Hi!
I searched Google for quite a while but couldn't find an answer for this. Perhaps I am searching in the wrong way or I don't understand the IKEv2 protocol. Perhaps someone could explain...
I have two ASAs with an IKEv2 PSK tunnel between them. When I ping from one side to the network connected to the other side, the first packet is always lost unless I previously had some communication with the target IP. When I issue 'show crypto ikev2 sa detail' I get:
asa# show crypto ikev2 sa detail
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:16
Tunnel-id Local Remote Status Role
81724201 102.x.y.z/500 205.a.b.c/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/2095 sec
Session-id: 1
Status Description: Negotiation done
Local spi: C84C36BD085AD240 Remote spi: 38AEA4D3871FF644
Local id: 102.x.y.z
Remote id: 205.a.b.c
Local req mess id: 220 Remote req mess id: 195
Local next mess id: 220 Remote next mess id: 195
Local req queued: 220 Remote req queued: 195
Local window: 1 Remote window: 1
DPD configured for 10 seconds, retry 2
NAT-T is not detected
Child sa: local selector 172.16.0.1/0 - 172.16.0.1/65535
remote selector 192.168.0.144/0 - 192.168.0.151/65535
ESP spi in/out: 0x8f7c50b0/0xb3d9ea86
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
Child sa: local selector 172.16.0.1/0 - 172.16.0.1/65535
remote selector 192.168.0.224/0 - 192.168.0.227/65535
ESP spi in/out: 0x3d598811/0xbe125df3
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
Child sa: local selector 172.16.0.1/0 - 172.16.0.1/65535
remote selector 192.168.0.216/0 - 192.168.0.219/65535
ESP spi in/out: 0x47f0888b/0x96e1838b
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
Child sa: local selector 172.16.0.1/0 - 172.16.0.1/65535
remote selector 192.168.0.208/0 - 192.168.0.211/65535
ESP spi in/out: 0x798d64eb/0xa9aeec38
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
(... many more Child SAs like these follow)
172.16.0.1 is my machine connected over AnyConnect to the ASA and 192.168.0.x are IP addresses behind the other ASA.
This is what happens from my computer connected over AnyConnect:
$ ping 192.168.0.65
PING 192.168.0.65 (192.168.0.65): 56 data bytes
Request timeout for icmp_seq 0
64 bytes from 192.168.0.65: icmp_seq=1 ttl=253 time=57.747 ms
64 bytes from 192.168.0.65: icmp_seq=2 ttl=253 time=46.186 ms
^C
--- 192.168.0.65 ping statistics ---
3 packets transmitted, 2 packets received, 33.3% packet loss
round-trip min/avg/max/stddev = 46.186/51.966/57.747/5.781 ms
$ ping 192.168.0.66
PING 192.168.0.66 (192.168.0.66): 56 data bytes
64 bytes from 192.168.0.66: icmp_seq=0 ttl=252 time=144.811 ms
64 bytes from 192.168.0.66: icmp_seq=1 ttl=252 time=44.624 ms
64 bytes from 192.168.0.66: icmp_seq=2 ttl=252 time=44.122 ms
^C
--- 192.168.0.66 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 44.122/77.852/144.811/47.347 ms
Notice the first missed packet for the first IP address and the high delay on the first packet for the second IP address.
Is this normal?
Thanks,
Miguel
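An added diagnostic helper, not part of Miguel's post or of any Cisco tooling: it parses the "Child sa:" records of a 'show crypto ikev2 sa detail' dump and reports which child SA, if any, already covers a given source/destination pair. One thing a practitioner would want to check against such a dump is whether the destinations that lose or delay their first ping fall outside every existing child SA's remote selector: when no child SA covers a flow, the first packet has to trigger a CREATE_CHILD_SA exchange, and narrow remote selectors (8 and 4 addresses in the records quoted above) mean many destinations each need their own negotiation. The embedded dump is a constructed excerpt of the first two child SAs from the post; the function names, the dataclass and the hypothetical file argument are this example's own.

```python
"""Check which IKEv2 child SA covers a flow, from an ASA 'show crypto ikev2 sa detail' dump."""
import ipaddress
import re
import sys
from dataclasses import dataclass

# Constructed sample: the first two child SA records from the post's output.
SAMPLE_DUMP = """\
Child sa: local selector 172.16.0.1/0 - 172.16.0.1/65535
remote selector 192.168.0.144/0 - 192.168.0.151/65535
ESP spi in/out: 0x8f7c50b0/0xb3d9ea86
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
Child sa: local selector 172.16.0.1/0 - 172.16.0.1/65535
remote selector 192.168.0.224/0 - 192.168.0.227/65535
ESP spi in/out: 0x3d598811/0xbe125df3
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
"""

# Selector lines look like: "remote selector 192.168.0.144/0 - 192.168.0.151/65535"
SEL_RE = re.compile(r"(local|remote) selector (\S+)/(\d+) - (\S+)/(\d+)")
SPI_RE = re.compile(r"ESP spi in/out: (0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+)")


@dataclass
class ChildSA:
    local_lo: ipaddress.IPv4Address
    local_hi: ipaddress.IPv4Address
    remote_lo: ipaddress.IPv4Address
    remote_hi: ipaddress.IPv4Address
    spi_in: str
    spi_out: str

    def remote_size(self) -> int:
        """Number of remote addresses this SA can carry traffic for."""
        return int(self.remote_hi) - int(self.remote_lo) + 1

    def covers(self, src, dst) -> bool:
        """True if both selectors admit the src -> dst pair (ports are ignored; the dump shows 0-65535)."""
        return (self.local_lo <= src <= self.local_hi
                and self.remote_lo <= dst <= self.remote_hi)


def parse_child_sas(text: str) -> list:
    """Return one ChildSA per 'Child sa:' record in the dump."""
    sas, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Child sa:"):
            cur = {}  # new record; this same line also carries the local selector
        m = SEL_RE.search(line)
        if m and cur is not None:
            side, lo, _plo, hi, _phi = m.groups()
            cur[side] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        m = SPI_RE.search(line)
        if m and cur is not None and "local" in cur and "remote" in cur:
            sas.append(ChildSA(*cur["local"], *cur["remote"], m.group(1), m.group(2)))
            cur = None  # the ESP SPI line completes the record
    return sas


def covering_sa(sas, src: str, dst: str):
    """First child SA whose selectors admit src -> dst, or None if the flow
    would have to trigger a new CREATE_CHILD_SA exchange before it can be sent."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for sa in sas:
        if sa.covers(s, d):
            return sa
    return None


def report(sas, src: str, dsts) -> dict:
    """Map each destination to the inbound SPI of the covering SA, or None."""
    out = {}
    for dst in dsts:
        sa = covering_sa(sas, src, dst)
        out[dst] = sa.spi_in if sa else None
    return out


if __name__ == "__main__":
    # Usage: python ikev2_child_sa_check.py [saved_dump.txt]; defaults to the embedded sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    sas = parse_child_sas(text)
    print(f"{len(sas)} child SAs; remote selector sizes: {[sa.remote_size() for sa in sas]}")
    for dst, spi in report(sas, "172.16.0.1", ["192.168.0.145", "192.168.0.65"]).items():
        print(dst, "->", spi if spi else "no covering child SA (first packet must negotiate)")
```

Run it against the full saved dump and the destinations from the ping tests: a destination that maps to no existing child SA is consistent with the first packet being consumed by the negotiation, while a destination that is already covered but still loses its first packet points elsewhere (ARP on the far side, a stateful inspection path, or the peer's own SA state) and is worth a 'debug crypto ikev2' capture on both ASAs.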