Palo Alto Networks Certified Network Security Consultant (PCNSC) — Question 15
A customer is adding a new site-to-site tunnel from a Palo Alto Networks NGFW to a third party with a policy-based VPN peer. After the initial configuration is completed and the changes are committed, phase 2 fails to establish.
Which two changes may be required to fix the issue? (Choose two.)
Answer options
- A. Add proxy IDs to the IPsec tunnel configuration.
- B. Verify that the certificate used for authentication is installed.
- C. Enable the NAT Traversal advanced option.
- D. Verify that PFS is enabled on both ends.
Correct answer: A, C
Explanation
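A policy-based VPN peer negotiates phase 2 using specific local and remote subnet pairs, while the Palo Alto Networks firewall is route-based and proposes 0.0.0.0/0 for both sides unless proxy IDs are configured. Adding proxy IDs that match the peer's policy lets the two endpoints agree on which traffic the tunnel carries, which is why option A is correct. Enabling NAT Traversal (option C) helps when NAT devices sit in the path between the VPN endpoints. The other options, while potentially relevant, do not directly address the phase 2 establishment failure in this context.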