AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question
An on-premises data center connects to a VPC through a Site-to-Site VPN with two IPsec tunnels. After a firewall firmware upgrade, users can reach the VPC only when Tunnel 2 is active; CloudWatch metrics show TunnelState=Down for Tunnel 1. The VPN logs show repeated Phase 1 failures with the error message "NO_PROPOSAL_CHOSEN." Which firewall change will MOST likely restore stable connectivity through Tunnel 1?
Set the firewall's IKE Phase 1 policy to use AES-256 encryption, SHA-256 integrity, and Diffie-Hellman group 14.
Change Tunnel 1's inside tunnel CIDR to 169.254.100.0/30 so it differs from Tunnel 2.
Enable NAT Traversal (UDP 4500) for both tunnels on the firewall.
Lower the Dead Peer Detection (DPD) interval on the firewall from 30 seconds to 10 seconds.
The error NO_PROPOSAL_CHOSEN indicates that the IKE Phase 1 proposals offered by one peer do not match any proposal accepted by the other. AWS's default Phase 1 parameters for new VPN connections are AES-256 encryption, SHA-256 hashing, and Diffie-Hellman group 14 (2048-bit). After the firmware upgrade, the on-premises firewall is probably proposing a different cipher or DH group, preventing Tunnel 1 from establishing. Aligning its Phase 1 policy with AES-256, SHA-256, and DH 14 allows the proposal exchange to succeed, bringing the tunnel up. Adjusting DPD timers, changing inside tunnel IP ranges, or enabling NAT-T does not address a proposal mismatch and would leave the tunnel down.
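The proposal matching described in the explanation, as an added Python example that is not part of the original question: it models a responder that accepts only the AES-256 / SHA-256 / DH 14 suite named above and reports which fields of each offered suite fail to match. The `Proposal` type, the function names, and the firewall offers are constructed for illustration and are not taken from any real device or AWS API.

```python
from typing import NamedTuple, Optional

class Proposal(NamedTuple):
    encryption: str
    integrity: str
    dh_group: int

# Responder policy: the Phase 1 suite named in the explanation above.
RESPONDER_ACCEPTS = [Proposal("AES-256", "SHA-256", 14)]

# Constructed samples (not from any real device): what the firewall offers.
POST_UPGRADE = [Proposal("AES-256", "SHA-256", 2), Proposal("AES-128", "SHA-1", 14)]
CORRECTED = POST_UPGRADE + [Proposal("AES-256", "SHA-256", 14)]

def select_proposal(offered, accepted=RESPONDER_ACCEPTS) -> Optional[Proposal]:
    """Return the first offered suite the responder accepts in full, else None.
    Attributes are never mixed across suites."""
    for suite in offered:
        if suite in accepted:
            return suite
    return None

def diagnose(offered, accepted=RESPONDER_ACCEPTS):
    """For each offered suite, map each mismatched field to (offered, expected)
    against the closest accepted suite."""
    report = []
    for suite in offered:
        closest = min(accepted, key=lambda a: sum(x != y for x, y in zip(suite, a)))
        diffs = {f: (getattr(suite, f), getattr(closest, f))
                 for f in Proposal._fields if getattr(suite, f) != getattr(closest, f)}
        report.append((suite, diffs))
    return report

def negotiate(offered, accepted=RESPONDER_ACCEPTS):
    """Return ("OK", suite) or ("NO_PROPOSAL_CHOSEN", per-suite mismatch report)."""
    chosen = select_proposal(offered, accepted)
    if chosen is not None:
        return "OK", chosen
    return "NO_PROPOSAL_CHOSEN", diagnose(offered, accepted)

if __name__ == "__main__":
    for name, offer in (("post-upgrade", POST_UPGRADE), ("corrected", CORRECTED)):
        print(name, negotiate(offer))
```

The post-upgrade offer fails even though every accepted attribute appears somewhere in it, because a suite has to match as a whole.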