AWS Certified Advanced Networking – Specialty (ANS-C01) — Question 270

A network engineer needs to build an encrypted connection between an on-premises data center and a VPC. The network engineer attaches the VPC to a virtual private gateway and sets up an AWS Site-to-Site VPN connection. The VPN tunnel is UP after configuration and is working. However, during rekey for phase 2 of the VPN negotiation, the customer gateway device is receiving different parameters than the parameters that the device is configured to support.

The network engineer checks the IPsec configuration of the VPN tunnel. The network engineer notices that the customer gateway device is configured with the most secure encryption algorithms that the AWS Site-to-Site VPN configuration file provides.

What should the network engineer do to troubleshoot and correct the issue?

Answer options

Correct answer: B

Explanation

During Phase 2 rekeying, AWS may propose default parameters that the customer gateway device does not support, causing the tunnel to fail. Checking the native customer gateway logs will reveal the specific mismatch, and restricting the AWS VPN tunnel options to only the parameters supported by the customer gateway will resolve the negotiation failure. Other options are incorrect because the virtual private gateway does not natively log these details to CloudWatch in this manner, and the issue lies with the customer gateway's accepted parameters.