ECMS Practice Question - Jun 4th

SandroZ
Meraki Employee


It is that time of the week where Friday and the ECMS practice question meet in the Meraki community!

Comment below with what you think is the correct answer and remember: if you like the question or the ECMS questions initiative, leave a kudo.

See you in a week with the correct answer!


ECMS practice question


A customer has 3 MX security appliances deployed in 3 different locations. All the MXs are in Routed mode and participate in the VPN topology as hubs. MX 1 and MX 2 report no issue in the dashboard, while MX 3 reports a “NAT unfriendly” warning message in the VPN status page.

Which of the following might be causing the issue?

  1. MX 1 is behind an upstream device that is rewriting the source port when trying to establish the VPN tunnel with MX 3
  2. MX 3 is behind an upstream device that is rewriting the destination port when communicating with the two VPN cloud registries
  3. MX 3 NAT functionality for the LAN to WAN traffic is not configured properly
  4. MX 3 is behind an upstream device that is rewriting different source ports when communicating with the two VPN cloud registries



P.S. We will be sharing new practice questions weekly! If you'd like to receive updates when we do, click the "ECMS Practice" label below and then "Subscribe".

Here you can find previous questions

~~If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.~~

The Meraki ECMS exam is now live! Test your knowledge of Meraki and become an official Cisco Meraki Solutions Specialist. More info on the ECMS exam found here.

For information regarding all of Meraki's training offerings, be sure to check out the Meraki Learning Hub.
wfoteping2101
Here to help

A is the answer.

VPN status page reports an unfriendly NAT or disconnected from VPN Registry

If the Security & SD-WAN > Monitor > VPN status page for a given network reports either "NAT type: Unfriendly" or "VPN Registry: Disconnected", there is likely a device upstream of the MX for that site that is preventing AutoVPN from working correctly.

  • NAT type: Unfriendly indicates that the upstream NAT won't allow the MX to use UDP hole punching to form the tunnel. It is recommended to set NAT traversal to Manual: Port forwarding to bypass this issue.

Site-to-Site VPN Troubleshooting - Cisco Meraki

Bruce
Kind of a big deal

That’s a good one, but tricky. I’m going with D.

KarstenI
Kind of a big deal

Yes, really a good one, but after thinking about it all but one answer can be eliminated:

a) It has to be something with MX 3 that communicates to the internet, not MX1

b) Destination ports are never rewritten (at least not for internet-bound communication)

c) It is traffic that is originated by the MX, the NAT config is not relevant here

d) The hole-punching needs the source-port to stay the same, so this is the correct answer
cmr
Kind of a big deal

A well written question this week with answers that really make you think. Have to agree with @Bruce and @KarstenI here 🙂

Inderdeep
Kind of a big deal

@SandroZ : It's tricky, yes. I will go with D

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
SandroZ
Meraki Employee

It was not my intention to trick anybody, but sometimes, to not give away the answer, the wording might end up convoluted 🙃

The correct answer is D

The NAT unfriendly event is triggered by inconsistent information (port/IP address) between multiple VPN Registries.

https://documentation.meraki.com/MX/Site-to-site_VPN/Meraki_Auto_VPN_-_Configuration_and_Troubleshoo...

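The registry check that KarstenI's elimination and SandroZ's explanation describe, as an added toy model (not Meraki's code): the MX sends to two registries from one internal socket, each registry records the public IP:port it saw, and the dashboard state is derived from whether the two observations agree. The Nat class, registry addresses and port numbers below are constructed for the illustration.

```python
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, Iterator, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class Nat:
    """Constructed model of the device upstream of an MX.

    symmetric=False: one external port per internal socket (hole punching works).
    symmetric=True:  a fresh external port per destination, i.e. answer D's
                     "rewriting different source ports" towards the registries.
    """
    public_ip: str
    symmetric: bool = False
    _ports: Iterator[int] = field(default_factory=lambda: count(40000))
    _table: Dict[object, int] = field(default_factory=dict)

    def translate(self, internal: Endpoint, dest: Endpoint) -> Endpoint:
        key = (internal, dest) if self.symmetric else internal
        if key not in self._table:
            self._table[key] = next(self._ports)
        return (self.public_ip, self._table[key])


def probe_registries(nat: Optional[Nat], internal: Endpoint,
                     registries: List[Endpoint],
                     reachable: Optional[Set[Endpoint]] = None
                     ) -> Dict[Endpoint, Optional[Endpoint]]:
    """What each registry observed as the MX's public endpoint (None = no reply)."""
    reachable = set(registries) if reachable is None else reachable
    seen: Dict[Endpoint, Optional[Endpoint]] = {}
    for reg in registries:
        if reg not in reachable:
            seen[reg] = None
        else:
            seen[reg] = nat.translate(internal, reg) if nat else internal
    return seen


def classify_nat(observations: Dict[Endpoint, Optional[Endpoint]]) -> str:
    """Map the observations onto the states named on the VPN status page."""
    answers = [o for o in observations.values() if o is not None]
    if len(answers) < len(observations):
        return "VPN Registry: Disconnected"
    if len(set(answers)) > 1:  # registries disagree on IP or port
        return "NAT type: Unfriendly"
    return "NAT type: Friendly"


# constructed sample values (RFC 5737 documentation ranges)
REGISTRIES: List[Endpoint] = [("198.51.100.1", 32768), ("198.51.100.2", 32768)]
MX3_SOCKET: Endpoint = ("10.0.0.1", 32768)
```

Running the symmetric case gives "NAT type: Unfriendly" because the second registry sees a different source port than the first, which is exactly the inconsistency SandroZ points to.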
Inderdeep
Kind of a big deal

@SandroZ : we know your tricks and we got the right answers 😀

Thanks for these initiatives !
