<< Prev Question Next Question >>
Question 12/36
-- Exhibit --
user@R1> show security ike security-associations
user@R1> show security zones
Security zone: trust
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bounD. 3
Interfaces:
ge-0/0/0.0
ge-0/0/6.0
lo0.0
Security zone: untrust
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bounD. 1
Interfaces:
ge-0/0/1.0
Security zone: junos-host
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bounD. 0
Interfaces:
user@R1> show interfaces st0
Physical interface: st0, Enabled, Physical link is Up
Interface index: 130, SNMP ifIndex: 503
Type: Secure-Tunnel, Link-level type: Secure-Tunnel, MTU: 9192
Device flags : Present Running
Interface flags: Point-To-Point
Input rate : 0 bps (0 pps)
Output rate : 0 bps (0 pps)
Logical interface st0.0 (Index 72) (SNMP ifIndex 546)
Flags: Link-Layer-Down Point-To-Point SNMP-Traps
Encapsulation: Secure-Tunnel
Input packets : 3
Output packets: 3
Security: Zone: Null
Protocol inet, MTU: 9192
Flags: Sendbcast-pkt-to-re
Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
Destination: 172.19.0.0/30, Local: 172.19.0.1
user@R1> show interfaces ge-0/0/1
Physical interface: ge-0/0/1, Enabled, Physical link is Up
Interface index: 135, SNMP ifIndex: 508
Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, SpeeD. 1000mbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online Device flags : Present Running Interface flags: SNMP-Traps Internal: 0x0
Link flags : None
CoS queues : 8 supported, 8 maximum usable queues
Current address: b0:c6:9a:73:27:81, Hardware address: b0:c6:9a:73:27:81 Last flapped : 2013-06-12 15:22:48 UTC (00:59:41 ago) Input rate : 0 bps (0 pps) Output rate : 0 bps (0 pps)
Active alarms : None
Active defects : None
Interface transmit statistics: Disabled
Logical interface ge-0/0/1.0 (Index 71) (SNMP ifIndex 541)
Flags: SNMP-Traps 0x0 Encapsulation: ENET2
Input packets : 40
Output packets: 27
Security: Zone: untrust
Allowed host-inbound traffic : ping
Protocol inet, MTU: 1500
Flags: Sendbcast-pkt-to-re
Addresses, Flags: Is-Preferred Is-Primary
Destination: 184.0.15.0/30, Local: 184.0.15.1, Broadcast: 184.0.15.3
user@R1> show log ipsec-trace | match "500|drop"
Jun 12 16:32:10 16:32:10.680034:CID-0:RT:ageout 71,184.0.15.2/500->184.0.15.1/500,17, (0/0) Jun 12 16:32:51 16:32:51.874191:CID-0:RT:184.0.15.2/500->184.0.15.1/500;17> :
Jun 12 16:32:51 16:32:51.874191:CID-0:RT: ge-0/0/1.0:184.0.15.2/500->184.0.15.1/500, udp Jun 12 16:32:51 16:32:51.874191:CID-0:RT: find flow: table 0x4f160b38, hash 8769(0xffff), sa 184.0.15.2, da 184.0.15.1, sp 500, dp 500, proto 17, tok 8 Jun 12 16:32:51 16:32:51.874191:CID-0:RT:pak_for_self : proto 17, dst port 500, action 0x0 Jun 12 16:32:51 16:32:51.874191:CID-0:RT: flow_first_in_dst_nat: in 0/1.0>, out A> dst_adr 184.0.15.1, sp 500, dp 500 Jun 12 16:32:51 16:32:51.874555:CID-0:RT: packet droppeD. for self but not interested Jun 12 16:32:51 16:32:51.874555:CID-0:RT: packet dropped, packet droppeD. for self but not interested.
Jun 12 16:32:54 16:32:54.680399:CID-0:RT:ageout 71,184.0.15.2/500->184.0.15.1/500,17, (0/0) Jun 12 16:32:56 16:32:56.888094:CID-0:RT:184.0.15.2/500->184.0.15.1/500;17> :
Jun 12 16:32:56 16:32:56.888094:CID-0:RT: ge-0/0/1.0:184.0.15.2/500->184.0.15.1/500, udp Jun 12 16:32:56 16:32:56.888094:CID-0:RT: find flow: table 0x4f160b38, hash 8769(0xffff), sa 184.0.15.2, da 184.0.15.1, sp 500, dp 500, proto 17, tok 8 Jun 12 16:32:56 16:32:56.888094:CID-0:RT:pak_for_self : proto 17, dst port 500, action 0x0 Jun 12 16:32:56 16:32:56.888094:CID-0:RT: flow_first_in_dst_nat: in 0/1.0>, out A> dst_adr 184.0.15.1, sp 500, dp 500 Jun 12 16:32:56 16:32:56.888094:CID-0:RT: packet droppeD. for self but not interested Jun 12 16:32:56 16:32:56.888094:CID-0:RT: packet dropped, packet droppeD. for self but not interested.
Jun 12 16:33:00 16:33:00.680794:CID-0:RT:ageout 71,184.0.15.2/500->184.0.15.1/500,17, (0/0) Jun 12 16:33:07 16:33:06.902220:CID-0:RT:184.0.15.2/500->184.0.15.1/500;17> :
Jun 12 16:33:07 16:33:06.902220:CID-0:RT: ge-0/0/1.0:184.0.15.2/500->184.0.15.1/500, udp Jun 12 16:33:07 16:33:06.902220:CID-0:RT: find flow: table 0x4f160b38, hash 8769(0xffff), sa 184.0.15.2, da 184.0.15.1, sp 500, dp 500, proto 17, tok 8 Jun 12 16:33:07 16:33:06.902220:CID-0:RT:pak_for_self : proto 17, dst port 500, action 0x0 Jun 12 16:33:07 16:33:06.902220:CID-0:RT: flow_first_in_dst_nat: in 0/1.0>, out A> dst_adr 184.0.15.1, sp 500, dp 500 Jun 12 16:33:07 16:33:06.902220:CID-0:RT: packet droppeD. for self but not interested Jun 12 16:33:07 16:33:06.902220:CID-0:RT: packet dropped, packet droppeD. for self but not interested.
-- Exhibit --
Click the Exhibit button.
You are asked to troubleshoot a new IPsec tunnel that is not establishing between R1 and R2. The remote team has verified that R2's configuration is correct.
Referring to the exhibit, which two actions are required to resolve the problem? (Choose two.)
user@R1> show security ike security-associations
user@R1> show security zones
Security zone: trust
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bounD. 3
Interfaces:
ge-0/0/0.0
ge-0/0/6.0
lo0.0
Security zone: untrust
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bounD. 1
Interfaces:
ge-0/0/1.0
Security zone: junos-host
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bounD. 0
Interfaces:
user@R1> show interfaces st0
Physical interface: st0, Enabled, Physical link is Up
Interface index: 130, SNMP ifIndex: 503
Type: Secure-Tunnel, Link-level type: Secure-Tunnel, MTU: 9192
Device flags : Present Running
Interface flags: Point-To-Point
Input rate : 0 bps (0 pps)
Output rate : 0 bps (0 pps)
Logical interface st0.0 (Index 72) (SNMP ifIndex 546)
Flags: Link-Layer-Down Point-To-Point SNMP-Traps
Encapsulation: Secure-Tunnel
Input packets : 3
Output packets: 3
Security: Zone: Null
Protocol inet, MTU: 9192
Flags: Sendbcast-pkt-to-re
Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
Destination: 172.19.0.0/30, Local: 172.19.0.1
user@R1> show interfaces ge-0/0/1
Physical interface: ge-0/0/1, Enabled, Physical link is Up
Interface index: 135, SNMP ifIndex: 508
Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, SpeeD. 1000mbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online Device flags : Present Running Interface flags: SNMP-Traps Internal: 0x0
Link flags : None
CoS queues : 8 supported, 8 maximum usable queues
Current address: b0:c6:9a:73:27:81, Hardware address: b0:c6:9a:73:27:81 Last flapped : 2013-06-12 15:22:48 UTC (00:59:41 ago) Input rate : 0 bps (0 pps) Output rate : 0 bps (0 pps)
Active alarms : None
Active defects : None
Interface transmit statistics: Disabled
Logical interface ge-0/0/1.0 (Index 71) (SNMP ifIndex 541)
Flags: SNMP-Traps 0x0 Encapsulation: ENET2
Input packets : 40
Output packets: 27
Security: Zone: untrust
Allowed host-inbound traffic : ping
Protocol inet, MTU: 1500
Flags: Sendbcast-pkt-to-re
Addresses, Flags: Is-Preferred Is-Primary
Destination: 184.0.15.0/30, Local: 184.0.15.1, Broadcast: 184.0.15.3
user@R1> show log ipsec-trace | match "500|drop"
Jun 12 16:32:10 16:32:10.680034:CID-0:RT:ageout 71,184.0.15.2/500->184.0.15.1/500,17, (0/0) Jun 12 16:32:51 16:32:51.874191:CID-0:RT:184.0.15.2/500->184.0.15.1/500;17> :
Jun 12 16:32:51 16:32:51.874191:CID-0:RT: ge-0/0/1.0:184.0.15.2/500->184.0.15.1/500, udp Jun 12 16:32:51 16:32:51.874191:CID-0:RT: find flow: table 0x4f160b38, hash 8769(0xffff), sa 184.0.15.2, da 184.0.15.1, sp 500, dp 500, proto 17, tok 8 Jun 12 16:32:51 16:32:51.874191:CID-0:RT:pak_for_self : proto 17, dst port 500, action 0x0 Jun 12 16:32:51 16:32:51.874191:CID-0:RT: flow_first_in_dst_nat: in 0/1.0>, out A> dst_adr 184.0.15.1, sp 500, dp 500 Jun 12 16:32:51 16:32:51.874555:CID-0:RT: packet droppeD. for self but not interested Jun 12 16:32:51 16:32:51.874555:CID-0:RT: packet dropped, packet droppeD. for self but not interested.
Jun 12 16:32:54 16:32:54.680399:CID-0:RT:ageout 71,184.0.15.2/500->184.0.15.1/500,17, (0/0) Jun 12 16:32:56 16:32:56.888094:CID-0:RT:184.0.15.2/500->184.0.15.1/500;17> :
Jun 12 16:32:56 16:32:56.888094:CID-0:RT: ge-0/0/1.0:184.0.15.2/500->184.0.15.1/500, udp Jun 12 16:32:56 16:32:56.888094:CID-0:RT: find flow: table 0x4f160b38, hash 8769(0xffff), sa 184.0.15.2, da 184.0.15.1, sp 500, dp 500, proto 17, tok 8 Jun 12 16:32:56 16:32:56.888094:CID-0:RT:pak_for_self : proto 17, dst port 500, action 0x0 Jun 12 16:32:56 16:32:56.888094:CID-0:RT: flow_first_in_dst_nat: in 0/1.0>, out A> dst_adr 184.0.15.1, sp 500, dp 500 Jun 12 16:32:56 16:32:56.888094:CID-0:RT: packet droppeD. for self but not interested Jun 12 16:32:56 16:32:56.888094:CID-0:RT: packet dropped, packet droppeD. for self but not interested.
Jun 12 16:33:00 16:33:00.680794:CID-0:RT:ageout 71,184.0.15.2/500->184.0.15.1/500,17, (0/0) Jun 12 16:33:07 16:33:06.902220:CID-0:RT:184.0.15.2/500->184.0.15.1/500;17> :
Jun 12 16:33:07 16:33:06.902220:CID-0:RT: ge-0/0/1.0:184.0.15.2/500->184.0.15.1/500, udp Jun 12 16:33:07 16:33:06.902220:CID-0:RT: find flow: table 0x4f160b38, hash 8769(0xffff), sa 184.0.15.2, da 184.0.15.1, sp 500, dp 500, proto 17, tok 8 Jun 12 16:33:07 16:33:06.902220:CID-0:RT:pak_for_self : proto 17, dst port 500, action 0x0 Jun 12 16:33:07 16:33:06.902220:CID-0:RT: flow_first_in_dst_nat: in 0/1.0>, out A> dst_adr 184.0.15.1, sp 500, dp 500 Jun 12 16:33:07 16:33:06.902220:CID-0:RT: packet droppeD. for self but not interested Jun 12 16:33:07 16:33:06.902220:CID-0:RT: packet dropped, packet droppeD. for self but not interested.
-- Exhibit --
Click the Exhibit button.
You are asked to troubleshoot a new IPsec tunnel that is not establishing between R1 and R2. The remote team has verified that R2's configuration is correct.
Referring to the exhibit, which two actions are required to resolve the problem? (Choose two.)
