Examice

Exam ANS-C01 All QuestionsBrowse all questions from this exam

Question 104

A network engineer needs to build an encrypted connection between an on-premises data center and a VPC. The network engineer attaches the VPC to a virtual private gateway and sets up an AWS Site-to-Site VPN connection. The VPN tunnel is UP after configuration and is working. However, during rekey for phase 2 of the VPN negotiation, the customer gateway device is receiving different parameters than the parameters that the device is configured to support.

The network engineer checks the IPsec configuration of the VPN tunnel. The network engineer notices that the customer gateway device is configured with the most secure encryption algorithms that the AWS Site-to-Site VPN configuration file provides.

What should the network engineer do to troubleshoot and correct the issue?

Check the native virtual private gateway logs. Restrict the VPN tunnel options to the specific VPN parameters that the virtual private gateway requires.

Check the native customer gateway logs. Restrict the VPN tunnel options to the specific VPN parameters that the customer gateway requires.

Check Amazon CloudWatch logs of the virtual private gateway. Restrict the VPN tunnel options to the specific VPN parameters that the virtual private gateway requires.

Check Amazon CloudWatch logs of the customer gateway. Restrict the VPN tunnel options to the specific VPN parameters that the customer gateway requires.

Correct Answer: D

The network engineer should check the Amazon CloudWatch logs of the customer gateway. Site-to-Site VPN logs can be published to Amazon CloudWatch Logs, which can help pinpoint configuration mismatches between AWS and the customer gateway device. This will help diagnose the cause of intermittent connection failures and adjust the VPN tunnel options to match the parameters that the customer gateway requires.

Discussion

lygfOption: B

You check Cloudwatch for AWS resources or your native/on-prem logs for your on prem resource. A&D is out. The problem statement indicates that customer gateway is misconfigured. So you need to work on Customer gateway.

JaffaDaffaOption: B

There are no cloudwatch logs for CGW only for VPN

Training

Should be D Benefits of Site-to-Site VPN logs Simplified VPN troubleshooting: Site-to-Site VPN logs help you to pinpoint configuration mismatches between AWS and your customer gateway device, and address initial VPN connectivity issues. VPN connections can intermittently flap over time due to misconfigured settings (such as poorly tuned timeouts), there can be issues in the underlying transport networks (like internet weather), or routing changes or path failures can cause disruption of connectivity over VPN. This feature allows you to accurately diagnose the cause of intermittent connection failures and fine-tune low-level tunnel configuration for reliable operation.

Training

https://aws.amazon.com/about-aws/whats-new/2022/08/aws-site-vpn-connection-logs-amazon-cloudwatch/

Training

https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-logs.html

JoellaLi

Your link mentions that "Site-to-Site VPN logs can be published to Amazon CloudWatch Logs.". So Site-to-Site VPN logs !== Amazon CloudWatch Logs.

BGKaZOption: D

Site-to-Site VPN logs help you to pinpoint configuration mismatches between AWS and your customer gateway device, and address initial VPN connectivity issues. >>> https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-logs.html

drake2020

D is the right answer: the cloudwatch log will show the real issue and then action can be taken https://docs.aws.amazon.com/vpn/latest/s2svpn/log-contents.html TunnelIKEPhase2State VpnLogDetail

Certified101Option: D

Simplified VPN troubleshooting: Site-to-Site VPN logs help you to pinpoint configuration mismatches between AWS and your customer gateway device, and address initial VPN connectivity issues. https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-logs.html

johnconnor

It is D, basically no answer on this exam is going to be to check a solution outside AWS. Plus we have this-> https://aws.amazon.com/about-aws/whats-new/2022/08/aws-site-vpn-connection-logs-amazon-cloudwatch/

JoellaLi

Lol Agree with you -basically no answer on this exam is going to be to check a solution outside AWS

FukatOption: B

B We cannot enable Cloudwatch logs on CGW or VGW. It has to be enabled on the VPN Connection. So other options are totally incorrect.

DanyelBloodOption: D

Site-to-Site VPN logs can be published to Amazon CloudWatch Logs. This feature provides customers with a single consistent way to access and analyze detailed logs for all of their Site-to-Site VPN connections.

Blitz1Option: B

funny question...and has nothing to do with technical knowledge but more with english. Where is the problem: on customer vpn router Where to check: on customer router or in Cloudwatch for you own "router".(VPG) D is confusion because is saying " Check Amazon CloudWatch logs of the customer gateway". What you will see in CloudWatch are the logs from your own router (VPG) and not customer logs because customer is not sending logs to Cloudwatch. I would have choose an answer which will say: " Check Amazon CloudWatch logs of the virtual private gateway. Restrict the VPN tunnel options to the specific VPN parameters that the customer gateway requires. " - but this option is NOT available.

SailorOption: D

each side logs can determine the problem! , the question even did not ask where to take action!, the problem can be solved by matching the configuration on both sides, which side to change is not the key point ! the question says: The network engineer notices that the customer gateway device is configured with the most secure encryption algorithms that the AWS Site-to-Site VPN configuration file provides. I feel he drive us to change the AWS side as long as the the customer is configured with the " the most secure encryption algorithms" accordingly we should change the AWS side ! this is logic question more than AWS question!!!

JoellaLiOption: D

Benefits of Site-to-Site VPN logs Simplified VPN troubleshooting: Site-to-Site VPN logs help you to pinpoint configuration mismatches between AWS and your customer gateway device, and address initial VPN connectivity issues. VPN connections can intermittently flap over time due to misconfigured settings (such as poorly tuned timeouts), there can be issues in the underlying transport networks (like internet weather), or routing changes or path failures can cause disruption of connectivity over VPN. This feature allows you to accurately diagnose the cause of intermittent connection failures and fine-tune low-level tunnel configuration for reliable operation. https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-logs.html

Marfee400704

I think that it's correct answer is B according to SPOTO products.

luisfsmOption: D

According to these links, it's D: https://aws.amazon.com/about-aws/whats-new/2022/08/aws-site-vpn-connection-logs-amazon-cloudwatch/?nc1=h_ls https://aws.amazon.com/vpn/faqs/#:~:text=Q%3A%20What%20logs,best%20effort%20basis.

TravelKoOption: D

Logs are exported to cloudwatch .