updating the client software?
Q53. You have configured auto-update to occur. Which device, the VPN Concentrator or the VPN 3002 Hardware Client, recognizes that the software must be updated?
Q54. What client type(s) are permissible to be set on the VPN Concentrator for upgrading clients when using the VPN 3002 Hardware Client?
Q55. How is the VPN 3000 Concentrator configured to notify VPN 3002 Hardware Clients that a new software upgrade is available?
Choose the group
Select Upgrade Clients Now.
Q56. Your VPN 3002 Hardware Client attempts to auto-update. The system appears to “hang” and eventually times out on the download portion of the process. What are two likely causes?
Q57. In Network Extension mode, how long will the VPN 3002 Hardware Client wait before attempting to connect to a backup server if a connection to the primary server fails?
Q58. Will a VPN 3002 Hardware Client connected to a backup server recognize that the primary server has added a new backup server?
Q59. Does the VPN 3002 Hardware Client send keepalives to other VPN 3002 Hardware Clients connected to the same primary or backup server?
Q60. Where are hold-down routes configured?
Q61. What protocols may be used with LAN-to-LAN Autodiscovery?
Q62. When using IPSec over TCP, how are IKE and IPSec protocols handled in relation to NAT?
Q63. You are planning on terminating your VPN 3002 Hardware Client’s VPN tunnel on a Microsoft Proxy Server. Should you use UDP NAT Transparent IPSec (IPSec over UDP) or IPSec over TCP?