Some of the biggest trouble spots depend on the individual candidate's experience. The exam can be categorized as complex because it tests you on both technological aspects (that is, how things work) and configuration aspects (how to achieve different goals). The problem here is that you need to know both GUI and CLI methods, and most of the time, engineers will know only one. For example, most medium-to-large enterprises use Cisco Security Manager and its linkage to ASDM to manage their ASAs, so their engineers have only a little CLI experience, while small enterprises use CLI only. The bottom line is that you need to know both.
There are also advanced features available in IPsec and SSL VPNs that are not part of common, general deployments, as they are targeted at specific scenarios and architectures. As a result, those pursuing the VPN exam need to take more time to study these topics and practice them on their lab equipment. Remember that no matter how small and insignificant an exam topic may appear to you, as long as it is related to the technology, it is fair game for showing up in the exam.
That being said, the following topics tend to be trouble spots regardless of individual experience:
- Lack of true technology understanding: This usually has two causes: rapid learning by reading only, without practicing, and a poor study approach that focuses on configuration scenarios rather than on the technology itself. This will definitely make a difference when it comes down to troubleshooting scenarios, which only well-prepared engineers can complete, be it on the exam or in real life.
- Advanced VPN topics: This is a common problem on all exams with rarely deployed features, as these are forgotten.
- Interaction of VPN technologies with non-VPN ASA configuration (such as NAT): Because VPN is only a subset of ASA capabilities, VPN sessions will be subject to NAT, routing, advanced protocol inspection, or any other deployed features. This further raises the complexity level and requires a true understanding of the ASA architecture.