Check Point Certified Cloud Specialist (CCCS) R82 — Question 39

Joey is configuring a site-to-site VPN with his business partner. On Joey’s site he has a Check Point R80.10 Gateway and his partner uses Cisco ASA 5540 as a gateway.
Joey’s VPN domain on the Check Point Gateway object is manually configured with a group object that contains two network objects:

VPN_Domain3 = 192.168.14.0/24 -

VPN_Domain4 = 192.168.15.0/24 -
Partner’s site ACL as viewed from “show run”
access-list JOEY-VPN extended permit ip 172.26.251.0 255.255.255.0 192.168.14.0 255.255.255.0 access-list JOEY-VPN extended permit ip 172.26.251.0 255.255.255.0 192.168.15.0 255.255.255.0
When they try to establish VPN tunnel, it fails. What is the most likely cause of the failure given the information provided?

Answer options

• A. Tunnel falls on partner site. It is likely that the Cisco ASA 5540 will reject the Phase 2 negotiation. Check Point continues to present its own encryption domain as 192.168.14.0/24 and 192.168.15.0/24, but the peer expects the one network 192.168.14.0/23
• B. Tunnel fails on partner site. It is likely that the Cisco ASA 5540 will reject the Phase 2 negotiation. Check Point continues to present its own encryption domain as 192.168.14.0/23, but the peer expects the two distinct networks 192.168.14.0/24 and 192.168.15.0/24.
• C. Tunnel fails on Joey’s site, because he misconfigured IP address of VPN peer.
• D. Tunnel falls on partner site. It is likely that the Cisco ASA 5540 will reject the Phase 2 negotiation due to the algorithm mismatch.

Correct answer: B

Explanation

The correct answer is B because the Check Point is presenting a single subnet (192.168.14.0/23) instead of the two required distinct subnets (192.168.14.0/24 and 192.168.15.0/24) that the Cisco ASA expects. This mismatch causes the Cisco ASA to reject the Phase 2 negotiation. The other options do not accurately represent the situation described, which centers around the configuration of the encryption domains.