ASA Tunnel-Group Lookup for LAN-to-LAN IPSec Connections | Cisco Exam 400-251

ASA Tunnel-Group Lookup Method


Question

Which two statements apply to the method that ASA uses for tunnel-group lookup for LAN-to-LAN IPSec connections when using PSK-based authentication? (Choose two.)

Answers

Explanations


AB.

The ASA (Adaptive Security Appliance) uses a tunnel-group lookup mechanism to establish LAN-to-LAN (L2L) IPSec connections when using PSK (Pre-Shared Key) authentication. This mechanism selects the tunnel-group for an incoming connection based on the peer's IP address or IKE ID.

The correct statements that apply to this method are:

A. If the configuration does not contain the tunnel-group with the IKE ID or peer IP address DefaultRAGroup, DefaultL2LGroup is used instead.

This statement is correct. When the ASA receives an L2L IPSec connection request, it looks for a tunnel-group that matches the peer's IP address or IKE ID. If it does not find a match, it uses the DefaultRAGroup or DefaultL2LGroup tunnel-group, depending on the version of the ASA software. If the ASA is running version 8.3 or later, it uses the DefaultRAGroup by default. If the ASA is running version 8.2 or earlier, it uses the DefaultL2LGroup by default.

B. DefaultL2LGroup is used only if the PSK check in DefaultRAGroup fails.

This statement is incorrect. The DefaultL2LGroup is used if the ASA cannot find a tunnel-group that matches the peer's IP address or IKE ID in the configuration. It is not dependent on the PSK check in the DefaultRAGroup.

C. DefaultRAGroup is used only if the PSK check in DefaultL2LGroup fails.

This statement is incorrect. The DefaultRAGroup is used if the ASA cannot find a tunnel-group that matches the peer's IP address or IKE ID in the configuration. It is not dependent on the PSK check in the DefaultL2LGroup.

D. You can delete and create new default tunnel groups as needed.

This statement is correct. You can delete the DefaultRAGroup and DefaultL2LGroup tunnel-groups and create new ones as needed. However, it is not recommended to delete these default tunnel-groups because they are used by the ASA for L2L IPSec connections when no other tunnel-group matches the peer's IP address or IKE ID.

In summary, the correct statements are A and D. The ASA uses the DefaultRAGroup or DefaultL2LGroup tunnel-group if it cannot find a match in the configuration, and you can delete and create new default tunnel-groups if needed.
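The following ASA configuration fragment is an added illustration (not part of the original question or of Cisco's documentation) of what the lookup keys on: a tunnel-group named after the peer's IP address is matched directly, while DefaultL2LGroup is only reached when no explicit group matches. The peer address 203.0.113.10, the key placeholders and the use of the ASA 8.4+ `ikev1 pre-shared-key` syntax are assumptions.

```cisco
! Added example, not from the original page. Peer address and key values are placeholders.
!
! Explicit per-peer L2L group: the group name is the peer IP address, which is the
! key the ASA uses for tunnel-group lookup on a PSK-authenticated L2L connection.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ! ASA 8.4+ syntax; releases before 8.4 use "pre-shared-key" without the "ikev1" prefix
 ikev1 pre-shared-key <PEER_SPECIFIC_KEY>
!
! Default L2L group: reached only when no tunnel-group matches the peer.
! Weak setting (commented out): a key here is shared by every peer that has no
! explicit group, so any unknown peer holding that key can negotiate into this group.
! tunnel-group DefaultL2LGroup ipsec-attributes
!  ikev1 pre-shared-key <SHARED_FALLBACK_KEY>
!
! Preferred: leave DefaultL2LGroup without a pre-shared key so that unmatched peers
! fail authentication, and give every legitimate peer its own explicit group.
!
! Checks (privileged exec): list the configured groups, then confirm which group an
! established peer actually landed in.
! show running-config tunnel-group
! show vpn-sessiondb detail l2l
```

Defining an explicit tunnel-group per peer is also what makes the lookup deterministic: an unexpected fall-through to DefaultL2LGroup in the session output is a sign that the peer IP or IKE ID on the other side does not match what the ASA was configured with.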