Cisco ASA IKEv2 Child SA

goncalvesm
Level 1

Hi!

I searched Google for quite a while but couldn't find an answer for this. Perhaps I am searching in the wrong way or I don't understand the IKEv2 protocol. Perhaps someone could explain...

I have two ASAs with an IKEv2 PSK tunnel between them. When I ping from one side to the network connected to the other side, the first packet is always lost unless I previously had some communication with the target IP. When I issue 'show crypto ikev2 sa detail' I get:

asa# show crypto ikev2 sa detail

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:16

Tunnel-id                 Local                Remote     Status         Role
81724201      102.x.y.z/500   205.a.b.c/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/2095 sec
      Session-id: 1
      Status Description: Negotiation done
      Local spi: C84C36BD085AD240       Remote spi: 38AEA4D3871FF644
      Local id: 102.x.y.z
      Remote id: 205.a.b.c
      Local req mess id: 220            Remote req mess id: 195
      Local next mess id: 220           Remote next mess id: 195
      Local req queued: 220             Remote req queued: 195
      Local window: 1                   Remote window: 1
      DPD configured for 10 seconds, retry 2
      NAT-T is not detected
Child sa: local selector  172.16.0.1/0 - 172.16.0.1/65535
          remote selector 192.168.0.144/0 - 192.168.0.151/65535
          ESP spi in/out: 0x8f7c50b0/0xb3d9ea86
          AH spi in/out: 0x0/0x0
          CPI in/out: 0x0/0x0
          Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
Child sa: local selector  172.16.0.1/0 - 172.16.0.1/65535
          remote selector 192.168.0.224/0 - 192.168.0.227/65535
          ESP spi in/out: 0x3d598811/0xbe125df3
          AH spi in/out: 0x0/0x0
          CPI in/out: 0x0/0x0
          Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
Child sa: local selector  172.16.0.1/0 - 172.16.0.1/65535
          remote selector 192.168.0.216/0 - 192.168.0.219/65535
          ESP spi in/out: 0x47f0888b/0x96e1838b
          AH spi in/out: 0x0/0x0
          CPI in/out: 0x0/0x0
          Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
Child sa: local selector  172.16.0.1/0 - 172.16.0.1/65535
          remote selector 192.168.0.208/0 - 192.168.0.211/65535
          ESP spi in/out: 0x798d64eb/0xa9aeec38
          AH spi in/out: 0x0/0x0
          CPI in/out: 0x0/0x0
          Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel

(... many more Child SAs like these follow)

172.16.0.1 is my machine connected over AnyConnect to the ASA and 192.168.0.x are IP addresses behind the other ASA.

This is what happens from my computer connected over AnyConnect:

$ ping 192.168.0.65
PING 192.168.0.65 (192.168.0.65): 56 data bytes
Request timeout for icmp_seq 0
64 bytes from 192.168.0.65: icmp_seq=1 ttl=253 time=57.747 ms
64 bytes from 192.168.0.65: icmp_seq=2 ttl=253 time=46.186 ms
^C
--- 192.168.0.65 ping statistics ---
3 packets transmitted, 2 packets received, 33.3% packet loss
round-trip min/avg/max/stddev = 46.186/51.966/57.747/5.781 ms

$ ping 192.168.0.66
PING 192.168.0.66 (192.168.0.66): 56 data bytes
64 bytes from 192.168.0.66: icmp_seq=0 ttl=252 time=144.811 ms
64 bytes from 192.168.0.66: icmp_seq=1 ttl=252 time=44.624 ms
64 bytes from 192.168.0.66: icmp_seq=2 ttl=252 time=44.122 ms
^C
--- 192.168.0.66 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 44.122/77.852/144.811/47.347 ms

Notice the first missed packet for the first IP address and the high delay on the first packet for the second IP address.

Is this normal?

Thanks,

Miguel
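The show output above lists one child SA per negotiated remote selector range, so a quick way to tell whether a destination is already covered by an existing child SA (or would still have to trigger a new negotiation) is to parse those selector lines. This is an added example, not code from the post or from Cisco; it assumes the selector and SPI lines keep the exact format shown above and runs over a constructed excerpt built from the post's addresses.

```python
import ipaddress
import re

# Constructed excerpt in the format of `show crypto ikev2 sa detail`
# (two of the child SAs quoted in the post; sample input for this example).
SAMPLE = """\
Child sa: local selector  172.16.0.1/0 - 172.16.0.1/65535
          remote selector 192.168.0.144/0 - 192.168.0.151/65535
          ESP spi in/out: 0x8f7c50b0/0xb3d9ea86
Child sa: local selector  172.16.0.1/0 - 172.16.0.1/65535
          remote selector 192.168.0.224/0 - 192.168.0.227/65535
          ESP spi in/out: 0x3d598811/0xbe125df3
"""

# "local selector  A/port - B/port" and "remote selector A/port - B/port"
SEL = re.compile(r"(local|remote) selector\s+(\S+)/(\d+) - (\S+)/(\d+)")
SPI = re.compile(r"ESP spi in/out: (0x[0-9a-f]+)/(0x[0-9a-f]+)")


def parse_child_sas(text):
    """Return one dict per 'Child sa:' block with its address ranges and SPIs."""
    sas, cur = [], None
    for line in text.splitlines():
        if line.startswith("Child sa:"):
            cur = {}
            sas.append(cur)
        if cur is None:
            continue
        m = SEL.search(line)
        if m:
            side, lo, lo_port, hi, hi_port = m.groups()
            cur[side] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
            cur[side + "_ports"] = (int(lo_port), int(hi_port))
        s = SPI.search(line)
        if s:
            cur["spi_in"], cur["spi_out"] = s.groups()
    return sas


def covering_sa(sas, src, dst):
    """Return the child SA whose local/remote selectors cover src -> dst, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for sa in sas:
        if "local" not in sa or "remote" not in sa:
            continue  # incomplete block, e.g. truncated output
        if sa["local"][0] <= s <= sa["local"][1] and sa["remote"][0] <= d <= sa["remote"][1]:
            return sa
    return None


if __name__ == "__main__":
    sas = parse_child_sas(SAMPLE)
    for dst in ("192.168.0.150", "192.168.0.65"):
        sa = covering_sa(sas, "172.16.0.1", dst)
        print(dst, "-> ESP SPI out", sa["spi_out"] if sa else "no child SA yet")
```

A destination that reports "no child SA yet" has no ESP SA to carry the traffic at that moment, which is the situation the first ping in the post runs into; a fresh `show crypto ikev2 sa detail` taken after the ping should then show a new child SA for it.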
