Examice

Exam 300-730 All QuestionsBrowse all questions from this exam

Question 32

An engineer is troubleshooting a new DMVPN setup on a Cisco IOS router. After the show crypto isakmp sa command is issued, a response is returned of

"MM_NO_STATE." Why does this failure occur?

The ISAKMP policy priority values are invalid.

ESP traffic is being dropped.

The Phase 1 policy does not match on both devices.

Tunnel protection is not applied to the DMVPN tunnel.

Correct Answer: C

The 'MM_NO_STATE' message indicates that the ISAKMP (Internet Security Association and Key Management Protocol) Security Association (SA) has been initiated but the negotiation is not yet completed. 'MM' stands for Main Mode, which is part of Phase 1 of the ISAKMP negotiation process. This typically occurs when there is a mismatch in the Phase 1 policies (such as encryption, hash, authentication method, or Diffie-Hellman group) between the two devices attempting to establish a secure connection. Therefore, the root cause of this issue is that the Phase 1 policy does not match on both devices.

Discussion

Carlj007Option: C

correct answer is C

shiznity2kOption: C

C is the correct answer, it is due to policy mismatch for phase 1

SlyslothOption: C

Could also be a mismatch on both sides as stated in this troubleshooting guide. https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html Though it is mentioned that its DMVPN so that could be why esp is being dropped but that should only be if protection is on.

joegreenOption: C

Answer is C. ISAKMP packets would be dropped if it were the case, not ESP packets.

starletkaOption: C

phase 1 failed so non matching. human error is always first asumption

kylesam2017Option: C

"C" is the correct answer here.

gondohweOption: C

policy not matching e.g authentication key....go for C

mihaidOption: B

B- is also correct , this should be the first assumption if no other details were given C- is also correct , but this should be the 2nd assumption ?

jimmyjose

Answer options B & D are for phase 2, hence, they are ruled out. Out of options A & C, answer seems to be C because phase 1 denotes main mode, which has no state as per the error message - 'MM_NO_STATE'.

Khs01Option: C

C is correct

Anonymous983475Option: C

Phase 1 failed

Net4ddOption: C

C is the one logical MM is for main mode

Dante8880Option: C

ISAKMP SA has been created but not built. https://www.tunnelsup.com/isakmp-ike-phase-1-status-messages/

BackupzOption: C

correct answer is C

LouisVuittonOption: C

Correct answer is C

mazinhooOption: C

Correct answer is C https://www.cisco.com/c/en/us/support/docs/security/dynamic-multipoint-vpn-dmvpn/111976-dmvpn-troubleshoot-00.html

nospamplsOption: C

like Slysloth wrote C should be right