You are troubleshooting a reported connectivity issue from a remote office whose users are
accessing corporate headquarters via an IPsec VPN connection. You issued a show crypto
isakmp sa command on the headend router, and the state has MM_NO_STATE. Which debug
command should you enter next, and which part of the VPN tunnel establishment process is

failing? (Choose two.)

A.
ISAKMP Phase II

B.
ISAKMP Phase I

C.
debug crypto isakmp sa

D.
debug crypto isakmp

E.
debug crypto ipsec

Explanation:
Troubleshooting Flow
Follow these steps to proceed through the recommended flow for troubleshooting IKE peering:
Step 1. Verify peer reachability using the ping and traceroute commands with the tunnel source
and destination IP addresses on both peers. If connectivity is
verified, proceed to Step 2; otherwise, check the path between the two peers for routing or access
(firewall or access list) issues.
Step 2. Verify the IKE policy on both peers using the show crypto isakmp policy command. Debug
messages revealed by the debug crypto isakmp command will also point out IKE policy
mismatches.
Step 3. Verify IKE peer authentication. The debug crypto isakmp command will display
unsuccessful authentication.
Step 4. Upon successful completion of Steps 13, the IKE SA should be establishing. This can be
verified with
the show crypto isakmp sa command and looking for a state of QM_IDLE.