Exam nse7_efw-72
Question 8

Which two statements about IKE version 2 fragmentation are true? (Choose two.)

    Correct Answer: A, B

    Only some IKE version 2 packets are considered fragmentable and the reassembly timeout default value is 30 seconds. Fragmentation of IKEv2 packets is typically done to address issues with payloads that exceed the IP MTU size, ensuring the packets can pass through network devices more reliably.

Discussion
truserud Options: AC

A and C are correct. See page 300 in the Enterprise Firewall 7.2 Study Guide:
A: Only some IKEv2 packets are considered fragmentable: AUTH, CREATE_CHILD_SA, and some INFORMATIONAL.
C: Page 299 in Study Guide: If fragmentation occurs at the IP layer, during the IKEv2 connection, it is possible that payload sizes may exceed the IP MTU and packets get fragmented. Now, on page 300, it is indeed stated that fragmentation is performed on the IKE-layer to solve the issues raised with Fragmentation on the IP-layer. This is supported on IKEv2 with IKEv2 fragmentation support:
    config vpn ipsec phase1-interface
        edit $interface
            set ike-version 2
            set fragmentation enable | disable
            set fragmentation-mtu $size
Bottom line: somewhat tricky question, at least with regards to it requesting two answers, and it definitely isn't B or D.

havokdu Options: AC

A: Only some IKEv2 packets are considered fragmentable: AUTH, CREATE_CHILD_SA, and some INFORMATIONAL.
B: Reassembly timeout is 15 seconds, not 30 seconds.
C: Check the question and the Study guide. IKEv2 fragmentation does happen in the IP layer, and IKEv2 fragmentation "SUPPORT" happens at the IKE layer instead of the IP layer.
D: The maximum number of IKEv2 fragments is 64, not 128.

charruco Options: AC

A and C are correct

mecacig953

Only one answer is right. A, study guide page 300.

Kop01 Options: AC

Answer should be A only, but it requires 2 answers so it's AC ... p300:
A correct: "Only some packets are considered fragmentable."
C wrong: "With IKEv2 fragmentation support, the fragmentation occurs at the IKE layer instead of the IP layer." BUT if set fragmentation is set to disable, then answer C could be right ....
BD wrong: "The maximum number of IKEv2 fragments are 64, and the reassembly timeout is 15 seconds."

Artbrut Option: A

Only A is correct imho.
A -> yes, study guide p. 300
B -> reassembly timeout 15 sec, not 30
C -> nope, fragmentation is done at IKE layer, not IP! (To not be blocked by firewalls)
D -> nope, the max number is 64 (p. 300 study guide)

Artbrut

Regarding C: it could be right if IKEv2 fragmentation support is not configured.

5deee77 Options: AC

The answer is A (page 300) and C (page 299), Enterprise_Firewall_7.2_Study_Guide.

rananaj Options: BC

The answer is BC

rananaj

The answer is AC