Not all candidates have the same level of knowledge and experience for all of the exam topics. The exam can be complex because it tests you on both general technical aspects to address your level of understanding, as well as on configuration related scenarios for achieving a given requirement. One problem here is that you need to know both GUI and CLI methods for achieving a goal, and most of the time engineers will know one or the other but not both. For example, most medium-to-large enterprises use Cisco Security Manager and linkage to ASDM to manage their ASA’s firewall policies and CLI only for troubleshooting purposes. But bottom line: you need to know both very well.
Advanced features that are available in IPsec and SSL VPN topics (which are not part of common, general deployments) are targeted for specific scenarios and architectures, and thus need to be known as well. As a result, those pursuing the VPN exam need to allocate more time for study theory and practicing on their lab equipment. Remember that no matter how small and insignificant an exam topic may appear to you, as long as it is related to the blueprint, it is fair game showing up in the exam.
A lack of true technology understanding or advanced VPN topics and interaction of VPN technologies with non-VPN ASA configurations such as NAT can be a major trouble spot. Lack of true technology understanding usually has two causes: quick learning by only reading without practicing on real equipment, and a bad approach for studying with focus on configuration scenarios and not on the technology itself. This will definitely make a difference when it comes down to troubleshooting scenarios, where only skilled engineers can solve an issue, be it on the exam or real-life scenarios.
As for advanced VPN topics, this is common problem on all exams with not-commonly deployed features, as these are hard to remember. For at least the scope of the exam, know these features. Because VPN is only a subset of ASA capabilities, VPN sessions will be subject to NAT, routing, advanced protocol inspection, or other deployed features. This will further raise the complexity level and require true understanding of ASA architecture as well. If you lack this knowledge, read the FIREWALL course on required chapters.