Palo Alto Networks NGFW Engineer — Question 38
After an engineer configures an IPSec tunnel with a Cisco ASA, the Palo Alto Networks firewall generates system messages reporting the tunnel is failing to establish.
Which of the following actions will resolve this issue?
Answer options
- A. Ensure that an active static or dynamic route exists for the VPN peer with next hop as the tunnel interface.
- B. Configure the Proxy IDs to match the Cisco ASA configuration.
- C. Check that IPSec is enabled in the management profile on the external interface.
- D. Validate the tunnel interface VLAN against the peer’s configuration.
Correct answer: B
Explanation
The correct answer is B: the Proxy IDs configured on the Palo Alto Networks firewall must match the Cisco ASA's configuration, because the tunnel establishes only when the Proxy IDs agree on both ends. The other options are relevant to the overall VPN configuration, but none of them addresses a Proxy ID mismatch, which is often the critical issue causing the tunnel to fail.