Google Cloud Professional Cloud Network Engineer — Question 191

You are attempting to establish a HA VPN to your on-premises network; however, the VPN connection is not establishing successfully. You have full administrative control over the Google Cloud networking environment and the on-premises firewalls that are acting as the VPN devices. The Google Cloud console shows "Negotiation failure" and "BGP is down". You check Cloud Logging by using a query for resource.type="vpn_gateway" and resource.labels.gateway_id="TUNNEL_ID_NUMBER". Logs Explorer shows frequent log entries:

log name: …/logs/cloud.googleapis.com%2Fipsec_events"
type: "vpn_gateway"
textPayload: "received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built"

You need to troubleshoot the VPN failure and take corrective action based on the Cloud Logging entries. What should you do?

Answer options

• A. Update the Google Cloud BGP session configuration to match the BGP peer ASN on the on-premises side.
• B. Compare and review the Phase 2 settings on the on-premises firewall. Make sure the settings match one of the supported cipher suites for HA VPN.
• C. Create a new Cloud VPN gateway in a region closer to the peer VPN gateway.
• D. Compare the Phase 1 settings and recreate the Cloud VPN tunnel by choosing a different IKE version and pre-shared key.

Correct answer: B

Explanation

The correct answer is B because the 'NO_PROPOSAL_CHOSEN' message indicates that the Phase 2 settings do not match between the local firewall and the Google Cloud VPN. This typically results from mismatched cipher suites. Options A, C, and D may address other aspects of the VPN configuration but do not directly resolve the issue highlighted by the Cloud Logging entries regarding the Phase 2 settings.