PrepAway - Latest Free Exam Questions & Answers

Which of the following is most likely to indicate that …

Which of the following is most likely to indicate that the configured main mode ISAKMP policy does not match
the policy proposed by the remote peer? (Select the best answer.)

A. AG_NO_STATE

B. MM_NO_STATE

C. AG_AUTH

D. MM_KEY_AUTH

E. QM_IDLE

Explanation:
Of the available choices, the MM_NO_STATE state is most likely to indicate that the configured main mode
Internet Security Association and Key Management Protocol (ISAKMP) policy does not match the policy
proposed by the remote peer. MM_NO_STATE is the first state to occur when setting up
Internet Key Exchange (IKE) security associations (SAs) in main mode. The show crypto isakmp sa command
displays the status of current IKE SAs on the router. MM_NO_STATE indicates that the ISAKMP peers have
created their SAs. However, an exchange that does not move past this stage indicates that main mode has
failed. The following states are used during main mode:
MM_NO_STATE – The peers have created the SA.
MM_SA_SETUP – The peers have negotiated SA parameters.
MM_KEY_EXCH – The peers have exchanged Diffie-Hellman (DH) keys and have generated a shared secret.
MM_KEY_AUTH – The peers have authenticated the SA.
The following states are used during aggressive mode:
AG_NO_STATE – The peers have created the SA.
AG_INIT_EXCH – The peers have negotiated SA parameters and exchanged keys.
AG_AUTH – The peers have authenticated the SA.
Quick mode is used during IKE phase 2. The only state in quick mode is QM_IDLE, which indicates that IKE
phase 1 has completed successfully and that there is an active IKE SA between peers.
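
The explanation's point that only an exchange which "does not move past this stage" signals failure can be checked by comparing two successive captures of show crypto isakmp sa. The following is an added example, not part of the original page or of Cisco's documentation; the function names, the column layout of the sample output and the addresses are constructed assumptions.

```python
import re

# Phase 1 states from the explanation above: state -> (mode, meaning).
STATES = {
    "MM_NO_STATE": ("main", "peers have created the SA"),
    "MM_SA_SETUP": ("main", "peers have negotiated SA parameters"),
    "MM_KEY_EXCH": ("main", "peers have exchanged DH keys"),
    "MM_KEY_AUTH": ("main", "peers have authenticated the SA"),
    "AG_NO_STATE": ("aggressive", "peers have created the SA"),
    "AG_INIT_EXCH": ("aggressive", "peers have negotiated parameters and exchanged keys"),
    "AG_AUTH": ("aggressive", "peers have authenticated the SA"),
    "QM_IDLE": ("quick", "phase 1 completed, IKE SA active"),
}

# One table row: dst, src, state, conn-id, status. Header lines do not match.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]{2}_[A-Z_]+)\s+(\d+)\s+(.+?)\s*$")

def parse_isakmp_sa(text):
    """Return {(dst, src): state} for every SA row in the command output."""
    sas = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            sas[(m.group(1), m.group(2))] = m.group(3)
    return sas

def stalled(first, second):
    """Peers seen in the same pre-QM_IDLE state in two successive snapshots."""
    a, b = parse_isakmp_sa(first), parse_isakmp_sa(second)
    out = []
    for peer, state in sorted(b.items()):
        if state != "QM_IDLE" and a.get(peer) == state:
            mode, meaning = STATES.get(state, ("unknown", "state not listed"))
            hint = "check ISAKMP policy match" if state == "MM_NO_STATE" else meaning
            out.append((peer[0], peer[1], state, mode, hint))
    return out

# Constructed sample output (documentation address ranges), taken a few seconds apart.
SNAP_1 = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.0.2.10      198.51.100.1    QM_IDLE           1001 ACTIVE
192.0.2.20      198.51.100.1    MM_NO_STATE          0 ACTIVE
192.0.2.30      198.51.100.1    MM_KEY_EXCH       1002 ACTIVE
"""
# In the second capture the third peer has progressed to QM_IDLE.
SNAP_2 = SNAP_1.replace("MM_KEY_EXCH", "QM_IDLE")

if __name__ == "__main__":
    for row in stalled(SNAP_1, SNAP_2):
        print(row)
```

The peer that was in MM_KEY_EXCH in the first capture and QM_IDLE in the second is not reported, since it was simply mid-negotiation; only the peer that stays in MM_NO_STATE is flagged.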

Cisco: Most Common DMVPN Troubleshooting Solutions
Cisco: Cisco IOS Security Command Reference: show crypto isakmp sa

