ANS-C01 Exam Questions

ANS-C01 Exam - Question 104


A network engineer needs to build an encrypted connection between an on-premises data center and a VPC. The network engineer attaches the VPC to a virtual private gateway and sets up an AWS Site-to-Site VPN connection. The VPN tunnel is UP after configuration and is working. However, during rekey for phase 2 of the VPN negotiation, the customer gateway device is receiving different parameters than the parameters that the device is configured to support.

The network engineer checks the IPsec configuration of the VPN tunnel. The network engineer notices that the customer gateway device is configured with the most secure encryption algorithms that the AWS Site-to-Site VPN configuration file provides.

What should the network engineer do to troubleshoot and correct the issue?

Correct Answer: D

The network engineer should enable Site-to-Site VPN logging and check the tunnel logs in Amazon CloudWatch Logs. Site-to-Site VPN logs are generated by the AWS side of each tunnel (not by the customer gateway device itself) and can be published to Amazon CloudWatch Logs; each entry records the IKE phase 1 and phase 2 state together with a detail message, which pinpoints configuration mismatches between AWS and the customer gateway device. Here the tunnel comes up, but the phase 2 proposal AWS sends at rekey is not one the device is configured to accept. By default a tunnel accepts any of the supported algorithms, so a rekey can carry a proposal set that differs from the parameters negotiated initially. Once the logs show which parameters differ, the engineer restricts the VPN tunnel options (phase 2 encryption, integrity and DH group) to the set the customer gateway supports, so every rekey negotiates the same parameters and the intermittent connection failures stop.
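Added example (not from the exam or from AWS): the two steps above as code. It reads constructed log lines in the JSON shape of Site-to-Site VPN logs, reports every entry whose phase 2 state is not UP, then builds a restricted tunnel-options document and the matching `aws ec2 modify-vpn-tunnel-options` call. The log field names follow the AWS log-contents documentation, but the timestamps, IDs, addresses and `VpnLogDetail` text are invented; the `--tunnel-options` keys follow the EC2 ModifyVpnTunnelOptions API as documented, and the log group ARN and account ID are placeholders.

```python
import json
import shlex

# Values the EC2 ModifyVpnTunnelOptions API accepts for phase 2 (from the
# AWS Site-to-Site VPN tunnel options documentation).
PHASE2_ENCRYPTION = {"AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"}
PHASE2_INTEGRITY = {"SHA1", "SHA2-256", "SHA2-384", "SHA2-512"}
PHASE2_DH_GROUPS = {2, 5, *range(14, 25)}

# Constructed sample log lines in the JSON shape of Site-to-Site VPN logs
# published to CloudWatch Logs. Field names follow the AWS log-contents
# documentation; IDs, addresses and VpnLogDetail text are invented here.
SAMPLE_LOG_LINES = [
    json.dumps({
        "VpnLogCreatedTimestamp": "2024-03-01T10:00:00Z",
        "VpnConnectionId": "vpn-0123456789abcdef0",
        "TunnelOutsideIPAddress": "203.0.113.10",
        "TunnelIKEPhase1State": "UP",
        "TunnelIKEPhase2State": "UP",
        "VpnLogDetail": "AWS tunnel phase 2 established",
    }),
    json.dumps({
        "VpnLogCreatedTimestamp": "2024-03-01T10:55:00Z",
        "VpnConnectionId": "vpn-0123456789abcdef0",
        "TunnelOutsideIPAddress": "203.0.113.10",
        "TunnelIKEPhase1State": "UP",
        "TunnelIKEPhase2State": "DOWN",
        "VpnLogDetail": "AWS tunnel phase 2 rekey: no proposal chosen "
                        "(AWS offered AES128 / SHA1 / DH group 2)",
    }),
]


def phase2_failures(lines):
    """Return (timestamp, outside_ip, detail) for each log line whose phase 2
    state is not UP. Phase 1 is ignored: in the question the tunnel is UP and
    only the phase 2 rekey disagrees."""
    failures = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("TunnelIKEPhase2State") != "UP":
            failures.append((rec["VpnLogCreatedTimestamp"],
                             rec["TunnelOutsideIPAddress"],
                             rec["VpnLogDetail"]))
    return failures


def tunnel_options(cgw_encryption, cgw_integrity, cgw_dh_groups, log_group_arn):
    """Build the --tunnel-options value for `aws ec2 modify-vpn-tunnel-options`:
    phase 2 restricted to what the customer gateway supports, plus VPN logging
    to the given CloudWatch log group. Values AWS does not accept are rejected
    here so a typo fails locally rather than at the API."""
    bad = (set(cgw_encryption) - PHASE2_ENCRYPTION
           | set(cgw_integrity) - PHASE2_INTEGRITY
           | set(cgw_dh_groups) - PHASE2_DH_GROUPS)
    if bad:
        raise ValueError(f"unsupported phase 2 values: {sorted(map(str, bad))}")
    return {
        "Phase2EncryptionAlgorithms": [{"Value": v} for v in cgw_encryption],
        "Phase2IntegrityAlgorithms": [{"Value": v} for v in cgw_integrity],
        "Phase2DHGroupNumbers": [{"Value": v} for v in cgw_dh_groups],
        "LogOptions": {"CloudWatchLogOptions": {
            "LogEnabled": True,
            "LogGroupArn": log_group_arn,
            "LogOutputFormat": "json",
        }},
    }


def cli_command(vpn_connection_id, outside_ip, options):
    """Render the CLI call; the JSON document is one shell-quoted argument."""
    return ("aws ec2 modify-vpn-tunnel-options"
            f" --vpn-connection-id {vpn_connection_id}"
            f" --vpn-tunnel-outside-ip-address {outside_ip}"
            f" --tunnel-options {shlex.quote(json.dumps(options))}")


if __name__ == "__main__":
    for ts, ip, detail in phase2_failures(SAMPLE_LOG_LINES):
        print(f"{ts} tunnel {ip}: {detail}")
    # Placeholder ARN/account; the CGW in this scenario supports only these.
    opts = tunnel_options(["AES256-GCM-16"], ["SHA2-256"], [20],
                          "arn:aws:logs:us-east-1:123456789012:log-group:vpn-logs")
    print(cli_command("vpn-0123456789abcdef0", "203.0.113.10", opts))
```

Run the generated command once per tunnel (each tunnel has its own outside IP address and its own options). Modifying tunnel options causes that tunnel to renegotiate, so apply the change to one tunnel at a time while the other stays up.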

Discussion

15 comments
lygf (Option: B)
Jun 20, 2023

You check CloudWatch for AWS resources or your native/on-prem logs for your on-prem resource. A and D are out. The problem statement indicates that the customer gateway is misconfigured, so you need to work on the customer gateway.

JaffaDaffa (Option: B)
Aug 5, 2023

There are no CloudWatch logs for the CGW, only for the VPN.

Training
Jun 17, 2023

Should be D. Benefits of Site-to-Site VPN logs: Simplified VPN troubleshooting: Site-to-Site VPN logs help you to pinpoint configuration mismatches between AWS and your customer gateway device, and address initial VPN connectivity issues. VPN connections can intermittently flap over time due to misconfigured settings (such as poorly tuned timeouts), there can be issues in the underlying transport networks (like internet weather), or routing changes or path failures can cause disruption of connectivity over VPN. This feature allows you to accurately diagnose the cause of intermittent connection failures and fine-tune low-level tunnel configuration for reliable operation.

Training
Jun 17, 2023

https://aws.amazon.com/about-aws/whats-new/2022/08/aws-site-vpn-connection-logs-amazon-cloudwatch/

Training
Jun 17, 2023

https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-logs.html

JoellaLi
Mar 24, 2024

Your link mentions that "Site-to-Site VPN logs can be published to Amazon CloudWatch Logs.". So Site-to-Site VPN logs !== Amazon CloudWatch Logs.

drake2020
Jan 6, 2024

D is the right answer: the CloudWatch log will show the real issue and then action can be taken. https://docs.aws.amazon.com/vpn/latest/s2svpn/log-contents.html (see the TunnelIKEPhase2State and VpnLogDetail fields)

BGKaZ (Option: D)
Mar 5, 2024

Site-to-Site VPN logs help you to pinpoint configuration mismatches between AWS and your customer gateway device, and address initial VPN connectivity issues. >>> https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-logs.html

DanyelBlood (Option: D)
Jul 7, 2023

Site-to-Site VPN logs can be published to Amazon CloudWatch Logs. This feature provides customers with a single consistent way to access and analyze detailed logs for all of their Site-to-Site VPN connections.

Fukat (Option: B)
Jul 24, 2023

B. We cannot enable CloudWatch logs on the CGW or VGW. It has to be enabled on the VPN connection. So the other options are totally incorrect.

johnconnor
Jul 29, 2023

It is D; basically no answer on this exam is going to be to check a solution outside AWS. Plus we have this: https://aws.amazon.com/about-aws/whats-new/2022/08/aws-site-vpn-connection-logs-amazon-cloudwatch/

JoellaLi
Mar 24, 2024

Lol, agree with you: basically no answer on this exam is going to be to check a solution outside AWS.

Certified101 (Option: D)
Aug 1, 2023

Simplified VPN troubleshooting: Site-to-Site VPN logs help you to pinpoint configuration mismatches between AWS and your customer gateway device, and address initial VPN connectivity issues. https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-logs.html

TravelKo (Option: D)
Jul 7, 2023

Logs are exported to CloudWatch.

luisfsm (Option: D)
Sep 7, 2023

According to these links, it's D: https://aws.amazon.com/about-aws/whats-new/2022/08/aws-site-vpn-connection-logs-amazon-cloudwatch/?nc1=h_ls https://aws.amazon.com/vpn/faqs/#:~:text=Q%3A%20What%20logs,best%20effort%20basis.

Marfee400704
Feb 15, 2024

I think the correct answer is B according to SPOTO products.

JoellaLi (Option: D)
Apr 6, 2024

Benefits of Site-to-Site VPN logs: Simplified VPN troubleshooting: Site-to-Site VPN logs help you to pinpoint configuration mismatches between AWS and your customer gateway device, and address initial VPN connectivity issues. VPN connections can intermittently flap over time due to misconfigured settings (such as poorly tuned timeouts), there can be issues in the underlying transport networks (like internet weather), or routing changes or path failures can cause disruption of connectivity over VPN. This feature allows you to accurately diagnose the cause of intermittent connection failures and fine-tune low-level tunnel configuration for reliable operation. https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-logs.html

Sailor (Option: D)
May 2, 2024

Each side's logs can determine the problem! The question did not even ask where to take action! The problem can be solved by matching the configuration on both sides; which side to change is not the key point! The question says: "The network engineer notices that the customer gateway device is configured with the most secure encryption algorithms that the AWS Site-to-Site VPN configuration file provides." I feel it drives us to change the AWS side: as long as the customer is configured with "the most secure encryption algorithms", accordingly we should change the AWS side! This is a logic question more than an AWS question!!!

Blitz1 (Option: B)
Jul 18, 2024

Funny question... and it has nothing to do with technical knowledge but more with English. Where is the problem: on the customer VPN router. Where to check: on the customer router, or in CloudWatch for your own "router" (VPG). D is confusing because it says "Check Amazon CloudWatch logs of the customer gateway". What you will see in CloudWatch are the logs from your own router (VPG) and not customer logs, because the customer is not sending logs to CloudWatch. I would have chosen an answer which said: "Check Amazon CloudWatch logs of the virtual private gateway. Restrict the VPN tunnel options to the specific VPN parameters that the customer gateway requires." But this option is NOT available.