Cisco Certified Internetwork Expert (CCIE) Practice Test

Which two statements about DTLS are true? (Choose two)

• A. It uses two simultaneous IPsec tunnels to carry traffic
• B. If DPD is enabled, DTLS can fall back to a TLS connection
• C. It is disabled by default if you enable SSL VPN on the interface
• D. If DTLS is disabled on an interface, then SSL VPN connections must use SSL/TLS tunnels

The correct answer is: If DPD is enabled, DTLS can fall back to a TLS connection

One of the correct statements regarding DTLS is that if Dead Peer Detection (DPD) is enabled, DTLS can indeed fall back to a TLS connection. This is important because DTLS is designed to operate over UDP, providing low-latency connections suitable for applications requiring real-time communication, like VoIP or gaming. However, in case there are issues maintaining that connection and DPD detects that a peer is unresponsive, DTLS can seamlessly switch to a TLS connection, which operates over TCP. This fallback capability enhances the robustness of the connection by ensuring continued secure communication, thus allowing for resilience in varying network conditions. The context around why other statements do not hold true clarifies the understanding of how DTLS functions in various scenarios. For instance, using two simultaneous IPsec tunnels to carry traffic does not apply to DTLS, as it operates over UDP and does not rely on IPsec. Additionally, DTLS is typically enabled by default when SSL VPN is configured on an interface, contrary to the assertion that it is disabled by default, ensuring DTLS can be leveraged for better performance in SSL VPN solutions. Finally, while it's true that if DTLS is disabled, SSL VPN connections fall back to SSL/TLS tunnels, this does not support