Using the Monitoring Tools

This section describes the monitoring tools in detail. It contains the following topics:

Monitoring the System

This topic contains:

Monitoring System Properties

The system properties include everything from the name and IP address of the device to the resource usage on the Routing Engine.

To view these system properties, select Monitor>Dashboard (SRX-series devices) or Monitor>System (J-series devices) in the J-Web interface.

Note: The J-Web interface framework used on the SRX-series devices is based on panes. Each pane acts as a separate frame that can be viewed, dragged, minimized, maximized, or hidden. The J-Web user interface has eight panes: System identification, Resource utilization, Security resources, System alarms, File usage, Login sessions, Chassis status, and Storage usage.

Only the first three panes are displayed by default. To view the other system properties, click the Preferences icon at the top right corner of the page. You can also set the refresh interval at which the data on the system properties is updated automatically.

Alternatively, you can view system properties by entering the following show commands in the CLI configuration editor:

Table 120 through Table 125 summarize key output fields in the system properties displays.

Table 120: System Identification—Summary of Key System Properties Output Fields

Field

Values

Additional Information

System Identification

Serial Number

Serial number for the device.

 

Host Name

Hostname of the device, as defined with the set system hostname command.

 

Software Version

Release version of the JUNOS software running on the device.

 

System Up Time

The time when the system was last booted, in days and hours.

 

System Time

Current system time, in Coordinated Universal Time (UTC).

 

Table 121: System Health—Summary of Key System Properties Output Fields

Field

Values

Additional Information

CPU

CPU usage by all processes, expressed as a percentage of the total CPU available.

Note: On SRX-series services gateways, the capacity of the device is determined by the total number of Security Processing Units (SPUs) installed in the device.

Top 5 CPU-Consuming Processes

Process ID

Process identifier.

This is the PID field in the show system processes command output.

Process Owner

Name of the process owner.

 

Process Name

Command that is currently running.

Individual processes on the device are listed here. Because each process within JUNOS operates in a protected memory environment, you can diagnose whether a particular process is consuming an abnormal amount of resources.

If a software process is using too much CPU or memory, you can restart the process by entering the restart command from the CLI.

CPU Usage

Percentage of the CPU that is being used by the process.

Note: On SRX-series services gateways, CPU and memory utilization are measured by monitoring the FPC card that hosts the SPUs.

Show complete process information

Select to display the software processes running on the device. See Table 125.

Memory

Percentage of the installed RAM being used by all processes.

 

Process ID

Process identifier.

This is the PID field in the show system processes command output.

Process Owner

Name of the process owner.

 

Process Name

Command that is currently running.

Individual processes on the device are listed here. Because each process within JUNOS operates in a protected memory environment, you can diagnose whether a particular process is consuming an abnormal amount of resources.

If a software process is using too much CPU or memory, you can restart the process by entering the restart command from the CLI.

Memory Usage

Percentage of the installed RAM that is being used by the process.

 

Show complete process information

Select to display the software processes running on the device. See Table 125.

Storage

Percentage of space used for a particular CompactFlash card.

Storage usage table displays the used space per media type. For example:

  • CompactFlash card
  • USB

Storage Usage

Media

Type of memory device.

 

Total

Total size, in megabytes, of the primary memory device.

 

Usable

Total usable memory, in megabytes, of the primary memory device.

The total usable memory is the total memory minus the size of the JUNOS image installed on the device.

Used

Total memory used, in megabytes and as a percentage of the total usable memory size, of the primary memory device.

 

Usage

Percentage of the memory that is being used by the process.

 

File System Usage

File Type

Type of log files on the device.

 

Size

Size, in kilobytes, of the files on the device.

 

Log Files

Total size, in kilobytes, of the log files on the device.

This is the sum of file sizes in the /var/log directory.

Temporary Files

Total size, in kilobytes, of the temporary files on the device.

This is the sum of the file sizes in the /var/tmp directory.

Crash (Core) Files

Total size, in kilobytes, of the core files on the device.

This is the sum of the file sizes in the /var/crash directory.

Database Files

Total size, in kilobytes, of the configuration database files on the device.

This is the sum of the file sizes in the /var/db directory.

Chassis Status

Status of the device chassis:

  • OK (green)—Normal operation
  • Failure (red)—Failed
 

Chassis Component Temperature

Name

Chassis component. For J-series devices, the chassis components are the Routing Engine and the fans.

 

Gauge Status

Status of the temperature gauge on the specified hardware component.

 

Temperature

Temperature of the air flowing past the hardware component.

 

Chassis Fan Status

Name

Chassis component. For J-series devices, the chassis components are the Routing Engine, the Physical Interface Module (PIM) slot number (identified in the display as an FPC), and the PIM number (identified in the display as a PIC).

On J-series devices, an FPC and a PIM are the same physical unit. The PIM number is always 0.

Status

Status of the fans that are regulated by JUNOS software:

  • OK
  • Testing (when the device is powered on)
  • Failed
  • Absent
 

Fan Speed

Speed of the fans: normal or high speed.

Speed is adjusted automatically according to the current temperature.

Chassis Power Supplies

Name

Chassis component. For J-series devices, the chassis components are the Routing Engine, the Physical Interface Module (PIM) slot number (identified in the display as an FPC), and the PIM number (identified in the display as a PIC).

On J-series devices, an FPC and a PIM are the same physical unit. The PIM number is always 0.

Power Supply Status

Status of the power supply.

 

Temperature

Temperature of the air passing by the PIM, in degrees Celsius or in both Celsius and Fahrenheit.

 

Table 122: Key Elements Monitoring—Summary of Key System Properties Output Fields

Field

Values

Additional Information

Resource Utilization

Total

Total number of device resources present on the device.

 

Link Up

Services link is up.

The link between the device and its services module is available.

Link Down

Services link is down.

The link between the device and its services module is unavailable.

Details

Link to the page that monitors the interfaces present on the device.

Click the link to display the page. For a description, see Monitoring the Interfaces for J-series Devices.

Security Resources

Maximum

Maximum number of security resources available on the device.

 

Configured

Number of security resources configured.

 

Activated

Number of configured security resources that are activated.

 

Details

Links to related monitor pages. Click the link to display the page.

 

Table 123: Login Sessions—Summary of Key System Properties Output Fields

Field

Values

Additional Information

Active User Count

Total number of users currently logged into the device.

This number also includes users logged in through the J-Web interface.

User

Username of any user logged into the device.

 

TTY

Terminal through which the user is logged in.

 

From

System from which the user has logged in. A hyphen indicates that the user is logged in through the console.

 

Login Time

Time when the user logged in.

This is the LOGIN@ field in show system users command output.

Idle Time

How long the user has been idle.

 

Commands

Processes that the user is running.

This is the WHAT field in show system users command output.
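
The login-session fields above (User, TTY, From, Login Time, Idle Time, Commands) are the same columns that show system users prints. The following is an added example, not part of this guide or of Junos OS: it parses that output into records and reports sessions from sources outside an allow-list and sessions idle past a limit. The column layout (USER TTY FROM LOGIN@ IDLE WHAT), the idle-time formats, and the sample output are assumptions constructed for the example, not captured from a device.

```python
"""Parse `show system users` output and flag sessions worth a second look.

Added example, not Juniper code. The column layout (USER TTY FROM LOGIN@
IDLE WHAT) follows the fields named in Table 123; the sample output below is
constructed, not captured from a device.
"""
import re
from dataclasses import dataclass

# Constructed sample: a console login, a remote login, and an idle remote login.
SAMPLE_OUTPUT = """\
 8:28PM  up 1 day, 13:59, 3 users, load averages: 0.01, 0.01, 0.00
USER     TTY      FROM                              LOGIN@  IDLE WHAT
root     d0       -                                 Mon07PM 2days -cli (cli)
admin    p0       192.0.2.10                          7:25PM     - cli
backup   p1       198.51.100.7                        6:02PM    45 -cli (cli)
"""


@dataclass
class Session:
    user: str
    tty: str
    source: str       # "-" means the user is on the console (Table 123, From)
    login_at: str     # the LOGIN@ column
    idle: str         # assumed formats: "-", "N" minutes, "HH:MM", "Ndays"
    command: str      # the WHAT column

    @property
    def is_console(self) -> bool:
        return self.source == "-"

    def idle_minutes(self) -> int:
        """Convert the IDLE column to minutes (formats are an assumption)."""
        if self.idle == "-":
            return 0
        m = re.fullmatch(r"(\d+)days?", self.idle)
        if m:
            return int(m.group(1)) * 24 * 60
        if ":" in self.idle:
            hours, minutes = self.idle.split(":")
            return int(hours) * 60 + int(minutes)
        return int(self.idle)


def parse_system_users(text: str) -> list[Session]:
    """Return one Session per row after the USER/TTY header line."""
    sessions: list[Session] = []
    lines = text.splitlines()
    try:
        start = next(i for i, l in enumerate(lines) if l.startswith("USER")) + 1
    except StopIteration:
        return sessions
    for line in lines[start:]:
        if not line.strip():
            continue
        # WHAT may itself contain spaces, so split into at most six columns.
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        sessions.append(Session(*parts))
    return sessions


def review_sessions(sessions, allowed_sources, idle_limit_min=30):
    """Findings: remote logins from outside the allow-list, and idle sessions."""
    findings = []
    for s in sessions:
        if not s.is_console and s.source not in allowed_sources:
            findings.append(f"{s.user} on {s.tty}: login from unexpected source {s.source}")
        if s.idle_minutes() >= idle_limit_min:
            findings.append(f"{s.user} on {s.tty}: idle for {s.idle_minutes()} min")
    return findings


if __name__ == "__main__":
    for finding in review_sessions(parse_system_users(SAMPLE_OUTPUT), {"192.0.2.10"}):
        print(finding)
```

The allow-list and idle limit are policy inputs; on a real device the same check can be run against the output of the CLI command rather than the constructed sample.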

Table 124: System Most Recent Alarms—Summary of Key System Properties Output Fields

Field

Values

Additional Information

System Active Alarms

Total number of active alarms logged on the device.

 

Most Recent System Alarms

Received At

Date and time when the alarm condition was detected.

 

Severity

Alarm severity—either major (red) or minor (yellow).

A major (red) alarm condition requires immediate action. A minor (yellow) condition requires monitoring or maintenance.

Subject

Brief synopsis of the alarm.

Clicking the alarm subject displays a detailed alarm message.

System Log Message Statistics

Select Log File

Specifies the name of a system log file for which you want to display the recorded events.

To specify events recorded in a particular file, select the system log filename from the list—for example, messages.

Total Alarms Log

Total number of alarms logged on the device.

 

Most Recent System Logs

Received At

Date and time when the event was detected.

 

Severity

Severity of events occurring on the device and recorded in the system log. A severity level indicates how seriously the event affects device functions.

The severity levels of events are

  • Unknown (gray)—Indicates no severity level is specified.
  • Debug/Info/Notice (green)—Indicates conditions that are not errors but are of interest or might warrant special handling.
  • Warning (yellow)—Indicates conditions that warrant monitoring.
  • Error (blue)—Indicates standard error conditions that generally have less serious consequences than errors in the emergency, alert, and critical levels.
  • Critical (pink)—Indicates critical conditions, such as hard drive errors.
  • Alert (orange)—Indicates conditions that require immediate correction, such as a corrupted system database.
  • Emergency (red)—Indicates system panic or other conditions that cause the routing platform to stop functioning.

Description

Displays a more detailed explanation of the message.

 

Table 125: Process Information—Summary of Key System Properties Output Fields

Field

Values

Additional Information

Process ID

Identifier of the process.

 

Effective User

Owner of the process.

 

Command

Command that is currently running.

 

Terminal

Terminal on which the command is running.

 

Status

Current status of the process.

 

Sleep state

Sleep state of the process.

 

Start time

Time of day when the process started.

 

Monitoring the Chassis

The chassis properties include the status of active chassis alarms on the device, environment measurements, a summary of the field-replaceable units (FRUs), the Routing Engine, and the status of the Physical Interface Modules (PIMs) on the device. To view these chassis properties, select Monitor>Chassis in the J-Web interface, or enter the following CLI show commands:

Caution: Do not install a combination of PIMs in a single chassis that exceeds the maximum power and heat capacity of the chassis. If J-series power management is enabled, PIMs that exceed the maximum power and heat limits remain offline when the chassis is powered on. To check PIM power and heat status, use the show chassis fpc and show chassis power-ratings commands. For more information, see the J Series Services Routers Hardware Guide.

Table 126 summarizes key output fields in chassis displays.

Table 126: Summary of Key Chassis Output Fields

Field

Values

Additional Information

Alarm Summary 

Alarm Time

Date and time the alarm was first recorded.

 

Alarm Class

Severity class for this alarm: Minor or Major.

JUNOS has system-defined alarms and configurable alarms. System-defined alarms include FRU detection alarms (power supplies removed, for instance) and environmental alarms. The values for these alarms are defined within JUNOS.

Configurable alarms are set in either of the following ways:

  • In the J-Web configuration editor, on the Chassis>Alarm>interface-type page
  • In the CLI configuration editor, with the alarm statement at the [edit chassis] level of the configuration hierarchy

For details, see Configuring and Monitoring Alarms.

Alarm Description

A brief synopsis of the alarm.

 

Environment Information

Name

Chassis component. For J-series devices, the chassis components are the Routing Engine and the fans.

 

Gauge Status

Status of the temperature gauge on the specified hardware component.

 

Temperature

Temperature of the air flowing past the hardware component.

 

Fan Status

Status of the fans that are regulated by JUNOS software:

  • OK
  • Testing (when the device is powered on)
  • Failed
  • Absent

Status of the fans that are regulated by the SRX-series software:

  • Normal
  • Intermediate
  • High Speed
 

Fan Speed

Speed of the fans: normal or high speed.

Speed is adjusted automatically according to the current temperature.

Hardware Summary  

Name

Chassis component. For J-series devices, the chassis components are the Routing Engine, the Physical Interface Module (PIM) slot number (identified in the display as an FPC), and the PIM number (identified in the display as a PIC).

For SRX-series devices, the chassis components are the Switch Control Board (SCB), Routing Engine (RE), Application Processing Card (APC), Security Processing Card (SPC), Input/Output Card (IOC), Network Processing Card (NPC), Power Module (PWM), and Front Panel Display (FPD).

On J-series devices, an FPC and a PIM are the same physical unit. The PIM number is always 0.

Version

Revision level of the specified hardware component.

Supply the version number when reporting any hardware problems to customer support.

Part Number

Part number of the chassis component.

 

Serial Number

Serial number of the chassis component. The serial number of the backplane is also the serial number of the device chassis.

Use this serial number when you need to contact customer support about the device chassis.

Description

Brief description of the hardware item.

For the J-series PIMs, the description lists the number and type of the ports on the PIM—identified in the display as a PIC.

FPC Summary

Slot

FPC or PIM slot number.

On the J-series devices, an FPC and a PIM are the same physical unit.

Note: On the SRX-series services gateway, the CPU and memory utilizations are displayed only if the specified FPC <fpc slot> has the SPU units on it.

State

State of the slot:

  • Dead—Held in reset because of errors.
  • Diag—Slot is being ignored while the FPC or PIM is running diagnostics.
  • Dormant—Held in reset.
  • Empty—No FPC or PIM is present.
  • Online—FPC or PIM is online and running.
  • Probed—Probe is complete. The FPC is awaiting restart of the Packet Forwarding Engine (PFE).
  • Probe-wait—The FPC is waiting to be probed.

Note: On the SRX-series services gateway, an FPC can also be in the offline state. You might take an FPC offline because of an error or because the FPC is not responding. To take an FPC offline, use the CLI command request chassis fpc slot slot-number offline.

Temp (C)

Temperature of the air passing by the FPC, in degrees Celsius.

J-series devices do not monitor and report the temperature of PIMs.

CPU Utilization (%)

Total—Total percentage of CPU being used by the FPC or PIM processor.

Interrupt—Of the total CPU being used by the FPC or PIM processor, the percentage being used for interrupts.

Note: On the SRX-series services gateway, the CPU and memory utilizations are displayed only if the specified FPC <fpc slot> has the Services Processing Unit (SPU) units on it.

Use the show security monitoring fpc <fpc slot> command to monitor the CPU utilization per SPU.

For more information, see the Junos OS CLI Reference.

Memory DRAM (MB)

Total DRAM, in megabytes, available to the FPC or PIM processor.

 

Utilization (%)

Heap—Percentage of heap space (dynamic memory) being used by the FPC or PIM processor.

Buffer—Percentage of buffer space being used by the FPC or PIM processor for buffering internal messages.

If the heap space utilization exceeds 80 percent, a memory leak might be occurring.

Note: The memory utilization of the SRX-series services gateway is determined by the memory used by the number of SPUs installed in the device.

Use the show security monitoring fpc <fpc slot> command to monitor the memory utilization per SPU.

For more information, see the Junos OS CLI Reference.

Routing-engine Summary

Slot

Slot number for the routing engine.

 

Current State

State of the routing engine.

Note: The SRX 3400 and SRX 3600 series have only one routing engine. If the state is “offline,” the routing engine is powered off.

Temperature

Temperature of the air flowing past the routing engine.

 

DRAM

Total DRAM, in megabytes, available to the routing engine.

 

Memory Utilization

Percentage of memory being used by the routing engine.

 

CPU Utilization

Total percentage of CPU being used by the routing engine:

User—Of the total CPU being used by the routing engine, the percentage used by user processes.

Background—Of the total CPU being used by the routing engine, the percentage used by background processes.

Kernel—Of the total CPU being used by the routing engine, the percentage used by the kernel.

Interrupt—Of the total CPU being used by the routing engine, the percentage used for interrupts.

Idle—Grace period after ending user sessions.

 

Model

Model of the routing engine.

 

Serial ID

Serial number of the routing engine.

 

Start Time

Time of day when the routing engine was started.

 

Uptime

Length of time for which the routing engine has been operational.

 

IOC to NPC Mapping

An Input/Output Card (IOC) to Network Processing Card (NPC) mapping assigns each IOC to exactly one NPC; however, several IOCs can be mapped to the same NPC. To balance the processing load across the NPCs on the SRX 3400 and SRX 3600 services gateways, the chassis process (daemon) runs an algorithm that performs the mapping: it maps each IOC to the NPC that has the fewest IOCs already mapped to it. You can also use the command-line interface (CLI) to assign a specific IOC to a specific NPC. When you configure a mapping, the chassis process applies your configuration first and then uses the least-number NPC algorithm for the remaining IOCs.

You can configure the IOC to NPC mapping using the following example:

set chassis ioc-npc-connectivity {ioc slot-number npc (none | slot-number);}

The set chassis ioc-npc-connectivity options are described in Table 127:

Table 127: IOC to NPC Connectivity Options

Option

Description

ioc slot-number

Specify the IOC slot number. Range is 0 through 7 for SRX 3400 devices and 0 through 12 for SRX 3600 devices.

npc slot-number

Specify the NPC slot number. Range is 0 through 7 for SRX 3400 devices and 0 through 12 for SRX 3600 devices.

none

The chassis process maps the connection for the particular IOC.

Note: You must restart the chassis control process after you commit the set chassis ioc-npc-connectivity CLI command.
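
The two-pass assignment described above (explicit ioc-npc-connectivity entries first, then the least-number NPC rule for the remaining IOCs) can be checked before a commit by simulating it. The following is an added example, not Juniper code and not the chassis process's implementation: the slot range check, the treatment of npc none as "leave it to the algorithm", and tie-breaking by the lowest NPC slot are assumptions made for illustration.

```python
"""Simulate the IOC-to-NPC assignment described for SRX 3400/3600 chassis.

Added example, not Juniper code. Explicit entries are honoured first; every
remaining IOC goes to the NPC with the fewest IOCs already mapped to it.
Assumptions: slot numbers are validated against the documented range, an
entry of None stands for "npc none", and ties go to the lowest NPC slot.
"""

SRX3400_MAX_SLOT = 7    # slots 0 through 7 (Table 127)
SRX3600_MAX_SLOT = 12   # slots 0 through 12 (Table 127)


def map_iocs_to_npcs(iocs, npcs, configured=None, max_slot=SRX3400_MAX_SLOT):
    """Return {ioc_slot: npc_slot}.

    iocs, npcs: slot numbers of the installed cards.
    configured: {ioc_slot: npc_slot or None}; None defers to the algorithm.
    """
    configured = configured or {}
    for slot in list(iocs) + list(npcs) + list(configured):
        if not 0 <= slot <= max_slot:
            raise ValueError(f"slot {slot} outside 0..{max_slot}")
    if not npcs:
        raise ValueError("no NPC installed")

    load = {npc: 0 for npc in npcs}   # IOCs currently mapped to each NPC
    mapping = {}

    # Pass 1: honour explicit configuration.
    for ioc, npc in configured.items():
        if npc is None or ioc not in iocs:
            continue
        if npc not in load:
            raise ValueError(f"configured NPC {npc} for IOC {ioc} is not installed")
        mapping[ioc] = npc
        load[npc] += 1

    # Pass 2: least-loaded NPC for every IOC still unmapped (lowest slot on ties).
    for ioc in sorted(iocs):
        if ioc in mapping:
            continue
        npc = min(sorted(load), key=lambda n: load[n])
        mapping[ioc] = npc
        load[npc] += 1
    return mapping


if __name__ == "__main__":
    # Constructed example: four IOCs, two NPCs, IOC 0 pinned to NPC 5.
    print(map_iocs_to_npcs([0, 1, 2, 3], [4, 5], configured={0: 5, 1: None}))
```

Running the simulation for a planned configuration shows which NPC each unconfigured IOC will land on, which is useful when deciding whether pinning one IOC leaves the remaining load balanced.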

Monitoring the Interfaces for J-series Devices

The interface information is divided into multiple parts. To view general interface information such as available interfaces, operation states of the interfaces, and descriptions of the configured interfaces, select Monitor>Interfaces in the J-Web interface. To view interface-specific properties such as administrative state or traffic statistics in the J-Web interface, select the interface name on the Interfaces page.

Alternatively, enter the following CLI show commands:

Table 128 summarizes key output fields in interfaces displays.

Table 128: Summary of Key Interfaces Output Fields

Field

Values

Additional Information

Interface Summary 

Interface Name

Name of interface.

(See the interface naming conventions in the Junos OS Interfaces and Routing Configuration Guide.)

Click an interface name to see more information about the interface.

Channelized interfaces appear as two interfaces, which can both be monitored. For example:

  • If ce1-3/0/0 is configured as a clear channel, you can monitor ce1-3/0/0 and e1-3/0/0.
  • If ct1-3/0/1 is channelized, you can monitor ct1-3/0/1 and ds-3/0/1:1.

Oper State

Link state of the interface: Up or Down.

The operational state is the physical state of the interface. If the interface is physically operational, even if it is not configured, the operational state is Up. An operational state of Down indicates a problem with the physical interface.

Admin State

Whether the interface is enabled (Up) or disabled (Down).

Interfaces are enabled by default. To disable an interface:

  • In the J-Web configuration editor, select the Disable check box on the Interfaces>interfaces-name page.
  • In the CLI configuration editor, add the disable statement at the [edit interfaces interfaces-name] level of the configuration hierarchy.

Description

Configured description for the interface.

 

Interface: interface-name

State

Link state of the interface: Up or Down.

The operational state is the physical state of the interface. If the interface is physically operational, even if it is not configured, the operational state is Up. An operational state of Down indicates a problem with the physical interface.

Admin State

Whether the interface is enabled (Up) or disabled (Down).

Interfaces are enabled by default. To disable an interface:

  • In the J-Web configuration editor, select the Disable check box on the Interfaces>interfaces-name page.
  • In the CLI configuration editor, add the disable statement at the [edit interfaces interfaces-name] level of the configuration hierarchy.

MTU

Maximum transmission unit (MTU) size on the physical interface.

 

Speed

Speed at which the interface is running.

 

Current Address

Configured media access control (MAC) address.

 

Hardware Address

Hardware MAC address.

 

Last Flapped

Date, time, and how long ago the interface changed state from Down to Up.

 

Active Alarms

List of any active alarms on the interface.

Configure alarms on interfaces as follows:

  • In the J-Web configuration editor, on the Chassis>Alarm>interface-type page
  • In the CLI configuration editor, with the alarm statement at the [edit chassis] level of the configuration hierarchy

Traffic Statistics

Number of packets and bytes received and transmitted on the physical interface.

 

Input Errors

Input errors on the interface. (See the following rows of this table for specific error types.)

 

Drops

Number of packets dropped by the output queue.

If the interface is saturated, this number increments once for every packet that is dropped by the device's random early detection (RED) mechanism.

Framing errors

Sum of ATM Adaptation Layer (AAL5) packets that have frame check sequence (FCS) errors, AAL5 packets that have reassembly timeout errors, and AAL5 packets that have length errors.

 

Policed discards

Number of packets dropped as a result of routing policies configured on the interface.

 

Monitoring the Interface for SRX-series Devices

The Monitor Interface option displays diagnostic information about the SRX-series devices. You can monitor the device by using command-line interface (CLI) operational mode commands.

The J-Web Monitor page appears when you select Monitor in the taskbar. The Monitor page displays the current configuration on your system and the status of your chassis, interfaces, class of service, events and alarms, T1, E1, 1-port SFP, ADSL2+, and routing and security operations.

Select Monitor > Interfaces in the J-Web interface to view the Interfaces page. Figure 16 shows the interface summary on the Interfaces page. The page displays information such as the interface name, administrative state, actual state, input bytes, output bytes, and the configured description of each interface.

Figure 16: Interface Summary

Table 129 summarizes the key fields of the interface summary on the Interfaces page.

Table 129: Summary of Key Fields

Field

Value

Additional Information

Graph

Tab to generate the graph of the interface.

See the interface graphs on Interface Graph for more details.

Refresh interval (min)

Indicates the duration of time after which you want the data on the page to be refreshed.

Interface Name

Name of interface. (See the interface naming conventions in the JUNOS Software Interfaces and Routing Configuration Guide.)

Click an interface name to see more information about the interface.

Admin State

Displays if the interface is enabled (up) or disabled (down).

Interfaces are enabled by default.

Actual State

Displays if the link state of the interface is up or down.

If the interface is physically operational, even if it is not configured, the actual state is up.

If there is a problem with the physical interface, the actual state is down.

Input Bytes

The number of bytes presented for processing by the device.

 

Output Bytes

The number of bytes actually processed by the device.

 

Description

The configured description for the interface.

 

To view interface-specific properties such as administrative state, SNMP index, MTU, speed, or traffic statistics in the J-Web interface, select the interface name on the Interfaces page. Figure 17 shows the details of the interface.

Figure 17: Interface Details

Table 130 summarizes the key fields on the interface details page.

Table 130: Summary of Key Interface Fields

Field

Value

Additional Information

State

Displays if the link state of the interface is up or down.

The operational state is the physical state of the interface. If the interface is physically operational, even if it is not configured, the actual state is up.

If there is a problem with the physical interface, the operational state is down.

Admin State

Displays if the interface is enabled (up) or disabled (down)

Interfaces are enabled by default.

SNMP Index

Displays the SNMP index number for the physical interface.

MTU

Displays the maximum transmission unit size on the physical interface.

Speed

Displays the speed at which the interface is running.

Device flags

Displays the information about the physical device.

Interface flags

Displays the information about the interface.

Loopback

Displays if Loopback status is enabled or disabled.

If loopback is enabled, the type of loopback: Local or Remote.

Source filtering

Displays if Source filtering status is enabled or disabled.

Traffic statistics

Displays the number and rate of bytes and packets received and transmitted on the physical interface.

  • Input bytes—Number of bytes received on the interface.
  • Output bytes—Number of bytes transmitted on the interface.
  • Input packets—Number of packets received on the interface.
  • Output packets—Number of packets transmitted on the interface.

Queue counters

Displays the CoS queue number and its associated user-configured forwarding class name.

  • Queued packets—Number of queued packets
  • Transmitted packets—Number of transmitted packets.
  • Dropped packets—Number of packets dropped by the ASIC's RED mechanism.

Ethernet MAC statistics

Displays the Receive and Transmit statistics reported by the PIC's MAC subsystem.

 

Filter statistics

Displays the Receive and Transmit statistics reported by the PIC's MAC address filter subsystem.

The filtering is done by the content-addressable memory (CAM) on the PIC. The filter examines a packet's source and destination MAC addresses to determine whether the packet should enter the system or be rejected.

Interface Graph

The Interface Graph displays the input and output traffic flow for the interface selected on the Interfaces page. You can select up to five interfaces at a time to generate a graph. Figure 18 shows the interface graphs for five interfaces.

Figure 18: Interface Graph

Table 131 summarizes the key fields on the Interface Graph page.

Table 131: Details of Interface Graph

Field

Value

Additional Information

Refresh interval (min)

Indicates the duration of time after which you want the graph to be refreshed.

You can choose the duration from the drop-down box.

Graph Counter

Indicates the type of graph you want to view

  • Input bytes—Number of bytes received on the interface.
  • Output bytes—Number of bytes transmitted on the interface.
  • Input packets—Number of packets received on the interface.
  • Output packets—Number of packets transmitted on the interface.

X-axis

Indicates the input bytes

 

Y-axis

Indicates the time interval

The time interval is measured from the device's current time and expressed in seconds.

Monitoring Routing Information

The J-Web interface provides information about routing tables and routing protocols.

This section contains the following topics:

Monitoring Route Information

To view the inet.0 (IPv4) routing table in the J-Web interface, select Monitor>Routing>Route Information, or enter the following CLI commands:

Table 132 summarizes key output fields in the routing information display.

Table 132: Summary of Key Routing Information Output Fields

Field

Values

Additional Information

n destinations

Number of destinations for which there are routes in the routing table.

 

n routes

Number of routes in the routing table:

  • active—Number of routes that are active.
  • holddown—Number of routes that are in hold-down state (neither advertised nor updated) before being declared inactive.
  • hidden—Number of routes not used because of routing policies configured on the device.
 

Destination

Destination address of the route.

 

Protocol/Preference

Protocol from which the route was learned: Static, Direct, Local, or the name of a particular protocol.

The preference is the individual preference value for the route.

The route preference is used as one of the route selection criteria.

Next-Hop

Network layer address of the directly reachable neighboring system (if applicable) and the interface used to reach it.

If a next hop is listed as Discard, all traffic with that destination address is discarded rather than routed. This value generally means that the route is a static route for which the discard attribute has been set.

If a next hop is listed as Reject, all traffic with that destination address is rejected. This value generally means that the address is unreachable. For example, if the address is a configured interface address and the interface is unavailable, traffic bound for that address is rejected.

If a next hop is listed as Local, the destination is an address on the host (either the loopback address or Ethernet management port 0 address, for example).

Age

How long the route has been known.

 

State

Flags for this route.

There are many possible flags. For a complete description, see the Junos Interfaces Command Reference.

AS Path

AS path through which the route was learned. The letters of the AS path indicate the path origin:

  • I — IGP.
  • E — EGP.
  • ? — Incomplete. Typically, the AS path was aggregated.
 

Monitoring BGP Routing Information

To view BGP routing information, select Monitor>Routing>BGP Information, or enter the following CLI commands:

Table 133 summarizes key output fields in the BGP routing display.

Table 133: Summary of Key BGP Routing Output Fields

Field

Values

Additional Information

BGP Summary

Groups

Number of BGP groups.

 

Peers

Number of BGP peers.

 

Down Peers

Number of unavailable BGP peers.

 

Peer

Address of each BGP peer.

 

InPkt

Number of packets received from the peer.

 

OutPkt

Number of packets sent to the peer.

 

Flaps

Number of times a BGP session has changed state from Down to Up.

A high number of flaps might indicate a problem with the interface on which the BGP session is enabled.

Last Up/Down

Last time that a session became available or unavailable, since the neighbor transitioned to or from the established state.

If the BGP session is unavailable, this time might be useful in determining when the problem occurred.

State

A multipurpose field that displays information about BGP peer sessions. The contents of this field depend upon whether a session is established.

  • If a peer is not established, the field shows the state of the peer session: Active, Connect, or Idle.
  • If a BGP session is established, the field shows the number of active, received, and damped routes that are received from a neighbor. For example, 2/4/0 indicates two active routes, four received routes, and no damped routes.
 
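The multipurpose State column and the Flaps and Last Up/Down fields described above lend themselves to a quick health check. The following is an added example in Python, not part of the manual or of Junos: it parses a constructed BGP summary table (laid out with the columns named in Table 133; the column order and the header line are assumptions, not captured device output), splits the active/received/damped counts out of the State field, and reports peers that are not Established or that have flapped repeatedly.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample laid out like the BGP summary peer table described in
# Table 133; not captured from a device, and the column order is an assumption.
SAMPLE_BGP_SUMMARY = """\
Groups: 2 Peers: 3 Down peers: 1
Peer              AS    InPkt   OutPkt   Flaps  Last Up/Down  State
192.0.2.1      65001     1201     1198       0       4:12:05  2/4/0
192.0.2.2      65002      870      866       7       0:03:11  1/1/0
198.51.100.9   65003        0        0      14       1:22:40  Active
"""

# Session states the display shows in the State column when a session is
# not established.
NON_ESTABLISHED = {"Active", "Connect", "Idle", "OpenSent", "OpenConfirm"}

ROW_RE = re.compile(
    r"^(?P<peer>\S+)\s+(?P<asn>\d+)\s+(?P<inpkt>\d+)\s+(?P<outpkt>\d+)\s+"
    r"(?P<flaps>\d+)\s+(?P<last>\S+)\s+(?P<state>\S+)\s*$")
ROUTES_RE = re.compile(r"^(\d+)/(\d+)/(\d+)$")      # active/received/damped
HEADER_RE = re.compile(r"Groups:\s*(\d+)\s+Peers:\s*(\d+)\s+Down peers:\s*(\d+)")


@dataclass
class BgpPeer:
    address: str
    asn: int
    in_pkt: int
    out_pkt: int
    flaps: int
    last_change: str
    state: str                      # "Established" or a non-established state
    active: Optional[int] = None    # route counts, present only when established
    received: Optional[int] = None
    damped: Optional[int] = None

    @property
    def established(self) -> bool:
        return self.state == "Established"


def parse_state(value: str) -> Tuple[str, Optional[Tuple[int, int, int]]]:
    """The State column is multipurpose: 'active/received/damped' counts for
    an established session, otherwise the name of the session state."""
    m = ROUTES_RE.match(value)
    if m:
        active, received, damped = (int(x) for x in m.groups())
        return "Established", (active, received, damped)
    if value in NON_ESTABLISHED:
        return value, None
    raise ValueError(f"unrecognised State field: {value!r}")


def parse_bgp_summary(text: str) -> Tuple[Dict[str, int], List[BgpPeer]]:
    """Return the header counters and one BgpPeer per table row."""
    counters: Dict[str, int] = {}
    peers: List[BgpPeer] = []
    for line in text.splitlines():
        h = HEADER_RE.search(line)
        if h:
            counters = dict(zip(("groups", "peers", "down_peers"),
                                map(int, h.groups())))
            continue
        m = ROW_RE.match(line)
        if not m:                   # column header or blank line
            continue
        state, routes = parse_state(m["state"])
        peer = BgpPeer(m["peer"], int(m["asn"]), int(m["inpkt"]),
                       int(m["outpkt"]), int(m["flaps"]), m["last"], state)
        if routes is not None:
            peer.active, peer.received, peer.damped = routes
        peers.append(peer)
    return counters, peers


def find_problems(counters: Dict[str, int], peers: List[BgpPeer],
                  flap_threshold: int = 5) -> List[str]:
    """The checks the Flaps, Last Up/Down and State descriptions suggest:
    peers stuck outside Established, high flap counts, damped routes, and a
    header Down Peers count that disagrees with the rows."""
    problems = []
    for p in peers:
        if not p.established:
            problems.append(f"{p.address} (AS{p.asn}) is {p.state}; "
                            f"last state change {p.last_change}")
        if p.flaps >= flap_threshold:
            problems.append(f"{p.address} flapped {p.flaps} times; check the "
                            f"interface carrying the session")
        if p.established and p.damped:
            problems.append(f"{p.address} has {p.damped} damped routes")
    down = sum(1 for p in peers if not p.established)
    if counters and counters["down_peers"] != down:
        problems.append(f"header reports {counters['down_peers']} down peers "
                        f"but {down} rows are not Established")
    return problems


if __name__ == "__main__":
    for msg in find_problems(*parse_bgp_summary(SAMPLE_BGP_SUMMARY)):
        print(msg)
```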
BGP Neighbors  

Peer

Address of the BGP neighbor.

 

AS

AS number of the peer.

 

Type

Type of peer: Internal or External.

 

State

Current state of the BGP session:

  • Active—BGP is initiating a TCP connection in an attempt to connect to a peer. If the connection is successful, BGP sends an open message.
  • Connect—BGP is waiting for the TCP connection to become complete.
  • Established—The BGP session has been established, and the peers are exchanging BGP update messages.
  • Idle—This is the first stage of a connection. BGP is waiting for a Start event.
  • OpenConfirm—BGP has acknowledged receipt of an open message from the peer and is waiting to receive a keepalive or notification message.
  • OpenSent—BGP has sent an open message and is waiting to receive an open message from the peer.

Generally, the most common states are Active, which indicates a problem establishing the BGP connection, and Established, which indicates a successful session setup. The other states are transition states, and BGP sessions normally do not stay in those states for extended periods of time.

Export

Names of any export policies configured on the peer.

 

Import

Names of any import policies configured on the peer.

 

Number of flaps

Number of times the BGP session has changed state from Down to Up.

A high number of flaps might indicate a problem with the interface on which the session is established.

Monitoring OSPF Routing Information

To view OSPF routing information, select Monitor>Routing>OSPF Information, or enter the following CLI commands:

Table 134 summarizes key output fields in the OSPF routing display.

Table 134: Summary of Key OSPF Routing Output Fields

Field

Values

Additional Information

OSPF Neighbors

Address

Address of the neighbor.

 

Interface

Interface through which the neighbor is reachable.

 

State

State of the neighbor: Attempt, Down, Exchange, ExStart, Full, Init, Loading, or 2way.

Generally, only the Down state, indicating a failed OSPF adjacency, and the Full state, indicating a functional adjacency, are maintained for more than a few seconds. The other states are transitional states that a neighbor is in only briefly while an OSPF adjacency is being established.

ID

Router ID of the neighbor.

 

Priority

Priority of the neighbor to become the designated router.

 

Dead

Number of seconds until the neighbor becomes unreachable.

 
OSPF Interfaces  

Interface

Name of the interface running OSPF.

 

State

State of the interface: BDR, Down, DR, DRother, Loop, PtToPt, or Waiting.

The Down state, indicating that the interface is not functioning, and the PtToPt state, indicating that a point-to-point connection has been established, are the most common states.

Area

Number of the area that the interface is in.

 

DR ID

Address of the area's designated router.

 

BDR ID

Address of the area's backup designated router.

 

Nbrs

Number of neighbors on this interface.

 
OSPF Statistics  

Packet Type

Type of OSPF packet.

 

Total Sent/Total Received

Total number of packets sent and received.

 

Last 5 seconds Sent/Last 5 seconds Received

Total number of packets sent and received in the last 5 seconds.

 

Receive errors

Number and type of receive errors.

 

Monitoring RIP Routing Information

To view RIP routing information, select Monitor>Routing>RIP Information, or enter the following CLI commands:

Table 135 summarizes key output fields in the RIP routing display.

Table 135: Summary of Key RIP Routing Output Fields

Field

Values

Additional Information

RIP Statistics

Rip info

Information about RIP on the specified interface, including UDP port number, hold-down interval (during which routes are neither advertised nor updated), and timeout interval.

 

Logical interface

Name of the logical interface on which RIP is configured.

 

Routes learned

Number of RIP routes learned on the logical interface.

 

Routes advertised

Number of RIP routes advertised on the logical interface.

 
RIP Neighbors  

Neighbor

Name of the RIP neighbor.

This value is the name of the interface on which RIP is enabled. The name is set in either of the following ways:

  • In the J-Web configuration editor, on the Protocols>RIP>Group> group-name>Neighbor page
  • In the CLI configuration editor, with the neighbor neighbor-name statement at the [edit protocols rip group group-name] level of the configuration hierarchy

State

State of the RIP connection: Up or Dn (Down).

 

Source Address

Local source address.

This value is the configured address of the interface on which RIP is enabled.

Destination Address

Destination address.

This value is the configured address of the immediate RIP adjacency.

In Met

Value of the incoming metric configured for the RIP neighbor.

 

Monitoring DLSw Routing Information

This feature is not currently supported.

Monitoring Class-of-Service Performance

The J-Web interface provides information about the class-of-service (CoS) performance on a device. You can view information about the current status of CoS components—classifiers, CoS value aliases, red drop profiles, forwarding classes, rewrite rules and scheduler maps. You can also see the interfaces to which these components are assigned.

In addition, you can display the entire CoS configuration, including system-chosen defaults, by entering the following CLI command:

show class-of-service

This section contains the following topics:

Monitoring CoS Interfaces

To display details about the physical and logical interfaces and the CoS components assigned to them, select Monitor>Class of Service>Interfaces in the J-Web interface, or enter the following CLI command:

show class-of-service interface interface

Table 136 summarizes key output fields for CoS interfaces.

Table 136: Summary of Key CoS Interfaces Output Fields

Field

Values

Additional Information

Interface

Name of a physical interface to which CoS components are assigned.

To display names of logical interfaces configured on this physical interface, click the plus sign (+).

Scheduler Map

Name of the scheduler map associated with this interface.

 

Queues Supported

Number of queues you can configure on the interface.

 

Queues in Use

Number of queues currently configured.

 

Logical Interface

Name of a logical interface on the physical interface, to which CoS components are assigned.

 

Object

Category of an object—for example, classifier, scheduler-map, or rewrite.

 

Name

Name that you have given to an object—for example, ba-classifier.

 

Type

Type of an object—for example, dscp or exp for a classifier.

 

Index

Index of this interface or the internal index of a specific object.

 

Monitoring CoS Classifiers

To display the mapping of incoming CoS value to forwarding class and loss priority, for each classifier, select Monitor>Class of Service>Classifiers in the J-Web interface, or enter the following CLI command:

show class-of-service classifier

Table 137 summarizes key output fields for CoS classifiers.

Table 137: Summary of Key CoS Classifier Output Fields

Classifier Name

Name of a classifier.

To display classifier assignments, click the plus sign (+).

CoS Value Type

The classifiers are displayed by type:

  • dscp—All classifiers of the DSCP type.
  • dscp ipv6—All classifiers of the DSCP IPv6 type.
  • exp—All classifiers of the MPLS EXP type.
  • ieee-802.1—All classifiers of the IEEE 802.1 type.
  • inet-precedence—All classifiers of the IP precedence type.
 

Index

Internal index of the classifier.

 

Incoming CoS Value

CoS value of the incoming packets, in bits. These values are used for classification.

 

Assign to Forwarding Class

Forwarding class that the classifier assigns to an incoming packet. This class affects the forwarding and scheduling policies that are applied to the packet as it transits the device.

 

Assign to Loss Priority

Loss priority value that the classifier assigns to the incoming packet based on its CoS value.

 

Monitoring CoS Value Aliases

To display information about the CoS value aliases that the system is currently using to represent DSCP, DSCP IPv6, MPLS EXP, and IPv4 precedence bits, select Monitor>Class of Service>CoS Value Aliases in the J-Web interface, or enter the following CLI command:

show class-of-service code-point-aliases

Table 138 summarizes key output fields for CoS value aliases.

Table 138: Summary of Key CoS Value Alias Output Fields

Field

Values

Additional Information

CoS Value Type

Type of the CoS value:

  • dscp—Examines Layer 3 packet headers for IP packet classification.
  • dscp ipv6—Examines Layer 3 packet headers for IPv6 packet classification.
  • exp—Examines Layer 2 packet headers for MPLS packet classification.
  • ieee-802.1—Examines Layer 2 packet header for packet classification.
  • inet-precedence—Examines Layer 3 packet headers for IP packet classification.

To display aliases and bit patterns, click the plus sign (+).

CoS Value Alias

Name given to a set of bits—for example, af11 is a name for 001010 bits.

 

Bit Pattern

Set of bits associated with an alias.

 

Monitoring CoS RED Drop Profiles

To display data point information for each CoS random early detection (RED) drop profile currently on a system, select Monitor>Class of Service>RED Drop Profiles in the J-Web interface, or enter the following CLI command:

show class-of-service drop-profile

Table 139 summarizes key output fields for CoS RED drop profiles.

Table 139: Summary of Key CoS RED Drop Profile Output Fields

Field

Values

Additional Information

RED Drop Profile Name

Name of the RED drop profile.

A drop profile consists of pairs of values between 0 and 100, one for queue buffer fill level and one for drop probability, that determine the relationship between a buffer's fullness and the likelihood it will drop packets.

To display profile values, click the plus sign (+).

Graph RED Profile

Link to a graph of a RED curve that the system uses to determine the drop probability based on queue buffer fullness.

The x axis represents the queue buffer fill level, and the y axis represents the drop probability.

Type

Type of a specific drop profile:

  • interpolated—The two coordinates (x and y) of the graph are interpolated to produce a smooth profile.
  • segmented—The two coordinates (x and y) of the graph are represented by line fragments to produce a segmented profile.

For information about types of drop profiles, see the Junos Class of Service Configuration Guide.

 

Index

Internal index of this drop profile.

 

Fill Level

Percentage fullness of a buffer queue. This value is the x coordinate of the RED drop profile graph.

 

Drop Probability

Drop probability of a packet corresponding to a specific queue buffer fill level. This value is the y coordinate of the RED drop profile graph.

 
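The Type, Fill Level and Drop Probability fields above describe a curve that the Graph RED Profile link plots. The following is an added example in Python, not part of the manual or of Junos, that evaluates a constructed drop profile at arbitrary fill levels for both Types; treating interpolated as straight lines between the configured pairs, treating segmented as a step function, and padding the profile with implicit (0, 0) and (100, 100) end points are assumptions of this example.

```python
from bisect import bisect_right
from typing import List, Sequence, Tuple

Point = Tuple[float, float]   # (queue fill level %, drop probability %)

# Constructed drop profile: four configured fill-level/drop-probability pairs.
SAMPLE_PROFILE: List[Point] = [(25, 0), (50, 10), (75, 40), (95, 100)]


def validate_profile(points: Sequence[Point]) -> List[Point]:
    """Check the pairs as the display describes them (both values between 0
    and 100, probability not decreasing with fill level) and pad the end
    points. Padding with (0, 0) and (100, 100) is an assumption here."""
    pts = sorted((float(f), float(p)) for f, p in points)
    for fill, prob in pts:
        if not (0 <= fill <= 100 and 0 <= prob <= 100):
            raise ValueError(f"value out of range: ({fill}, {prob})")
    fills = [f for f, _ in pts]
    if len(set(fills)) != len(fills):
        raise ValueError("duplicate fill level")
    probs = [p for _, p in pts]
    if probs != sorted(probs):
        raise ValueError("drop probability must not decrease with fill level")
    if pts[0][0] > 0:
        pts.insert(0, (0.0, 0.0))
    if pts[-1][0] < 100:
        pts.append((100.0, 100.0))
    return pts


def drop_probability(points: Sequence[Point], fill: float, kind: str) -> float:
    """Drop probability (%) at a queue fill level (%) for a profile of the
    given Type. 'interpolated' joins neighbouring pairs with straight lines;
    'segmented' holds each configured probability until the next configured
    fill level (a step function). Both readings are assumptions here."""
    if kind not in ("interpolated", "segmented"):
        raise ValueError(f"unknown drop profile type: {kind}")
    if not 0 <= fill <= 100:
        raise ValueError("fill level must be between 0 and 100")
    pts = validate_profile(points)
    fills = [f for f, _ in pts]
    idx = bisect_right(fills, fill)      # first configured fill above 'fill'
    lo_f, lo_p = pts[idx - 1]            # idx >= 1 because fills[0] == 0
    if kind == "segmented" or idx == len(pts):
        return lo_p
    hi_f, hi_p = pts[idx]
    return lo_p + (fill - lo_f) / (hi_f - lo_f) * (hi_p - lo_p)


def profile_curve(points: Sequence[Point], kind: str,
                  step: int = 5) -> List[Tuple[int, float]]:
    """The data the Graph RED Profile link plots: x is fill level, y is
    drop probability, sampled at regular fill levels."""
    return [(f, drop_probability(points, f, kind)) for f in range(0, 101, step)]


if __name__ == "__main__":
    for fill in (10, 50, 62.5, 85, 97.5):
        print(fill, drop_probability(SAMPLE_PROFILE, fill, "interpolated"),
              drop_probability(SAMPLE_PROFILE, fill, "segmented"))
```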

Monitoring CoS Forwarding Classes

To view the current assignment of CoS forwarding classes to queue numbers on the system, select Monitor>Class of Service>Forwarding Classes in the J-Web interface, or enter the following CLI command:

show class-of-service forwarding-class

Table 140 summarizes key output fields for CoS forwarding classes.

Table 140: Summary of Key CoS Forwarding Class Output Fields

Field

Values

Additional Information

Forwarding Class

Names of forwarding classes assigned to queue numbers. By default, the following forwarding classes are assigned to queues 0 through 3:

  • best-effort—Provides no special CoS handling of packets. Loss priority is typically not carried in a CoS value, and RED drop profiles are more aggressive.
  • expedited-forwarding—Provides low loss, low delay, low jitter, assured bandwidth, and end-to-end service.
  • assured-forwarding—Provides high assurance for packets within a specified service profile. Excess packets are dropped.
  • network-control—Packets can be delayed but not dropped.
 

Queue

Queue number corresponding to the forwarding class name.

By default, four queues, 0 through 3, are assigned to forwarding classes.

Monitoring CoS Rewrite Rules

To display information about CoS value rewrite rules, which are based on the forwarding class and loss priority, select Monitor>Class of Service>Rewrite Rules in the J-Web interface, or enter the following CLI command:

show class-of-service rewrite-rules

Table 141 summarizes key output fields for CoS rewrite rules.

Table 141: Summary of Key CoS Rewrite Rules Output Fields

Field

Values

Additional Information

Rewrite Rule Name

Names of rewrite rules.

 

CoS Value Type

Rewrite rule type:

  • dscp—For IPv4 DiffServ traffic.
  • dscp-ipv6—For IPv6 DiffServ traffic.
  • exp—For MPLS traffic.
  • ieee-802.1—For Layer 2 traffic.
  • inet-precedence—For IPv4 traffic.

To display forwarding classes, loss priorities, and rewritten CoS values, click the plus sign (+).

Index

Internal index for this particular rewrite rule.

 

Forwarding Class

Forwarding class that in combination with loss priority is used to determine CoS values for rewriting.

Rewrite rules are applied to CoS values in outgoing packets based on forwarding class and loss priority setting.

Loss Priority

Loss priority that in combination with forwarding class is used to determine CoS values for rewriting.

 

Rewrite CoS Value To

Value that the CoS value is rewritten to.

 

Monitoring CoS Scheduler Maps

To display assignments of CoS forwarding classes to schedulers, select Monitor>Class of Service>Scheduler Maps in the J-Web interface, or enter the following CLI command:

show class-of-service scheduler-map

Table 142 summarizes key output fields for CoS scheduler maps.

Table 142: Summary of Key CoS Scheduler Maps Output Fields

Field

Values

Additional Information

Scheduler Map

Name of a scheduler map.

For details, click the plus sign (+).

Index

Index of a specific object—scheduler maps, schedulers, or drop profiles.

 

Scheduler Name

Name of a scheduler.

 

Forwarding Class

Forwarding classes this scheduler is assigned to.

 

Transmit Rate

Configured transmit rate of the scheduler in bits per second (bps). The rate value can be either of the following:

  • A percentage—The scheduler receives the specified percentage of the total interface bandwidth.
  • remainder—The scheduler receives the remaining bandwidth of the interface after allocation to other schedulers.
 

Rate Limit

Rate limiting configuration of the queue:

  • none—No rate limiting.
  • exact—The queue transmits at only the configured rate.
 

Buffer Size

Delay buffer size in the queue or the amount of transmit delay (in milliseconds). The buffer size can be either of the following:

  • A percentage—The buffer is a percentage of the total buffer allocation.
  • remainder—The buffer is sized according to what remains after other scheduler buffer allocations.
 

Priority

Scheduling priority of a queue:

  • high—Packets in this queue are transmitted first.
  • low—Packets in this queue are transmitted last.
  • medium-high—Packets in this queue are transmitted after high-priority packets.
  • medium-low—Packets in this queue are transmitted before low-priority packets.
 

Drop Profiles

Name and index of a drop profile that is assigned to a specific loss priority and protocol pair.

 

Loss Priority

Packet loss priority corresponding to a drop profile:

  • low—Packet has a low loss priority.
  • high—Packet has a high loss priority.
  • medium-low—Packet has a medium-low loss priority.
  • medium-high—Packet has a medium-high loss priority.
 

Protocol

Transport protocol corresponding to a drop profile.

 

Drop Profile Name

Name of the drop profile.

 

Monitoring MPLS Traffic Engineering Information

The J-Web interface provides information about Multiprotocol Label Switching (MPLS) traffic engineering.

This section contains the following topics:

Monitoring MPLS Interfaces

To view the interfaces on which MPLS is configured, select Monitor>MPLS>Interfaces, or enter the following CLI command:

show mpls interface

Table 143 summarizes key output fields in the MPLS interface information display.

Table 143: Summary of Key MPLS Interface Information Output Fields

Field

Values

Additional Information

Interface

Name of the interface on which MPLS is configured.

 

State

State of the specified interface: Up or Dn (down).

 

Administrative groups

Administratively assigned colors of the MPLS link configured on the interface.

 

Monitoring MPLS LSP Information

To view all label-switched paths (LSPs) configured on the Services Router, including all inbound (ingress), outbound (egress), and transit LSP information, select Monitor>MPLS>LSP Information, or enter the following CLI command:

show mpls lsp

Table 144 summarizes key output fields in the MPLS LSP information display.

Table 144: Summary of Key MPLS LSP Information Output Fields

Field

Values

Additional Information

Ingress LSP

Information about LSPs on the inbound device. Each session has one line of output.

 

Egress LSP

Information about the LSPs on the outbound device. Each session has one line of output.

MPLS learns this information by querying RSVP, which holds all the transit and outbound session information.

Transit LSP

Number of LSPs on the transit routers and the state of these paths.

MPLS learns this information by querying RSVP, which holds all the transit and outbound session information.

To

Destination (outbound device) of the session.

 

From

Source (inbound device) of the session.

 

State

State of the path. It can be Up, Down, or AdminDn.

AdminDn indicates that the LSP is being taken down gracefully.

Rt

Number of active routes (prefixes) installed in the routing table.

For inbound RSVP sessions, the routing table is the primary IPv4 table (inet.0). For transit and outbound RSVP sessions, the routing table is the primary MPLS table (mpls.0).

Active Path

Name of the active path: Primary or Secondary.

This field is used for inbound LSPs only.

P

An asterisk (*) in this column indicates that the LSP is a primary path.

This field is used for inbound LSPs only.

LSPname

Configured name of the LSP.

 

Style

RSVP reservation style. This field consists of two parts. The first is the number of active reservations. The second is the reservation style, which can be FF (fixed filter), SE (shared explicit), or WF (wildcard filter).

This field is used for outbound and transit LSPs only.

Labelin

Incoming label for this LSP.

 

Labelout

Outgoing label for this LSP.

 

Total

Total number of LSPs displayed for the particular type—ingress (inbound), egress (outbound), or transit.

 

Monitoring MPLS LSP Statistics

To display accounting information about LSPs, select Monitor>MPLS>LSP Statistics, or enter the following CLI command:

show mpls lsp statistics

Note: Statistics are not available for LSPs on the outbound device, because the penultimate device in the LSP sets the label to 0. Also, as the packet arrives at the outbound device, the hardware removes its MPLS header and the packet reverts to being an IPv4 packet. Therefore, it is counted as an IPv4 packet, not an MPLS packet.

Table 145 summarizes key output fields in the MPLS LSP statistics display.

Table 145: Summary of Key MPLS LSP Statistics Output Fields

Field

Values

Additional Information

Ingress LSP

Information about LSPs on the inbound device. Each session has one line of output.

 

Egress LSP

Information about the LSPs on the outbound device. Each session has one line of output.

MPLS learns this information by querying RSVP, which holds all the transit and outbound session information.

Transit LSP

Number of LSPs on the transit routers and the state of these paths.

MPLS learns this information by querying RSVP, which holds all the transit and outbound session information.

To

Destination (outbound device) of the session.

 

From

Source (inbound device) of the session.

 

State

State of the path: Up, Down, or AdminDn.

AdminDn indicates that the LSP is being taken down gracefully.

Packets

Total number of packets received on the LSP from the upstream neighbor.

 

Bytes

Total number of bytes received on the LSP from the upstream neighbor.

 

LSPname

Configured name of the LSP.

 

Total

Total number of LSPs displayed for the particular type—ingress (inbound), egress (outbound), or transit.

 

Monitoring RSVP Session Information

To view currently active RSVP session information, select Monitor>MPLS>RSVP Sessions, or enter the following CLI command:

show rsvp session

Table 146 summarizes key output fields in the RSVP session information display.

Table 146: Summary of Key RSVP Session Information Output Fields

Field

Values

Additional Information

Ingress LSP

Information about inbound RSVP sessions. Each session has one line of output.

 

Egress LSP

Information about outbound RSVP sessions. Each session has one line of output.

MPLS learns this information by querying RSVP, which holds all the transit and outbound session information.

Transit LSP

Information about transit RSVP sessions.

MPLS learns this information by querying RSVP, which holds all the transit and outbound session information.

To

Destination (outbound device) of the session.

 

From

Source (inbound device) of the session.

 

State

State of the path: Up, Down, or AdminDn.

AdminDn indicates that the LSP is being taken down gracefully.

Rt

Number of active routes (prefixes) installed in the routing table.

For inbound RSVP sessions, the routing table is the primary IPv4 table (inet.0). For transit and outbound RSVP sessions, the routing table is the primary MPLS table (mpls.0).

Style

RSVP reservation style. This field consists of two parts. The first is the number of active reservations. The second is the reservation style, which can be FF (fixed filter), SE (shared explicit), or WF (wildcard filter).

This field is used for outbound and transit LSPs only.

Labelin

Incoming label for this RSVP session.

 

Labelout

Outgoing label for this RSVP session.

 

LSPname

Configured name of the LSP.

 

Total

Total number of RSVP sessions displayed for the particular type—ingress (inbound), egress (outbound), or transit.

 

Monitoring MPLS RSVP Interfaces Information

To view the interfaces on which RSVP is running, select Monitor>MPLS>RSVP Interfaces, or enter the following CLI command:

show rsvp interface

Table 147 summarizes key output fields in the RSVP interfaces information display.

Table 147: Summary of Key RSVP Interfaces Information Output Fields

Field

Values

Additional Information

RSVP Interface

Number of interfaces on which RSVP is active. Each interface has one line of output.

 

Interface

Name of the interface.

 

State

State of the interface:

  • Disabled—No traffic engineering information is displayed.
  • Down—The interface is not operational.
  • Enabled—Displays traffic engineering information.
  • Up—The interface is operational.
 

Active resv

Number of reservations that are actively reserving bandwidth on the interface.

 

Subscription

User-configured subscription factor.

 

Static BW

Total interface bandwidth, in bits per second (bps).

 

Available BW

Amount of bandwidth that RSVP is allowed to reserve, in bits per second (bps). It is equal to (static bandwidth × subscription factor).

 

Reserved BW

Currently reserved bandwidth, in bits per second (bps).

 

Highwater mark

Highest bandwidth that has ever been reserved on this interface, in bits per second (bps).

 

Monitoring RPM Probes

The RPM information includes the round-trip time, jitter, and standard deviation values for each configured RPM test on the Services Router. To view these RPM properties, select Monitor>RPM in the J-Web interface, or enter the following CLI show command:

show services rpm probe-results

In addition to the RPM statistics for each RPM test, the J-Web interface displays the round-trip times and cumulative jitter graphically. Figure 19 shows sample graphs for an RPM test.

Figure 19: Sample RPM Graphs


In Figure 19, the round-trip time and jitter values are plotted as a function of the system time. Large spikes in round-trip time or jitter indicate a slower outbound (egress) or inbound (ingress) time for the probe sent at that particular time.

Table 148 summarizes key output fields in RPM displays.

Table 148: Summary of Key RPM Output Fields

Field

Values

Additional Information

Currently Running Tests

Graph

 

Click the Graph link to display the graph (if it is not already displayed) or to update the graph for a particular test.

Owner

Configured owner name of the RPM test.

 

Test Name

Configured name of the RPM test.

 

Probe Type

Type of RPM probe configured for the specified test. Following are valid probe types:

  • http-get
  • http-get-metadata
  • icmp-ping
  • icmp-ping-timestamp
  • tcp-ping
  • udp-ping
 

Target Address

IP address or URL of the remote server that is being probed by the RPM test.

 

Source Address

Explicitly configured source address that is included in the probe packet headers.

If no source address is configured, the RPM probe packets use the outgoing interface as the source address, and the Source Address field is empty.

Minimum RTT

Shortest round-trip time from the Services Router to the remote server, as measured over the course of the test.

 

Maximum RTT

Longest round-trip time from the Services Router to the remote server, as measured over the course of the test.

 

Average RTT

Average round-trip time from the Services Router to the remote server, as measured over the course of the test.

 

Standard Deviation RTT

Standard deviation of round-trip times from the Services Router to the remote server, as measured over the course of the test.

 

Probes Sent

Total number of probes sent over the course of the test.

 

Loss Percentage

Percentage of probes sent for which a response was not received.

 
Round-Trip Time for a Probe

Samples

Total number of probes used for the data set.

The Services Router maintains records of the most recent 50 probes for each configured test. These 50 probes are used to generate RPM statistics for a particular test.

Earliest Sample

System time when the first probe in the sample was received.

 

Latest Sample

System time when the last probe in the sample was received.

 

Mean Value

Average round-trip time for the 50-probe sample.

 

Standard Deviation

Standard deviation of the round-trip times for the 50-probe sample.

 

Lowest Value

Shortest round-trip time from the device to the remote server, as measured over the 50-probe sample.

 

Time of Lowest Sample

System time when the lowest value in the 50-probe sample was received.

 

Highest Value

Longest round-trip time from the Services Router to the remote server, as measured over the 50-probe sample.

 

Time of Highest Sample

System time when the highest value in the 50-probe sample was received.

 
Cumulative Jitter for a Probe

Samples

Total number of probes used for the data set.

The Services Router maintains records of the most recent 50 probes for each configured test. These 50 probes are used to generate RPM statistics for a particular test.

Earliest Sample

System time when the first probe in the sample was received.

 

Latest Sample

System time when the last probe in the sample was received.

 

Mean Value

Average jitter for the 50-probe sample.

 

Standard Deviation

Standard deviation of the jitter values for the 50-probe sample.

 

Lowest Value

Smallest jitter value, as measured over the 50-probe sample.

 

Time of Lowest Sample

System time when the lowest value in the 50-probe sample was received.

 

Highest Value

Highest jitter value, as measured over the 50-probe sample.

 

Time of Highest Sample

System time when the highest jitter value in the 50-probe sample was received.

 

Monitoring PPP

PPP monitoring information includes PPP address pool information, session status for PPP interfaces, cumulative statistics for all PPP interfaces, and a summary of PPP sessions.

Note: PPP monitoring information is available only in the CLI. The J-Web interface does not include pages for displaying PPP monitoring information.

To display PPP monitoring information, enter the following CLI commands:

For information about these CLI commands, see the Junos Interfaces Command Reference.

Monitoring PPPoE

The PPPoE monitoring information is displayed in multiple parts. To display the session status for PPPoE interfaces, cumulative statistics for all PPPoE interfaces on the device, and the PPPoE version configured on the device, select Monitor>PPPoE in the J-Web interface.

To view interface-specific properties in the J-Web interface, select the interface name on the PPPoE page.

Alternatively, enter the following CLI commands:

Table 149 summarizes key output fields in PPPoE displays.

You can also view status information about the PPPoE interface by selecting Monitor>Interfaces>pp0. Alternatively, enter the show interfaces pp0 command. For more information about key output fields, see Monitoring the Interfaces for J-series Devices.

Table 149: Summary of Key PPPoE Output Fields

Field

Values

Additional Information

PPPoE Interfaces

Interface

Name of the PPPoE interface.

(See the interface naming conventions in the Junos OS Interfaces and Routing Configuration Guide.)

Click the interface name to display PPPoE information for the interface.

State

State of the PPPoE session on the interface.

 

Session ID

Unique session identifier for the PPPoE session.

To establish a PPPoE session, the device acting as a PPPoE client first obtains the Ethernet address of the PPPoE server or access concentrator, and then the client and the server negotiate a unique session ID. This process is referred to as PPPoE active discovery and is made up of four steps: initiation, offer, request, and session confirmation. The access concentrator generates the session ID for session confirmation and sends it to the PPPoE client in a PPPoE Active Discovery Session-Confirmation (PADS) packet.

Service Name

Type of service required from the access concentrator.

Service Name identifies the type of service provided by the access concentrator, such as the name of the Internet service provider (ISP), class, or quality of service.

Configured AC Name

Configured access concentrator name.

 

Session AC Names

Name of the access concentrator.

 

AC MAC Address

Media access control (MAC) address of the access concentrator.

 

Session Uptime

Number of seconds the current PPPoE session has been running.

 

Auto-Reconnect Timeout

Number of seconds to wait before reconnecting after a PPPoE session is terminated.

 

Idle Timeout

Number of seconds a PPPoE session can be idle without disconnecting.

 

Underlying Interface

Name of the underlying logical Ethernet or ATM interface on which PPPoE is running—for example, ge-0/0/0.1.

 
PPPoE Statistics

Active PPPoE Sessions

Total number of active PPPoE sessions.

 

Packet Type

Packets sent and received during the PPPoE session, categorized by packet type and packet error:

  • PADI—PPPoE Active Discovery Initiation packets.
  • PADO—PPPoE Active Discovery Offer packets.
  • PADR—PPPoE Active Discovery Request packets.
  • PADS—PPPoE Active Discovery Session-Confirmation packets.
  • PADT—PPPoE Active Discovery Terminate packets.
  • Service Name Error—Packets for which the Service-Name request could not be honored.
  • AC System Error—Packets for which the access concentrator experienced an error in processing the host request. For example, the host had insufficient resources to create a virtual circuit.
  • Generic Error—Packets that indicate an unrecoverable error occurred.
  • Malformed Packet—Malformed or short packets that caused the packet handler to disregard the frame as unreadable.
  • Unknown Packet—Unrecognized packets.
 

Sent

Number of the specific type of packet sent from the PPPoE client.

 

Received

Number of the specific type of packet received by the PPPoE client.

 

Timeout

Information about the timeouts that occurred during the PPPoE session.

  • PADI—Number of timeouts that occurred for the PADI packet.
  • PADO—Number of timeouts that occurred for the PADO packet. (This value is always 0 and is not supported.)
  • PADR—Number of timeouts that occurred for the PADR packet.
 

Sent

Number of the timeouts that occurred for PADI, PADO, and PADR packets.

 
PPPoE Version

Maximum Sessions

Maximum number of active PPPoE sessions the device can support. The default is 256 sessions.

 

PADI Resend Timeout

Initial time (in seconds) the device waits to receive a PADO packet for the PADI packet sent—for example, 2 seconds. This timeout doubles for each successive PADI packet sent.

The PPPoE Active Discovery Initiation (PADI) packet is sent to the access concentrator to initiate a PPPoE session. Typically, the access concentrator responds to a PADI packet with a PPPoE Active Discovery Offer (PADO) packet. If the access concentrator does not send a PADO packet, the device sends the PADI packet again after the timeout period has elapsed. The PADI Resend Timeout doubles for each successive PADI packet sent. For example, if the PADI Resend Timeout is 2 seconds, the second PADI packet is sent after 2 seconds, the third after 4 seconds, the fourth after 8 seconds, and so on.

PADR Resend Timeout

Initial time (in seconds) the device waits to receive a PADS packet for the PADR packet sent. This timeout doubles for each successive PADR packet sent.

The PPPoE Active Discovery Request (PADR) packet is sent to the access concentrator in response to a PADO packet, to obtain the PPPoE session ID. Typically, the access concentrator responds to a PADR packet with a PPPoE Active Discovery Session-Confirmation (PADS) packet, which contains the session ID. If the access concentrator does not send a PADS packet, the device sends the PADR packet again after the PADR Resend Timeout period has elapsed. The PADR Resend Timeout doubles for each successive PADR packet sent.

Maximum Resend Timeout

Maximum value (in seconds) that the PADI or PADR resend timer can accept—for example, 64 seconds. The maximum value is 64.

 

Maximum Configured AC Timeout

Time (in seconds) within which the configured access concentrator must respond.

 
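The PADI and PADR timer rows above describe an exponential backoff with a hard ceiling. The following Python code is an added example, not part of the Junos documentation or software: it models that schedule with the table's own values (2-second initial timeout, 64-second Maximum Resend Timeout) and reports the Sent and Timeout counters the PPPoE Statistics rows display. The eight-attempt limit and the scripted access concentrator replies are assumptions for illustration.

```python
"""PPPoE active-discovery retry timers, simulated (added example, not Junos code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DiscoveryTimers:
    padi_resend_timeout: int = 2   # seconds before the second PADI (page example value)
    padr_resend_timeout: int = 2   # seconds before the second PADR (assumed equal to PADI)
    max_resend_timeout: int = 64   # ceiling for both timers ("The maximum value is 64")


def wait_after(initial: int, maximum: int, attempt: int) -> int:
    """Seconds the client waits for a reply to the attempt-th packet (1-based).

    Doubles for every resend and is capped at `maximum`: 2, 4, 8, ..., 64, 64.
    """
    if initial <= 0 or maximum < initial or attempt < 1:
        raise ValueError("need initial > 0, maximum >= initial, attempt >= 1")
    return min(initial * 2 ** (attempt - 1), maximum)


def resend_schedule(initial: int, maximum: int, attempts: int) -> List[int]:
    """Delay before each of `attempts` transmissions; the first goes out at once."""
    return [0] + [wait_after(initial, maximum, n) for n in range(1, attempts)]


def run_phase(initial: int, maximum: int, answered_on: Optional[int], max_attempts: int):
    """Send one discovery packet type until the peer answers or attempts run out.

    `answered_on` scripts the access concentrator: the 1-based attempt that gets a
    reply, or None for no reply at all. Returns (sent, timeouts, elapsed_s, ok).
    """
    sent = timeouts = elapsed = 0
    for attempt in range(1, max_attempts + 1):
        sent += 1
        if answered_on is not None and attempt == answered_on:
            return sent, timeouts, elapsed, True
        timeouts += 1                      # no reply: this is what the Timeout column counts
        elapsed += wait_after(initial, maximum, attempt)
    return sent, timeouts, elapsed, False


def discover(timers: DiscoveryTimers, pado_after_padi: Optional[int],
             pads_after_padr: Optional[int], max_attempts: int = 8) -> Dict[str, object]:
    """Run PADI/PADO then PADR/PADS and report counters named like the J-Web fields."""
    padi_sent, padi_to, t1, ok = run_phase(timers.padi_resend_timeout,
                                           timers.max_resend_timeout, pado_after_padi, max_attempts)
    result = {"PADI Sent": padi_sent, "PADI Timeout": padi_to, "PADR Sent": 0,
              "PADR Timeout": 0, "Elapsed seconds": t1, "Session established": False}
    if not ok:
        return result                      # no PADO ever arrived; PADR phase never starts
    padr_sent, padr_to, t2, ok = run_phase(timers.padr_resend_timeout,
                                           timers.max_resend_timeout, pads_after_padr, max_attempts)
    result.update({"PADR Sent": padr_sent, "PADR Timeout": padr_to,
                   "Elapsed seconds": t1 + t2, "Session established": ok})
    return result


if __name__ == "__main__":
    # Constructed scenario: the access concentrator answers the third PADI and the first PADR.
    print(resend_schedule(2, 64, 8))       # [0, 2, 4, 8, 16, 32, 64, 64]
    print(discover(DiscoveryTimers(), pado_after_padi=3, pads_after_padr=1))
```

A rising PADI Timeout counter with PADI Sent climbing in step is the signature of an access concentrator that is unreachable or silent; with the default values a full run of eight unanswered PADIs takes 254 seconds before the client gives up.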

Monitoring ALGs

The J-Web interface provides detailed information about the SIP, H.323, MGCP, and SCCP ALGs.

This section contains the following topics:

Monitoring SIP ALG Information

The J-Web interface provides information for SIP ALG calls, counters, rates, and transactions.

This section contains the following topics:

Monitoring SIP ALG Calls

To view information about SIP ALG calls, select Monitor>ALGs>SIP>Calls in the J-Web interface. To view detailed information, select the Call Leg on the SIP calls page.

Alternatively, enter the following CLI command:

Table 150 summarizes key output fields in the SIP calls display.

Table 150: Summary of Key SIP Calls Output Fields

Field

Values

Additional Information

SIP Calls Information

Call Leg

Call leg identifier.

 

Zone

Client zone identifier.

 

RM Group

Resource manager group identifier.

 

Local Tag

Local tag for the SIP ALG User Agent server.

 

Remote Tag

Remote tag for the SIP ALG User Agent server.

 

Monitoring SIP ALG Counters

To view SIP ALG counters information, select Monitor>ALGs>SIP>Counters in the J-Web interface, or enter the following CLI command:

Table 151 summarizes key output fields in the SIP counters display.

Table 151: Summary of Key SIP Counters Output Fields

Field

Values

Additional Information

SIP Counters Information

INVITE

Number of INVITE requests sent.

An INVITE request is sent to invite another user to participate in a session.

CANCEL

Number of CANCEL requests sent.

A user can send a CANCEL request to cancel a pending INVITE request. A CANCEL request has no effect if the SIP server processing the INVITE had sent a final response for the INVITE before it received the CANCEL.

ACK

Number of ACK requests sent.

The user from whom the INVITE originated sends an ACK request to confirm reception of the final response to the INVITE request.

BYE

Number of BYE requests sent.

A user sends a BYE request to abandon a session. A BYE request from either user automatically terminates the session.

REGISTER

Number of REGISTER requests sent.

A user sends a REGISTER request to a SIP registrar server to inform it of the current location of the user. A SIP registrar server records all the information it receives in REGISTER requests and makes this information available to any SIP server attempting to locate a user.

OPTIONS

Number of OPTIONS requests sent.

An OPTIONS message is used by the User Agent (UA) to obtain information about the capabilities of the SIP proxy. A server responds with information about what methods, session description protocols, and message encodings it supports.

INFO

Number of INFO requests sent.

An INFO message is used to communicate mid-session signaling information along the signaling path for the call.

MESSAGE

Number of MESSAGE requests sent.

SIP messages consist of requests from a client to a server and responses to the requests from a server to a client with the purpose of establishing a session (or a call).

NOTIFY

Number of NOTIFY requests sent.

A NOTIFY message is sent to inform subscribers of changes in state to which the subscriber has a subscription.

REFER

Number of REFER requests sent.

A REFER request is used to refer the recipient (identified by the Request-URI) to a third party by the contact information provided in the request.

SUBSCRIBE

Number of SUBSCRIBE requests sent.

A SUBSCRIBE request is used to request current state and state updates from a remote node.

UPDATE

Number of UPDATE requests sent.

An UPDATE request is used to create a temporary opening in the firewall (pinhole) for new or updated Session Description Protocol (SDP) information. The following header fields are modified: Via, From, To, Call-ID, Contact, Route, and Record-Route.

SIP Error Counters

Total Pkt-in

SIP ALG total packets received.

 

Total Pkt dropped on error

Number of packets dropped by the SIP ALG.

 

Transaction error

SIP ALG transaction errors.

 

Call error

SIP ALG call errors.

 

IP resolve error

SIP ALG IP address resolution errors.

 

NAT error

SIP ALG NAT errors.

 

Resource manager error

SIP ALG resource manager errors.

 

RR header exceeded max

Number of times the SIP ALG RR (Record-Route) headers exceeded the maximum limit.

 

Contact header exceeded max

Number of times the SIP ALG contact header exceeded the maximum limit.

 

Call dropped due to limit

SIP ALG calls dropped because of call limits.

 

SIP stack error

SIP ALG stack errors.

 

Monitoring SIP ALG Rate Information

To view SIP ALG rate information, select Monitor>ALGs>SIP>Rate in the J-Web interface, or enter the following CLI command:

Table 152 summarizes key output fields in the SIP rate display.

Table 152: Summary of Key SIP Rate Output Fields

Field

Values

Additional Information

SIP Rate Information

CPU ticks per microseconds is

SIP ALG CPU ticks per microsecond.

 

Time taken for the last message in microseconds is

Time, in microseconds, that the last SIP ALG message needed to transit the network.

 

Number of messages in 10 minutes

Total number of SIP ALG messages transiting the network in 10 minutes.

 

Time taken by the messages in 10 minutes

Total time, in microseconds, during an interval of less than 10 minutes for the specified number of SIP ALG messages to transit the network.

 

Rate

Number of SIP ALG messages per second transiting the network.

 

Monitoring SIP ALG Transactions

To view information about SIP ALG transactions, select Monitor>ALGs>SIP>Transactions in the J-Web interface, or enter the following CLI command:

Table 153 summarizes key output fields in the SIP transactions display.

Table 153: Summary of Key SIP Transactions Output Fields

Field

Values

Additional Information

SIP Transactions Information

Transaction Name

  • UAS—SIP ALG User Agent server transaction name.
  • UAC—SIP ALG User Agent client transaction name.
 

Method

The method to be performed on the resource. Possible methods:

  • INVITE—Initiate call
  • ACK—Confirm final response
  • BYE—Terminate and transfer call
  • CANCEL—Cancel searches and "ringing"
  • OPTIONS—Features supported by other side
  • REGISTER—Register with location service
 

Monitoring H.323 ALG Information

To view the H.323 ALG counters information, select Monitor>ALGs>H323 in the J-Web interface, or enter the following CLI command:

Table 154 summarizes key output fields in the H.323 counters display.

Table 154: Summary of Key H.323 Counters Output Fields

Field

Values

Additional Information

H.323 Counters Information

Packets received

Number of H.323 ALG packets received.

 

Packets dropped

Number of H.323 ALG packets dropped.

 

RAS message received

Number of incoming RAS (Endpoint Registration, Admission, and Status) messages received and processed, expressed per second per gatekeeper.

 

Q.931 message received

Number of Q.931 messages received.

 

H.245 message received

Number of H.245 messages received.

 

Number of calls

Total number of H.323 ALG calls.

 

Number of active calls

Number of active H.323 ALG calls.

This counter displays the number of call legs and may not display the exact number of voice calls that are active. For instance, for a single active voice call between two endpoints, this counter might display a value of 2.

H.323 Error Counters

Decoding errors

Number of decoding errors.

 

Message flood dropped

Number of messages dropped because of message flooding.

 

NAT errors

H.323 ALG Network Address Translation (NAT) errors.

 

Resource manager errors

H.323 ALG resource manager errors.

 

Monitoring MGCP ALG Information

The J-Web interface provides information for MGCP ALG calls, counters, and endpoints.

This section contains the following topics:

Monitoring MGCP ALG Calls

To view information about MGCP ALG calls, select Monitor>ALGs>MGCP>Calls in the J-Web interface. To view detailed information, select the endpoint on the MGCP calls page.

Alternatively, enter the following CLI command:

Table 155 summarizes key output fields in the MGCP calls display.

Table 155: Summary of Key MGCP Calls Output Fields

Field

Values

Additional Information

MGCP Calls Information

Endpoint@GW

Endpoint name.

 

Zone

  • trust—Trust zone.
  • untrust—Untrust zone.
 

Call ID

Call identifier for the MGCP ALG.

 

RM Group

Resource manager group ID.

 

Call Duration

Duration for which the connection has been active.

 

Connection Id

Connection identifier for MGCP ALG calls.

 
Calls Details: Endpoint

Local SDP

IP address of the MGCP ALG local call owner, as per the Session Description Protocol (SDP).

 

Remote SDP

IP address of the MGCP ALG remote call owner, as per the Session Description Protocol (SDP).

 

Monitoring MGCP ALG Counters

To view MGCP ALG counters information, select Monitor>ALGs>MGCP>Counters in the J-Web interface, or enter the following CLI command:

Table 156 summarizes key output fields in the MGCP counters display.

Table 156: Summary of Key MGCP Counters Output Fields

Field

Values

Additional Information

MGCP Counters Information

Packets received

Number of MGCP ALG packets received.

 

Packets dropped

Number of MGCP ALG packets dropped.

 

Message received

Number of MGCP ALG messages received.

 

Number of connections

Number of MGCP ALG connections.

 

Number of active connections

Number of active MGCP ALG connections.

 

Number of calls

Number of MGCP ALG calls.

 

Number of active calls

Number of MGCP ALG active calls.

 

Number of active transactions

Number of active transactions.

 

Number of re-transmission

Number of MGCP ALG retransmissions.

 
Error Counters

Unknown-method

MGCP ALG unknown method errors.

 

Decoding error

MGCP ALG decoding errors.

 

Transaction error

MGCP ALG transaction errors.

 

Call error

MGCP ALG call errors.

 

Connection error

MGCP ALG connection errors.

 

Connection flood drop

MGCP ALG connection flood drop errors.

 

Message flood drop

MGCP ALG message flood drop errors.

 

IP resolve error

MGCP ALG IP address resolution errors.

 

NAT error

MGCP ALG Network Address Translation (NAT) errors.

 

Resource manager error

MGCP ALG resource manager errors.

 

Monitoring MGCP ALG Endpoints

To view information about MGCP ALG endpoints, select Monitor>ALGs>MGCP>Endpoints in the J-Web interface. To view detailed information, select the gateway on the MGCP endpoints page.

Alternatively, enter the following CLI command:

Table 157 summarizes key output fields in the MGCP endpoints display.

Table 157: Summary of Key MGCP Endpoints Output Fields

Field

Values

Additional Information

MGCP Endpoints

Gateway

IP address of the gateway.

 

Zone

  • trust—Trust zone.
  • untrust—Untrust zone.
 

IP

IP address.

 
Endpoints: Gateway name

Endpoint

Endpoint name.

 

Transaction #

Transaction identifier.

 

Call #

Call identifier.

 

Notified Entity

The certificate authority (CA) currently controlling the gateway.

 

Monitoring SCCP ALG Information

The J-Web interface provides information for SCCP ALG calls and counters.

This section contains the following topics:

Monitoring SCCP ALG Calls

To view information about SCCP ALG calls, select Monitor>ALGs>SCCP>Calls in the J-Web interface. To view detailed information, select the client IP address on the SCCP calls page.

Alternatively, enter the following CLI show command:

Table 158 summarizes key output fields in the SCCP calls display.

Table 158: Summary of Key SCCP Calls Output Fields

Field

Values

Additional Information

SCCP Calls Information

Client IP

IP address of the client.

 

Zone

Client zone identifier.

 

Call Manager

IP address of the call manager.

 

Conference ID

Conference call identifier.

 

RM Group

Resource manager group identifier.

 

Monitoring SCCP ALG Counters

To view SCCP ALG counters information, select Monitor>ALGs>SCCP>Counters in the J-Web interface, or enter the following CLI command:

Table 159 summarizes key output fields in the SCCP counters display.

Table 159: Summary of Key SCCP Counters Output Fields

Field

Values

Additional Information

SCCP Counters Information

Clients currently registered

Number of SCCP ALG clients currently registered.

 

Active calls

Number of active SCCP ALG calls.

 

Total calls

Total number of SCCP ALG calls.

 

Packets received

Number of SCCP ALG packets received.

 

PDUs processed

Number of SCCP ALG protocol data units (PDUs) processed.

 

Current call rate

Number of calls per second.

 
Error counters

Packets dropped

Number of packets dropped by the SCCP ALG.

 

Decode errors

SCCP ALG decoding errors.

 

Protocol errors

Number of protocol errors.

 

Address translation errors

Number of Network Address Translation (NAT) errors encountered by SCCP ALG.

 

Policy lookup errors

Number of packets dropped because of a failed policy lookup.

 

Unknown PDUs

Number of unknown protocol data units (PDUs).

 

Maximum calls exceed

Number of times the maximum SCCP calls limit was exceeded.

 

Maximum call rate exceed

Number of times the maximum SCCP call rate was exceeded.

 

Initialization errors

Number of initialization errors.

 

Internal errors

Number of internal errors.

 

Unsupported feature

Number of unsupported feature errors.

 

Non specific error

Number of nonspecific errors.

 
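The counter tables for the SIP, H.323, MGCP and SCCP ALGs (Tables 151, 154, 156 and 159) are cumulative, so a single read says little; what matters is which error counters move between two reads, whether limit-driven drops occurred, and the resulting message rate, which is what the SIP rate display (Table 152) reports as messages per second. The following Python code is an added example and not Junos code: it takes two snapshots of counters named as in those tables and produces that differential view. The snapshot values, the grouping of counter names into error, volume and limit classes, and the 1% error-ratio threshold are constructed for illustration.

```python
"""Differential monitoring of ALG counters (added example, not Junos code)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Snapshot:
    taken_at: float            # seconds since the epoch when the counters were read
    counters: Dict[str, int]   # counter name (as in the J-Web tables) -> value


# Error counter names per ALG, taken from the tables; the grouping is this example's own.
ERROR_COUNTERS = {
    "sip": {"Total Pkt dropped on error", "Transaction error", "Call error",
            "IP resolve error", "NAT error", "Resource manager error",
            "RR header exceeded max", "Contact header exceeded max",
            "Call dropped due to limit", "SIP stack error"},
    "h323": {"Packets dropped", "Decoding errors", "Message flood dropped",
             "NAT errors", "Resource manager errors"},
    "mgcp": {"Packets dropped", "Unknown-method", "Decoding error", "Transaction error",
             "Call error", "Connection error", "Connection flood drop",
             "Message flood drop", "IP resolve error", "NAT error", "Resource manager error"},
    "sccp": {"Packets dropped", "Decode errors", "Protocol errors",
             "Address translation errors", "Policy lookup errors", "Unknown PDUs",
             "Maximum calls exceed", "Maximum call rate exceed", "Initialization errors",
             "Internal errors", "Unsupported feature", "Non specific error"},
}
# Counter that measures the total traffic each ALG saw.
VOLUME_COUNTER = {"sip": "Total Pkt-in", "h323": "Packets received",
                  "mgcp": "Packets received", "sccp": "Packets received"}
# Counters that only move when a configured limit or flood control kicked in.
LIMIT_COUNTERS = {"Call dropped due to limit", "Maximum calls exceed", "Maximum call rate exceed",
                  "Message flood dropped", "Message flood drop", "Connection flood drop"}


def counter_deltas(before: Snapshot, after: Snapshot) -> Dict[str, int]:
    """Increase of every counter between two reads.

    A value below the earlier one means the counters were cleared in between,
    so the new value itself is the best estimate of the increase.
    """
    deltas = {}
    for name, value in after.counters.items():
        previous = before.counters.get(name, 0)
        deltas[name] = value - previous if value >= previous else value
    return deltas


def analyse(alg: str, before: Snapshot, after: Snapshot,
            max_error_ratio: float = 0.01) -> Dict[str, object]:
    """Rate, error deltas and findings for one ALG between two snapshots."""
    interval = after.taken_at - before.taken_at
    if interval <= 0:
        raise ValueError("snapshots must be in chronological order")
    deltas = counter_deltas(before, after)
    volume = deltas.get(VOLUME_COUNTER[alg], 0)
    errors = {n: d for n, d in deltas.items() if n in ERROR_COUNTERS[alg] and d > 0}
    error_total = sum(errors.values())
    findings: List[str] = []
    if volume and error_total / volume > max_error_ratio:
        findings.append(f"{alg}: {error_total} errors in {volume} packets "
                        f"exceeds ratio {max_error_ratio}")
    for name in sorted(errors):
        if name in LIMIT_COUNTERS:
            findings.append(f"{alg}: limit reached, {name} +{errors[name]}")
    return {"interval_s": interval, "rate_per_s": volume / interval,
            "error_deltas": errors, "findings": findings}


if __name__ == "__main__":
    # Constructed SIP snapshots ten minutes apart.
    before = Snapshot(0.0, {"Total Pkt-in": 10000, "Total Pkt dropped on error": 3,
                            "Call dropped due to limit": 0, "NAT error": 1})
    after = Snapshot(600.0, {"Total Pkt-in": 16000, "Total Pkt dropped on error": 120,
                             "Call dropped due to limit": 12, "NAT error": 1})
    for line in analyse("sip", before, after)["findings"]:
        print(line)
```

Reading the same two snapshots for each ALG on a fixed schedule and keeping only the deltas gives a compact trend; a jump in a limit counter such as Call dropped due to limit or Maximum call rate exceed is worth correlating with the configured call limits before treating it as an attack.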

Monitoring Security Policies

The security policies information is divided into multiple parts. To view summary information such as the names of the source and destination addresses of the policy, the name of a preconfigured or custom application defined for the policy, or actions taken on packets matching the policies, select Monitor>Security Policies in the J-Web interface. To view policy-specific properties such as policy or session statistics, select the policy name on the Security Policies page.

Alternatively, enter the following CLI commands:

Table 160 summarizes key output fields in the security policies information display.

Table 160: Summary of Key Security Policies Information Output Fields

Field

Values

Additional Information

Security Policies Information

Default policy

Actions the device takes on a packet that does not match any user-defined policy:

  • permit-all—Permit all traffic that does not match a policy.
  • deny-all—Deny all traffic that does not match a policy. Packets are dropped. This is the default.
 

From Zone

Name of the source zone.

 

To Zone

Name of the destination zone.

 

Policy Name

Name of the policy.

 

Source Address

Names of the source addresses for a policy. Address sets are resolved to their individual names. (In this case, only the names are given, not their IP addresses.)

 

Destination Address

Name of the destination address (or address set) as it was entered in the destination zone’s address book. A packet’s destination address must match this value for the policy to apply to it.

 

Applications

Name of a preconfigured or custom application whose type the packet matches, as specified at configuration time.

 

Action

Action taken in regard to a packet that matches the policy’s tuples, or match conditions. Actions include the following:

  • permit
  • IPsec-VPN tunnel vpn-name
  • pair-policy pair-policy-name
  • source-nat pool pool-name
  • interface
  • pool-set pool-set-name
  • destination-nat name
  • firewall-authentication
  • pass-through
  • web-authentication
  • deny
  • reject
  • count
  • log
 

State

Status of the policy:

  • enabled—The policy can be used in the policy lookup process, which determines access rights for a packet and the action taken in regard to it.
  • disabled—The policy cannot be used in the policy lookup process, and therefore it is not available for access control.
 
Security Policies: policy-name

Index

An internal number associated with the policy.

 

Sequence Number

Number of the policy within a given context. For example, three policies that are applicable in a from-zoneA to-zoneB context might be ordered with sequence numbers 1, 2, and 3. Also, in a from-zoneC to-zoneD context, four policies might have sequence numbers 1, 2, 3, and 4.

 

From Zone

Name of the source zone.

 

To Zone

Name of the destination zone.

 

Action Type

Action taken in regard to a packet that matches the policy’s tuples, or match criteria. Actions include the following:

  • permit
  • IPsec-VPN tunnel vpn-name
  • pair-policy pair-policy-name
  • source-nat pool pool-name
  • interface
  • pool-set pool-set-name
  • destination-nat name
  • firewall-authentication
  • pass-through
  • web-authentication
  • deny
  • reject
  • count
  • log
 

State

Status of the policy:

  • enabled—The policy can be used in the policy lookup process, which determines access rights for a packet and the action taken in regard to it.
  • disabled—The policy cannot be used in the policy lookup process, and therefore it is not available for access control.
 

Source addresses

Names and corresponding IP addresses of the source addresses for a policy. Address sets are resolved to their individual address name-IP address pairs.

 

Destination addresses

Name of the destination address (or address set) as it was entered in the destination zone’s address book. A packet’s destination address must match this value for the policy to apply to it.

 

Applications

Name of a preconfigured or custom application whose type the packet matches, as specified at configuration time.

  • IP protocol—The IP protocol used by the application—for example, TCP, UDP, ICMP.
  • ALG—If an ALG is associated with the session, the name of the ALG. Otherwise, 0.
  • Inactivity timeout—Elapsed time without activity after which the application is terminated.
  • Source port range—The low-high source port range for the session application.
  • Destination port range—The low-high destination port range for the session application.
 

Session log

Indicates whether the at-create and at-close flags were set at configuration time to log session information.

 

Scheduler name

Name of a preconfigured scheduler whose schedule determines when the policy is active (or inactive). The device can use an active policy to check an incoming packet to determine how to treat the packet.

 

Policy Statistics

Policy statistics include the following:

  • Input bytes—The number of bytes presented for processing by the device.
  • Output bytes—The number of bytes actually processed by the device.
  • Input packets—The number of packets presented for processing by the device.
  • Output packets—The number of packets actually processed by the device.
 

Session Statistics

Session statistics include the following:

  • Session creations—The number of sessions created since system startup.
  • Active sessions—The number of sessions currently present because of access control lookups that used this policy.
  • Session deletions—The number of sessions deleted since system startup.
 

Policy lookups

Number of times the policy was accessed to check for a match.

 
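Table 160 describes the lookup that produces these fields: the policies of one from-zone/to-zone context are tried in sequence-number order, disabled policies take no part, address sets are resolved to their member names (summary view) or name/IP pairs (detail view), the first match decides the action, and the default policy applies when nothing matches, with deny-all being the default. The following Python code is an added example, not Junos code, that implements that lookup and keeps the per-policy Policy lookups counter. The address book, address sets, applications and policies are constructed for illustration.

```python
"""Security policy lookup as Table 160 describes it (added example, not Junos code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed address book: zone -> {address name: prefix}.
ADDRESS_BOOK = {
    "trust": {"lan-clients": "10.1.0.0/16", "admin-host": "10.1.5.10/32"},
    "untrust": {"any": "0.0.0.0/0", "web-farm": "203.0.113.0/28"},
}
# Constructed address sets: zone -> {set name: member address names}.
ADDRESS_SETS = {"trust": {"trusted-users": {"lan-clients", "admin-host"}}, "untrust": {}}
# Constructed applications: name -> (IP protocol, destination port low, high).
APPLICATIONS = {"junos-http": ("tcp", 80, 80), "junos-https": ("tcp", 443, 443),
                "junos-ssh": ("tcp", 22, 22), "any": ("any", 0, 65535)}


@dataclass
class Policy:
    name: str
    from_zone: str
    to_zone: str
    sequence: int            # order within the from-zone/to-zone context
    source: Set[str]         # address or address-set names in the source zone
    destination: Set[str]    # address or address-set names in the destination zone
    applications: Set[str]
    action: str              # "permit", "deny" or "reject"
    enabled: bool = True
    lookups: int = 0         # the "Policy lookups" statistic


@dataclass(frozen=True)
class Packet:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    protocol: str
    dst_port: int


def resolve_names(zone: str, names: Set[str]) -> Set[str]:
    """Expand address sets to individual address names (the summary view)."""
    resolved: Set[str] = set()
    for name in names:
        resolved |= ADDRESS_SETS[zone].get(name, {name})
    return resolved


def resolve_networks(zone: str, names: Set[str]) -> Dict[str, ipaddress.IPv4Network]:
    """Name -> prefix pairs for the resolved addresses (the detail view)."""
    return {n: ipaddress.ip_network(ADDRESS_BOOK[zone][n]) for n in resolve_names(zone, names)}


def matches(policy: Policy, pkt: Packet) -> bool:
    """All three tuples (source, destination, application) must match."""
    src_ok = any(ipaddress.ip_address(pkt.src) in net
                 for net in resolve_networks(policy.from_zone, policy.source).values())
    dst_ok = any(ipaddress.ip_address(pkt.dst) in net
                 for net in resolve_networks(policy.to_zone, policy.destination).values())
    app_ok = any(proto in ("any", pkt.protocol) and low <= pkt.dst_port <= high
                 for proto, low, high in (APPLICATIONS[a] for a in policy.applications))
    return src_ok and dst_ok and app_ok


class PolicyTable:
    def __init__(self, policies: List[Policy], default_policy: str = "deny-all"):
        self.policies = policies
        self.default_policy = default_policy   # deny-all is the documented default

    def context(self, from_zone: str, to_zone: str) -> List[Policy]:
        """Policies of one zone pair in sequence-number order."""
        return sorted((p for p in self.policies
                       if p.from_zone == from_zone and p.to_zone == to_zone),
                      key=lambda p: p.sequence)

    def lookup(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        """(action, policy name); the name is None when the default policy decided."""
        for policy in self.context(pkt.from_zone, pkt.to_zone):
            if not policy.enabled:
                continue                       # disabled policies take no part in lookup
            policy.lookups += 1
            if matches(policy, pkt):
                return policy.action, policy.name
        return ("permit" if self.default_policy == "permit-all" else "deny"), None


def sample_table() -> PolicyTable:
    """Constructed policies for the trust -> untrust context."""
    return PolicyTable([
        Policy("admin-ssh", "trust", "untrust", 1, {"admin-host"}, {"any"}, {"junos-ssh"}, "permit"),
        Policy("allow-web", "trust", "untrust", 2, {"trusted-users"}, {"web-farm"},
               {"junos-http", "junos-https"}, "permit"),
        Policy("legacy-block", "trust", "untrust", 3, {"lan-clients"}, {"any"}, {"any"},
               "deny", enabled=False),
    ])
```

Two properties of the real lookup are visible here: a packet whose zone pair has no policies at all never reaches a user-defined rule and falls straight to the default policy, and a disabled policy neither matches nor increments its lookup counter, so a counter that never moves is one way to spot a policy that is present but inactive.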

Monitoring VPNs

The J-Web interface provides information about IKE and IPsec security associations (SAs).

This section contains the following topics:

Monitoring IKE Gateway Information

To view information about IKE security associations (SAs), select Monitor>VPNs>IKE Gateway in the J-Web interface. To view detailed information for a particular SA, select the IKE SA index on the IKE gateway page.

Alternatively, enter the following CLI commands:

Table 161 summarizes key output fields in the IKE gateway display.

Table 161: Summary of Key IKE SA Information Output Fields

Field

Values

Additional Information

IKE Security Associations

IKE SA Index

Index number of an SA.

This number is an internally generated number you can use to display information about a single SA.

Remote Address

IP address of the destination peer with which the local peer communicates.

 

State

State of the IKE security associations:

  • DOWN—SA has not been negotiated with the peer.
  • UP—SA has been negotiated with the peer.
 

Initiator cookie

Random number, called a cookie, which is sent to the remote node when the IKE negotiation is triggered.

 

Responder cookie

Random number generated by the remote node and sent back to the initiator as a verification that the packets were received.

A cookie is aimed at protecting the computing resources from attack without spending excessive CPU resources to determine the cookie’s authenticity.

Mode

Negotiation method agreed on by the two IPsec endpoints, or peers, used to exchange information between themselves. Each exchange type determines the number of messages and the payload types that are contained in each message. The modes, or exchange types, are:

  • Main—The exchange is done with six messages. This mode, or exchange type, encrypts the payload, protecting the identity of the neighbor. The authentication method used is displayed: preshared keys or certificate.
  • Aggressive—The exchange is done with three messages. This mode, or exchange type, does not encrypt the payload, leaving the identity of the neighbor unprotected.
 
IKE Security Association (SA) Index

IKE Peer

IP address of the destination peer with which the local peer communicates.

 

IKE SA Index

Index number of an SA.

This number is an internally generated number you can use to display information about a single SA.

Role

Part played in the IKE session. The device triggering the IKE negotiation is the initiator, and the device accepting the first IKE exchange packets is the responder.

 

State

State of the IKE security associations:

  • DOWN—SA has not been negotiated with the peer.
  • UP—SA has been negotiated with the peer.
 

Initiator cookie

Random number, called a cookie, which is sent to the remote node when the IKE negotiation is triggered.

 

Responder cookie

Random number generated by the remote node and sent back to the initiator as a verification that the packets were received.

A cookie is aimed at protecting the computing resources from attack without spending excessive CPU resources to determine the cookie’s authenticity.

Exchange Type

Negotiation method agreed on by the two IPsec endpoints, or peers, used to exchange information between themselves. Each exchange type determines the number of messages and the payload types that are contained in each message. The modes, or exchange types, are:

  • Main—The exchange is done with six messages. This mode, or exchange type, encrypts the payload, protecting the identity of the neighbor. The authentication method used is displayed: preshared keys or certificate.
  • Aggressive—The exchange is done with three messages. This mode, or exchange type, does not encrypt the payload, leaving the identity of the neighbor unprotected.
 

Authentication Method

Path chosen for authentication.

 

Local

Address of the local peer.

 

Remote

Address of the remote peer.

 

Lifetime

Number of seconds remaining until the IKE SA expires.

 

Algorithm

IKE algorithms used to encrypt and secure exchanges between the peers during the IPsec Phase 2 process:

  • Authentication—Type of authentication algorithm used.
    • sha1—Secure Hash Algorithm 1 (SHA-1) authentication.
    • md5—MD5 authentication.
  • Encryption—Type of encryption algorithm used.
    • aes-256-cbc—Advanced Encryption Standard (AES) 256-bit encryption.
    • aes-192-cbc—Advanced Encryption Standard (AES) 192-bit encryption.
    • aes-128-cbc—Advanced Encryption Standard (AES) 128-bit encryption.
    • 3des-cbc—Triple Data Encryption Standard (3DES) encryption.
    • des-cbc—Data Encryption Standard (DES) encryption.
  • Pseudo random function—Cryptographically secure pseudorandom function family.
 

Traffic Statistics

Traffic statistics include the following:

  • Input bytes—The number of bytes presented for processing by the device.
  • Output bytes—The number of bytes actually processed by the device.
  • Input packets—The number of packets presented for processing by the device.
  • Output packets—The number of packets actually processed by the device.
 

IPsec security associations

  • number created—The number of SAs created.
  • number deleted—The number of SAs deleted.
 

Role

Part played in the IKE session. The device triggering the IKE negotiation is the initiator, and the device accepting the first IKE exchange packets is the responder.

 

Message ID

Message identifier.

 

Local identity

Specifies the identity of the local peer so that its partner destination gateway can communicate with it. The value is specified as any of the following: IPv4 address, fully qualified domain name, e-mail address, or distinguished name.

 

Remote identity

IPv4 address of the destination peer gateway.

 
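The Initiator cookie and Responder cookie rows above note that a cookie protects the responder's computing resources without spending much CPU to check the cookie's authenticity. The following Python code is an added example, not Junos code, showing one way a responder achieves that: the cookie it hands out is derived from the peer address, the initiator's cookie and a rotating secret, so it costs no memory to issue, takes one HMAC to verify, and negotiation state is allocated only after the peer has echoed a valid cookie. The HMAC derivation, the 8-byte cookie length, the two-secret rotation window and the scenario data are assumptions for illustration; the device's own cookie construction is not documented here.

```python
"""Stateless responder cookies for a key-exchange handshake (added example, not Junos code)."""
import hashlib
import hmac
import ipaddress
import os
from typing import Dict, List, Optional, Tuple


class CookieResponder:
    COOKIE_LEN = 8   # assumed; sized like an IKE cookie

    def __init__(self, secret: Optional[bytes] = None) -> None:
        # Current secret first; the previous one is kept so in-flight cookies
        # survive a rotation without the responder remembering any of them.
        self._secrets: List[bytes] = [secret or os.urandom(32)]
        # Negotiation state exists only for peers that returned a valid cookie.
        self.negotiations: Dict[Tuple[str, bytes], str] = {}
        self.rejected = 0

    def rotate_secret(self) -> None:
        self._secrets = [os.urandom(32), self._secrets[0]]

    def _derive(self, secret: bytes, peer: str, initiator_cookie: bytes) -> bytes:
        # Binding the peer address into the MAC means a cookie copied from one
        # source address cannot be replayed from another.
        msg = ipaddress.ip_address(peer).packed + initiator_cookie
        return hmac.new(secret, msg, hashlib.sha256).digest()[: self.COOKIE_LEN]

    def responder_cookie(self, peer: str, initiator_cookie: bytes) -> bytes:
        """First message seen from a peer: answer with a cookie, remember nothing."""
        return self._derive(self._secrets[0], peer, initiator_cookie)

    def accept(self, peer: str, initiator_cookie: bytes, responder_cookie: bytes) -> bool:
        """Second message: verify the echoed cookie, then (and only then) allocate state."""
        for secret in self._secrets:
            expected = self._derive(secret, peer, initiator_cookie)
            if hmac.compare_digest(expected, responder_cookie):
                self.negotiations[(peer, initiator_cookie)] = "DOWN"   # SA not yet negotiated
                return True
        self.rejected += 1
        return False


def unanswered_starts_then_handshake(responder: CookieResponder, starts: int = 1000):
    """Constructed scenario: many first messages that are never followed up, then
    one peer that completes the exchange. Returns (accepted, negotiations kept)."""
    for i in range(starts):
        peer = str(ipaddress.IPv4Address("198.51.100.0") + i % 256)
        responder.responder_cookie(peer, os.urandom(8))        # no state kept per start
    peer, ci = "203.0.113.9", bytes.fromhex("0102030405060708")
    cr = responder.responder_cookie(peer, ci)
    return responder.accept(peer, ci, cr), len(responder.negotiations)


if __name__ == "__main__":
    print(unanswered_starts_then_handshake(CookieResponder()))   # (True, 1)
```

The point to take from the scenario helper is the second value: however many first messages arrive and are never followed up, the responder's negotiation table holds only the peers that completed the cookie round trip, which is the resource-protection property the table attributes to the cookie.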

Monitoring IPsec VPN Information

To view information about IPsec security associations (SAs), select Monitor>VPNs>IPsec VPN in the J-Web interface. To view the IPsec statistics information for a particular SA, select the IPsec SA ID value on the IPsec VPN page.

Alternatively, enter the following CLI commands:

Table 162 summarizes key output fields in the IPsec VPN display.

Table 162: Summary of Key IPsec VPN Information Output Fields

Field

Values

Additional Information

IPsec Security Associations

Total configured SA

Total number of IPsec security associations (SAs) configured on the device.

 

ID

Index number of the SA.

 

Gateway

IP address of the remote gateway.

 

Port

If NAT traversal (NAT-T) is used, this value is 4500. Otherwise it is the standard IKE port, 500.

 

Algorithm

Cryptography used to secure exchanges between peers during the IKE Phase 2 negotiations:

  • An authentication algorithm used to authenticate exchanges between the peers. Options are hmac-md5-96 or hmac-sha1-96.
  • An encryption algorithm used to encrypt data traffic. Options are 3des-cbc, aes-128-cbc, aes-192-cbc, aes-256-cbc, or des-cbc.
 

SPI

Security parameter index (SPI) identifier. An SA is uniquely identified by an SPI. Each entry includes the name of the VPN, the remote gateway address, the SPIs for each direction, the encryption and authentication algorithms, and keys. The peer gateways each have two SAs, one resulting from each of the two phases of negotiation: Phase 1 and Phase 2.

 

Life: sec/kb

The lifetime of the SA, after which it expires, expressed either in seconds or kilobytes.

 

Sta

State has two options, Installed and Not Installed.

  • Installed—The security association is installed in the security association database.
  • Not Installed—The security association is not installed in the security association database.

For transport mode, the value of State is always Installed.

Vsys

The root system.

 
IPsec Statistics Information

ESP Statistics

Encapsulation Security Protocol (ESP) statistics include the following:

  • Encrypted bytes—Total number of bytes encrypted by the local system across the IPsec tunnel.
  • Decrypted bytes—Total number of bytes decrypted by the local system across the IPsec tunnel.
  • Encrypted packets—Total number of packets encrypted by the local system across the IPsec tunnel.
  • Decrypted packets—Total number of packets decrypted by the local system across the IPsec tunnel.
 

AH Statistics

Authentication Header (AH) statistics include the following:

  • Input bytes—The number of bytes presented for processing by the device.
  • Output bytes—The number of bytes actually processed by the device.
  • Input packets—The number of packets presented for processing by the device.
  • Output packets—The number of packets actually processed by the device.
 

Errors

Errors include the following:

  • AH authentication failures—Total number of authentication header (AH) failures. An AH failure occurs when there is a mismatch of the authentication header in a packet transmitted across an IPsec tunnel.
  • Replay errors—Total number of replay errors. A replay error is generated when a duplicate packet is received within the replay window.
  • ESP authentication failures—Total number of Encapsulation Security Payload (ESP) failures. An ESP failure occurs when there is an authentication mismatch in ESP packets.
  • ESP decryption failures—Total number of ESP decryption errors.
  • Bad headers—Total number of invalid headers detected.
  • Bad trailers—Total number of invalid trailers detected.
 
Details for IPsec SA Index: ID

  • Virtual System: The root system.
  • Local Gateway: Gateway address of the local system.
  • Remote Gateway: Gateway address of the remote system.
  • Local identity: Identity of the local peer, so that its partner destination gateway can communicate with it. The value is specified as any of the following: IPv4 address, fully qualified domain name, e-mail address, or distinguished name.
  • Remote identity: IPv4 address of the destination peer gateway.
  • DF bit: State of the don't-fragment (DF) bit, set or cleared.
  • Policy name: Name of the applicable policy.
  • Direction: Direction of the security association, inbound or outbound.
  • SPI: Security parameter index (SPI) identifier. An SA is uniquely identified by an SPI. Each entry includes the name of the VPN, the remote gateway address, the SPIs for each direction, the encryption and authentication algorithms, and keys. The peer gateways each have two SAs, one resulting from each of the two phases of negotiation: Phase 1 and Phase 2.
  • Mode: Mode of the security association, transport or tunnel.
    • transport—Protects host-to-host connections.
    • tunnel—Protects connections between security gateways.
  • Type: Type of the security association, manual or dynamic.
    • manual—Security parameters require no negotiation. They are static and are configured by the user.
    • dynamic—Security parameters are negotiated by the IKE protocol. Dynamic security associations are not supported in transport mode.
  • State: Installed or Not Installed. For transport mode, the value of State is always Installed.
    • Installed—The security association is installed in the security association database.
    • Not Installed—The security association is not installed in the security association database.
  • Protocol: Protocol supported.
    • Transport mode supports Encapsulation Security Protocol (ESP) and Authentication Header (AH).
    • Tunnel mode supports ESP and AH.
      • Authentication—Type of authentication used.
      • Encryption—Type of encryption used.
  • Authentication/Encryption:
    • Authentication—Type of authentication algorithm used.
      • sha1—Secure Hash Algorithm 1 (SHA-1) authentication.
      • md5—MD5 authentication.
    • Encryption—Type of encryption algorithm used.
      • aes-256-cbc—Advanced Encryption Standard (AES) 256-bit encryption.
      • aes-192-cbc—Advanced Encryption Standard (AES) 192-bit encryption.
      • aes-128-cbc—Advanced Encryption Standard (AES) 128-bit encryption.
      • 3des-cbc—Triple Data Encryption Standard (3DES) encryption.
      • des-cbc—Data Encryption Standard (DES) encryption.
  • Soft Lifetime: The soft lifetime informs the IPsec key management system that the SA is about to expire. Each lifetime of a security association has two display options, hard and soft, one of which must be present for a dynamic security association. This allows the key management system to negotiate a new SA before the hard lifetime expires.
    • Expires in seconds—Number of seconds left until the SA expires.
    • Expires in kilobytes—Number of kilobytes left until the SA expires.
  • Hard Lifetime: The hard lifetime specifies the lifetime of the SA.
    • Expires in seconds—Number of seconds left until the SA expires.
    • Expires in kilobytes—Number of kilobytes left until the SA expires.
  • Anti Replay Service: State of the service that prevents packets from being replayed, Enabled or Disabled.
  • Replay Window Size: Configured size of the antireplay service window. It can be 32 or 64 packets. If the replay window size is 0, the antireplay service is disabled.

The antireplay window size protects the receiver against replay attacks by rejecting old or duplicate packets.
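
The replay window just described, as an added example that is not part of the original documentation: a sliding-window anti-replay check in Python modelled on the RFC 4303 bitmap algorithm, using the 32 and 64 packet window sizes the field reports (0 disables the check) and counting rejections the way the Replay errors counter above does. The sequence-number trace and the class and function names are constructed for this example.

```python
"""Sliding-window anti-replay check as an IPsec receiver applies it to each
inbound ESP/AH sequence number.  Added example, not Junos code; the bitmap
scheme follows RFC 4303 Appendix A, the window sizes are the 32/64 packets
the Replay Window Size field reports, and 0 disables the check."""


class AntiReplayWindow:
    def __init__(self, size):
        if size not in (0, 32, 64):
            raise ValueError("replay window size must be 0, 32 or 64")
        self.size = size
        self.mask = (1 << size) - 1
        self.top = 0             # highest sequence number accepted so far
        self.bitmap = 0          # bit i set => sequence number (top - i) seen
        self.replay_errors = 0   # mirrors the "Replay errors" counter

    def accept(self, seq):
        """Return True if seq is new and inside the window, updating state.

        Duplicates and packets older than the window are rejected and
        counted as replay errors.  With size 0 every packet is accepted,
        which is what a disabled anti-replay service does."""
        if self.size == 0:
            return True
        if seq == 0:                      # a fresh SA starts at 1, so 0 is bogus
            self.replay_errors += 1
            return False
        if seq > self.top:                # newer than anything seen: slide window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.top = seq
            return True
        offset = self.top - seq           # distance below the top edge
        if offset >= self.size or (self.bitmap >> offset) & 1:
            self.replay_errors += 1       # too old, or already received
            return False
        self.bitmap |= 1 << offset        # late but inside the window: accept once
        return True


# Constructed trace: in-order packets, a duplicate, a jump that slides the
# window, late arrivals near the window edge, and a second duplicate.
TRACE = [1, 2, 3, 2, 40, 5, 8, 9, 100, 100, 68, 69, 60]


def replay_trace(size, seqs):
    """Run a trace through one window; return (accepted seqs, replay errors)."""
    window = AntiReplayWindow(size)
    accepted = [s for s in seqs if window.accept(s)]
    return accepted, window.replay_errors


if __name__ == "__main__":
    for size in (0, 32, 64):
        accepted, errors = replay_trace(size, TRACE)
        print(f"window {size:2}: accepted {accepted}, replay errors {errors}")
```

With the 32-packet window, sequence numbers 5, 8, 68 and 60 fall outside the window after the jumps to 40 and 100 and are counted as replay errors; the 64-packet window accepts them and rejects only the two duplicates.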

Monitoring Firewall Authentication

The J-Web interface provides information about user authentications and history of authentications.

This section contains the following topics:

Monitoring Firewall Authentication Table

The firewall authentication user information is divided into multiple parts. To view information about the authentication table, select Monitor>Firewall Authentication>Authentication Table in the J-Web interface. To view detailed information about the user with a particular identifier, select the ID on the Authentication Table page. To view detailed information about the user at a particular source IP address, select the Source IP on the Authentication Table page.

Alternatively, enter the following CLI commands:

Table 163 summarizes key output fields in firewall authentication table display.

Table 163: Summary of Key Firewall Authentication Table Output Fields

Firewall authentication users
  • Total users in table: Number of users in the authentication table.

Authentication table
  • ID: Authentication identification number.
  • Source IP: IP address of the authentication source.
  • Age: Idle timeout for the user.
  • Status: Status of authentication (success or failure).
  • User: Name of the user.

Detailed report per ID selected: ID
  • Source Zone: Name of the source zone.
  • Destination Zone: Name of the destination zone.
  • Profile: Name of the profile (user information).
  • Authentication method: Path chosen for authentication.
  • Policy Id: Policy identifier.
  • Interface name: Name of the interface.
  • Bytes sent by this user: Number of bytes sent by this user.
  • Bytes received by this user: Number of bytes received by this user.
  • Client-groups: Name of the client group.

Detailed report per Source IP selected
  • Entries from Source IP: IP address of the authentication source.
  • Source Zone: Name of the source zone.
  • Destination Zone: Name of the destination zone.
  • Profile: Name of the profile.
  • Age: Idle timeout for the user.
  • Status: Status of authentication (success or failure).
  • User: Name of the user.
  • Authentication method: Path chosen for authentication.
  • Policy Id: Policy identifier.
  • Interface name: Name of the interface.
  • Bytes sent by this user: Number of bytes sent by this user.
  • Bytes received by this user: Number of bytes received by this user.
  • Client-groups: Name of the client group.

Monitoring Firewall Authentication History

The firewall authentication history information is divided into multiple parts. To view information about the authentication history, select Monitor > Firewall Authentication > Firewall Authentication History in the J-Web interface. To view the detailed history of the authentication with this identifier, select the ID on the Firewall Authentication History page. To view a detailed authentication history of this source IP address, select the Source IP on the Firewall Authentication History page.

Alternatively, enter the following CLI show commands:

Table 164 summarizes key output fields in the firewall authentication history display.

Table 164: Summary of Key Firewall Authentication History Output Fields

History of Firewall Authentication Data
  • Total authentications: Number of authentications.

History Table
  • ID: Identification number.
  • Source IP: IP address of the authentication source.
  • Start Date: Authentication date.
  • Start Time: Authentication time.
  • Duration: Authentication duration.
  • Status: Status of authentication (success or failure).
  • User: Name of the user.

Detail history of selected ID: ID
  • Authentication method: Path chosen for authentication.
  • Policy Id: Security policy identifier.
  • Source zone: Name of the source zone.
  • Destination Zone: Name of the destination zone.
  • Interface name: Name of the interface.
  • Bytes sent by this user: Number of bytes sent by this user.
  • Bytes received by this user: Number of bytes received by this user.
  • Client-groups: Name of the client group.

Detail history of selected Source IP: Source IP
  • User: Name of the user.
  • Start Date: Authentication date.
  • Start Time: Authentication time.
  • Duration: Authentication duration.
  • Status: Status of authentication (success or failure).
  • Profile: Name of the profile.
  • Authentication method: Path chosen for authentication.
  • Policy Id: Security policy identifier.
  • Source zone: Name of the source zone.
  • Destination Zone: Name of the destination zone.
  • Interface name: Name of the interface.
  • Bytes sent by this user: Number of bytes sent by this user.
  • Bytes received by this user: Number of bytes received by this user.
  • Client-groups: Name of the client group.

Monitoring the WAN Acceleration Interface

To view status information and traffic statistics for the WAN acceleration interface, select Monitor>WAN Acceleration in the J-Web interface, or select Monitor>Interfaces and select the interface name (wx-slot/0/0). Alternatively, enter the following CLI command:

user@host> show interfaces wx-slot/0/0 detail

For a description of the interface properties and statistics, see the Junos OS Interfaces and Routing Configuration Guide.

Monitoring Firewall/NAT

The J-Web interface provides information about stateful firewall and Network Address Translation (NAT).

This section contains the following topics:

Monitoring Incoming Table Information

To view Network Address Translation table information, select Monitor>Firewall/NAT>Incoming Table in the J-Web interface, or enter the following CLI command:

Table 165 summarizes key output fields in the incoming table display.

Table 165: Summary of Key Incoming Table Output Fields

Incoming Table Summary
  • In use: Number of entries in the NAT table.
  • Maximum: Maximum number of entries possible in the NAT table.
  • Entry allocation failed: Number of entries for which allocation failed.
  • Destination: Destination IP address and port number.
  • Host: Host IP address and port number that the destination IP address is mapped to.
  • References: Number of sessions referencing the entry.
  • Timeout: Timeout, in seconds, of the entry in the NAT table.
  • Source-pool: Name of the source pool where the translation is allocated.

Monitoring Interface NAT Information

To view port usage information for an interface source pool, select Monitor>Firewall/NAT>Interface NAT in the J-Web interface, or enter the following CLI command:

Table 166 summarizes key output fields in the interface NAT display.

Table 166: Summary of Key Interface NAT Output Fields

Interface NAT Summary Table
  • Pool Index: Port pool index.
  • Total Ports: Total number of ports in a port pool.
  • Single Ports Allocated: Number of ports allocated one at a time that are in use.
  • Single Ports Available: Number of ports allocated one at a time that are free for use.
  • Twin Ports Allocated: Number of ports allocated two at a time that are in use.
  • Twin Ports Available: Number of ports allocated two at a time that are free for use.

Monitoring Source NAT Information

To view the source Network Address Translation (NAT) summary table and the details of the specified NAT source address pool information, select Monitor>Firewall/NAT>Source NAT in the J-Web interface, or enter the following CLI commands:

Table 167 summarizes key output fields in the source NAT display.

Table 167: Summary of Key Source NAT Output Fields

Source NAT Summary Table
  • Pool Name: Name of the source pool.
  • Address Low: Starting IP address of one address range in the source pool.
  • Address High: Ending IP address of one address range in the source pool.
  • Interface: Name of the interface on which the source pool is defined.
  • PAT: Whether Port Address Translation (PAT) is enabled (Yes or No).

Source NAT Pool Specific Summary: pool-name
  • Address: IP address in the source pool.
  • Interface: Name of the interface on which the source pool is defined.
  • Status: Status of the IP address.
    • Active—Denotes that the IP address is in use. This status applies only to source NAT without Port Address Translation (PAT).
    • Free—IP address is available for allocation.
  • Single Ports: Number of allocated single ports.
  • Twin Ports: Number of allocated twin ports.
  • PAT: Whether PAT is enabled (Yes or No).

Monitoring Static NAT Information

To view static Network Address Translation table information, select Monitor>Firewall/NAT>Static NAT in the J-Web interface, or enter the following CLI command:

Table 168 summarizes key output fields in the static NAT display.

Table 168: Summary of Key Static NAT Output Fields

Static NAT Summary Table
  • Total mappings: Number of static NAT entries in the table.
  • Maximum: Maximum number of static NAT entries possible.
  • Ingress interface: Name of the interface on which static NAT is defined.
  • Destination: Destination IP address and subnet mask.
  • Host: Host IP address and subnet mask mapped to the destination IP address and subnet mask.
  • Virtual router: Name of the virtual router that performs route lookup for the host IP address and subnet mask.

Monitoring Screen Counters

To view screen statistics for a specified security zone, select Monitor>Firewall/NAT>Screen Counters in the J-Web interface, or enter the following CLI command:

Table 169 summarizes key output fields in the screen counters display.

Table 169: Summary of Key Screen Counters Output Fields

Zones
  • ICMP Flood: Internet Control Message Protocol (ICMP) flood counter. An ICMP flood typically occurs when ICMP echo requests use all resources in responding, such that valid network traffic can no longer be processed.
  • UDP Flood: User Datagram Protocol (UDP) flood counter. UDP flooding occurs when an attacker sends IP packets containing UDP datagrams with the purpose of slowing down the resources, such that valid connections can no longer be handled.
  • TCP Winnuke: Number of Transmission Control Protocol (TCP) WinNuke attacks. WinNuke is a denial-of-service (DoS) attack targeting any computer on the Internet running Windows.
  • TCP Port Scan: Number of TCP port scans. The purpose of this attack is to scan the available services in the hopes that at least one port will respond, thus identifying a service to target.
  • ICMP Address Sweep: Number of ICMP address sweeps. An IP address sweep can occur with the intent of triggering responses from active hosts.
  • IP Tear Drop: Number of teardrop attacks. Teardrop attacks exploit the reassembly of fragmented IP packets.
  • TCP SYN Attack: Number of TCP SYN attacks.
  • IP Spoofing: Number of IP spoofs. IP spoofing occurs when an invalid source address is inserted in the packet header to make the packet appear to come from a trusted source.
  • ICMP Ping of Death: ICMP ping of death counter. Ping of death occurs when IP packets are sent that exceed the maximum legal length (65,535 bytes).
  • IP Source Route: Number of IP source route attacks.
  • TCP Land Attack: Number of land attacks. Land attacks occur when an attacker sends spoofed SYN packets containing the IP address of the victim as both the destination and source IP address.
  • TCP SYN Fragment: Number of TCP SYN fragments.
  • TCP No Flag: Number of TCP headers without flags set. A normal TCP segment header has at least one control flag set.
  • IP Unknown Protocol: Number of unknown Internet protocols.
  • IP Bad Options: Number of invalid options.
  • IP Record Route Option: Number of packets with the IP record route option enabled. This option records the IP addresses of the network devices along the path that the IP packet travels.
  • IP Timestamp Option: Number of IP timestamp option attacks. This option records the time (in Universal Time) when each network device receives the packet during its trip from the point of origin to its destination.
  • IP Security Option: Number of IP security option attacks.
  • IP Loose Route Option: Number of IP loose route option attacks. This option specifies a partial route list for a packet to take on its journey from source to destination.
  • IP Strict Source Route Option: Number of IP strict source route option attacks. This option specifies the complete route list for a packet to take on its journey from source to destination.
  • IP Stream Option: Number of stream option attacks. This option provides a way for the 16-bit SATNET stream identifier to be carried through networks that do not support streams.
  • ICMP Fragment: Number of ICMP fragments. Because ICMP packets contain very short messages, there is no legitimate reason for ICMP packets to be fragmented. If an ICMP packet is so large that it must be fragmented, something is amiss.
  • ICMP Large Packet: Number of large ICMP packets.
  • TCP SYN FIN Packet: Number of TCP SYN FIN packets.
  • TCP FIN without ACK: Number of TCP FIN flags without the acknowledge (ACK) flag.
  • TCP SYN-ACK-ACK Proxy: Number of TCP flags enabled with SYN-ACK-ACK. To prevent flooding with SYN-ACK-ACK sessions, you can enable the SYN-ACK-ACK proxy protection screen option. After the number of connections from the same IP address reaches the SYN-ACK-ACK proxy threshold, JUNOS software rejects further connection requests from that IP address.
  • IP Block Fragment: Number of IP block fragments.
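
The single-packet screens in Table 169, as an added example rather than Junos code: a Python classifier that assigns constructed packets to the screen counters a zone would report, so a reader can see which header conditions increment which counter. The packet dictionary layout, the sample traffic, the large-ICMP threshold and the unknown-protocol rule are assumptions of this example; the rate-based screens (floods, port scans, address sweeps, SYN-ACK-ACK proxy) need per-source state and are not modelled.

```python
"""Stateless screen checks over constructed packets, tallied per zone the
way the Screen Counters table reports them.  Added example, not Junos code."""
from collections import Counter

# IANA IPv4 option type values behind the "IP ... Option" counters.
IP_OPTION_COUNTERS = {
    7: "IP Record Route Option",
    68: "IP Timestamp Option",
    130: "IP Security Option",
    131: "IP Loose Route Option",
    136: "IP Stream Option",
    137: "IP Strict Source Route Option",
}
KNOWN_PROTOS = {"icmp", "tcp", "udp"}  # assumption: anything else is "unknown"
MAX_IP_LENGTH = 65535                  # largest legal IP datagram (ping of death)
LARGE_ICMP_THRESHOLD = 1024            # assumed threshold for "ICMP Large Packet"


def screen_packet(pkt):
    """Return the list of screen counters one constructed packet hits.

    pkt keys: zone, src, dst, proto ("tcp", "udp", "icmp" or a raw protocol
    number), flags (set of TCP flag names), frag_offset (8-byte units),
    mf (more-fragments bit), length (bytes in this fragment), ip_options
    (list of option type values).  Missing keys mean "not set".
    """
    hits = []
    proto = pkt["proto"]
    flags = pkt.get("flags", set())
    offset = pkt.get("frag_offset", 0)
    fragmented = pkt.get("mf", False) or offset > 0

    # Option types not in the table above are counted as bad options.
    for opt in pkt.get("ip_options", []):
        hits.append(IP_OPTION_COUNTERS.get(opt, "IP Bad Options"))

    if proto == "icmp":
        # Where this fragment would end once reassembled.
        if offset * 8 + pkt["length"] > MAX_IP_LENGTH:
            hits.append("ICMP Ping of Death")
        if fragmented:
            hits.append("ICMP Fragment")
        if pkt["length"] > LARGE_ICMP_THRESHOLD:
            hits.append("ICMP Large Packet")
    elif proto == "tcp":
        # A normal TCP header has at least one control flag; SYN+FIN and
        # FIN-without-ACK are combinations no real stack sends.
        if not flags:
            hits.append("TCP No Flag")
        elif {"SYN", "FIN"} <= flags:
            hits.append("TCP SYN FIN Packet")
        elif "FIN" in flags and "ACK" not in flags:
            hits.append("TCP FIN without ACK")
        if "SYN" in flags and fragmented:
            hits.append("TCP SYN Fragment")
        if "SYN" in flags and pkt["src"] == pkt["dst"]:
            hits.append("TCP Land Attack")
    elif proto not in KNOWN_PROTOS:
        hits.append("IP Unknown Protocol")
    return hits


def screen_counters(packets):
    """Tally hits per (zone, counter), like the rows of the Screen Counters table."""
    counts = Counter()
    for pkt in packets:
        for name in screen_packet(pkt):
            counts[(pkt["zone"], name)] += 1
    return counts


# Constructed sample traffic arriving in a zone named "untrust".
SAMPLE_PACKETS = [
    dict(zone="untrust", src="203.0.113.5", dst="198.51.100.10", proto="tcp",
         flags={"SYN"}, length=60),                     # ordinary SYN: clean
    dict(zone="untrust", src="198.51.100.10", dst="198.51.100.10", proto="tcp",
         flags={"SYN"}, length=60),                     # source == destination
    dict(zone="untrust", src="203.0.113.7", dst="198.51.100.10", proto="tcp",
         flags=set(), length=40),                       # no flags at all
    dict(zone="untrust", src="203.0.113.8", dst="198.51.100.10", proto="tcp",
         flags={"SYN", "FIN"}, length=40),              # SYN and FIN together
    dict(zone="untrust", src="203.0.113.9", dst="198.51.100.10", proto="tcp",
         flags={"FIN"}, length=40),                     # FIN without ACK
    dict(zone="untrust", src="203.0.113.10", dst="198.51.100.10", proto="icmp",
         frag_offset=8180, length=1500),                # 65440 + 1500 > 65535
    dict(zone="untrust", src="203.0.113.11", dst="198.51.100.10", proto="icmp",
         mf=True, length=1480),                         # fragmented, large ICMP
    dict(zone="untrust", src="203.0.113.12", dst="198.51.100.10", proto="udp",
         length=200, ip_options=[7, 137]),              # record route + strict SR
    dict(zone="untrust", src="203.0.113.13", dst="198.51.100.10", proto=253,
         length=100),                                   # experimental protocol number
]

if __name__ == "__main__":
    for (zone, name), n in sorted(screen_counters(SAMPLE_PACKETS).items()):
        print(f"{zone:8} {name:32} {n}")
```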


Monitoring Flow Session Statistics

The J-Web interface provides session statistics according to the session filter you select on the Flow Session Statistics page.

This section contains the following topics:

Monitoring Flow Session Statistics Summary Information

To view summary information about existing sessions, including types of sessions, active and failed sessions, and the maximum allowed number of sessions, select Monitor>Firewall/NAT>Flow Session Statistics in the J-Web interface. Then select summary from the Session Filter list and click Show. Alternatively, enter the following CLI command:

Table 170 summarizes key output fields in the flow session statistics display.

Table 170: Summary of Key Flow Session Statistics Output Fields

Flow Session Statistics: session filter—summary (By default)
  • Unicast-sessions: Total number of active unicast sessions.
  • Multicast-sessions: Total number of active multicast sessions.
  • Failed-sessions: Total number of failed sessions.
  • Active-sessions: Total number of active sessions.
  • Maximum-sessions: Maximum number of supported sessions.

Monitoring Flow Information for All Sessions

To view information about all currently active security sessions on the device, select Monitor>Firewall/NAT>Flow Session Statistics in the J-Web interface. Then select all from the Session Filter list and click Show. To view information about the incoming and outgoing source and destination addresses and the protocol and interface for a specific session, select the session ID on the Flow Session Statistics page.

Alternatively, enter the following CLI command:

Table 171 summarizes key output fields in the flow all session display.

Table 171: Summary of Key Flow All Session Information Output Fields

Flow Session Statistics: session filter—all
  • Session ID: Number that identifies the session. Use this ID to get more information about the session.
  • Policy name: Policy that permitted the traffic.
  • Timeout: Idle timeout after which the session expires.

Flow Session Statistics: Session ID
  • In: Incoming flow (source and destination IP addresses, application protocol, and interface).
  • Out: Reverse flow (source and destination IP addresses, application protocol, and interface).

Monitoring Flow Information for Application Sessions

To view information about each session of the specified application type, select Monitor>Firewall/NAT>Flow Session Statistics in the J-Web interface. Then select application from the Session Filter list and click Show. Alternatively, enter the following CLI command:

Table 172 summarizes key output fields in the flow session application display.

Table 172: Summary of Key Flow Application Session Information Output Fields

Flow Session Statistics: session filter—application
  • Session ID: Number that identifies the session. Use this ID to get more information about the session.
  • Policy name: Policy that permitted the traffic.
  • Timeout: Idle timeout after which the session expires.
  • In: Incoming flow (source and destination IP addresses, application protocol, and interface).
  • Out: Reverse flow (source and destination IP addresses, application protocol, and interface).

Monitoring Flow Session Destination Port Information

To view information about each session that uses the specified destination port, select Monitor>Firewall/NAT>Flow Session Statistics in the J-Web interface. Then select destination port from the Session Filter list and click Show. Alternatively, enter the following CLI command:

Table 173 summarizes key output fields in the flow session destination port display.

Table 173: Summary of Key Flow Destination Port Session Information Output Fields

Flow Session Statistics: session filter—destination port
  • Session ID: Number that identifies the session. Use this ID to get more information about the session.
  • Policy name: Policy that permitted the traffic.
  • Timeout: Idle timeout after which the session expires.
  • In: Incoming flow (source and destination IP addresses, application protocol, and interface).
  • Out: Reverse flow (source and destination IP addresses, application protocol, and interface).

Monitoring Flow Session Destination Prefix Information

To view information about each session that uses the specified destination prefix, select Monitor>Firewall/NAT>Flow Session Statistics in the J-Web interface. Then select destination prefix from the Session Filter list and click Show. Alternatively, enter the following CLI command:

Table 174 summarizes key output fields in the flow session destination prefix display.

Table 174: Summary of Key Flow Destination Prefix Session Information Output Fields

Flow Session Statistics: session filter—destination prefix
  • Session ID: Number that identifies the session. Use this ID to get more information about the session.
  • Policy name: Policy that permitted the traffic.
  • Timeout: Idle timeout after which the session expires.
  • In: Incoming flow (source and destination IP addresses, application protocol, and interface).
  • Out: Reverse flow (source and destination IP addresses, application protocol, and interface).

Monitoring Flow Session Interface Information

To view information about each session that uses the specified incoming or outgoing interface, select Monitor>Firewall/NAT>Flow Session Statistics in the J-Web interface. Then select interface from the Session Filter list and click Show. Alternatively, enter the following CLI command:

Table 175 summarizes key output fields in the flow session interface display.

Table 175: Summary of Key Flow Interface Session Information Output Fields

Flow Session Statistics: session filter—interface
  • Session ID: Number that identifies the session. Use this ID to get more information about the session.
  • Policy name: Policy that permitted the traffic.
  • Timeout: Idle timeout after which the session expires.
  • In: Incoming flow (source and destination IP addresses, application protocol, and interface).
  • Out: Reverse flow (source and destination IP addresses, application protocol, and interface).

Monitoring Flow Session Protocol Information

To view information about each session that uses the specified protocol, select Monitor>Firewall/NAT>Flow Session Statistics in the J-Web interface. Then select protocol from the Session Filter list and click Show. Alternatively, enter the following CLI command:

Table 176 summarizes key output fields in the flow session protocol display.

Table 176: Summary of Key Flow Protocol Session Information Output Fields

Flow Session Statistics: session filter—protocol
  • Session ID: Number that identifies the session. Use this ID to get more information about the session.
  • Policy name: Policy that permitted the traffic.
  • Timeout: Idle timeout after which the session expires.
  • In: Incoming flow (source and destination IP addresses, application protocol, and interface).
  • Out: Reverse flow (source and destination IP addresses, application protocol, and interface).

Monitoring Flow Session Resource Manager

To view information about sessions created by the resource manager, select Monitor>Firewall/NAT>Flow Session Statistics in the J-Web interface. Then select resource manager from the Session Filter list and click Show. Alternatively, enter the following CLI command:

Table 177 summarizes key output fields in the flow session resource manager display.

Table 177: Summary of Key Flow Resource Manager Session Output Fields

Flow Session Statistics: session filter—resource manager
  • Session ID: Number that identifies the session. Use this ID to get more information about the session.
  • Policy name: Policy that permitted the traffic.
  • Timeout: Idle timeout after which the session expires.
  • Resource information: Information about the session particular to the resource manager, including the name of the ALG, the group ID, and the resource ID.

Flow Session Statistics: Session ID
  • In: Incoming flow (source and destination IP addresses, application protocol, and interface).
  • Out: Reverse flow (source and destination IP addresses, application protocol, and interface).

Monitoring Flow Session Identifier Session

To view information about the session, select Monitor>Firewall/NAT>Flow Session Statistics in the J-Web interface. Then select session identifier from the Session Filter list and click Show. Alternatively, enter the following CLI command:

Table 178 summarizes key output fields in the flow session identifier session display.

Table 178: Summary of Key Flow Session Identifier Output Fields

Flow Session Statistics: session filter—session identifier
  • Session ID: Number that identifies the session. Use this ID to get more information about the session.
  • Status: Session status.
  • Flag: Internal flag depicting the state of the session, used for debugging purposes.
  • Virtual system: Virtual system to which the session belongs.
  • Policy name: Name and ID of the policy that the first packet of the session matched.
  • Maximum timeout: Maximum session timeout.
  • Current timeout: Remaining time for the session unless traffic exists in the session.
  • Start time: Time when the session was created, offset from the system start time.
  • Duration: Length of time for which the session is active.
  • In: For the input flow:
    • Source and destination addresses and protocol tuple for the input flow.
    • Interface: input flow interface.
    • Session token: Internal token derived from the virtual routing instance.
    • Flag: Internal debugging flags.
    • Route: Internal next hop of the route to be used by the flow.
    • Gateway: Next-hop gateway of the flow.
    • Tunnel: If the flow is going into a tunnel, the tunnel ID. Otherwise, 0 (zero).
    • Port Sequence, FIN sequence, FIN state, Cookie: Internal TCP state tracking information.
  • Out: For the reverse flow:
    • Source and destination addresses and protocol tuple for the reverse flow.
    • Interface: reverse flow interface.
    • Session token: Internal token derived from the virtual routing instance.
    • Flag: Internal debugging flags.
    • Route: Internal next hop of the route to be used by the flow.
    • Gateway: Next-hop gateway of the flow.
    • Tunnel: If the flow is going into a tunnel, the tunnel ID. Otherwise, 0 (zero).
    • Port Sequence, FIN sequence, FIN state, Cookie: Internal TCP state tracking information.

Monitoring Flow Session Source Port Information

To view information about each session that uses the specified source port, select Monitor>Firewall/NAT>Flow Session Statistics in the J-Web interface. Then select source port from the Session Filter list and click Show. Alternatively, enter the following CLI command:

Table 179 summarizes key output fields in the flow session source port display.

Table 179: Summary of Key Flow Source Port Session Output Fields

Flow Session Statistics: session filter—source port
  • Session ID: Number that identifies the session. Use this ID to get more information about the session.
  • Policy name: Policy that permitted the traffic.
  • Timeout: Idle timeout after which the session expires.
  • In: Incoming flow (source and destination IP addresses, application protocol, and interface).
  • Out: Reverse flow (source and destination IP addresses, application protocol, and interface).

Monitoring Flow Session Source Prefix Information

To view information about each session that uses the specified source prefix, select Monitor>Firewall/NAT>Flow Session Statistics in the J-Web interface. Then select source prefix from the Session Filter list and click Show. Alternatively, enter the following CLI command:

Table 180 summarizes key output fields in the flow session source prefix display.

Table 180: Summary of Key Flow Source Prefix Session Output Fields

Flow Session Statistics: session filter—source prefix
  • Session ID: Number that identifies the session. Use this ID to get more information about the session.
  • Policy name: Policy that permitted the traffic.
  • Timeout: Idle timeout after which the session expires.
  • In: Incoming flow (source and destination IP addresses, application protocol, and interface).
  • Out: Reverse flow (source and destination IP addresses, application protocol, and interface).

Monitoring Flow Session Tunnel Information

To view information about all tunnel sessions, select Monitor>Firewall/NAT>Flow Session Statistics in the J-Web interface. Then select tunnel from the Session Filter list and click Show. Alternatively, enter the following CLI command:

Table 181 summarizes key output fields in the flow session tunnel display.

Table 181: Summary of Key Flow Tunnel Session Output Fields

Flow Session Statistics: session filter—tunnel
  • Session ID: Number that identifies the session. Use this ID to get more information about the session.
  • Policy name: Policy that permitted the traffic.
  • Timeout: Idle timeout after which the session expires.
  • In: Incoming flow (source and destination IP addresses, application protocol, and interface).

Monitoring Flow Gate Information

To view information about temporary openings known as pinholes or gates in the security firewall, select Monitor>Firewall/NAT>Flow Gate Information in the J-Web interface, or enter the following CLI command:

Table 182 summarizes key output fields in the flow gate display.

Table 182: Summary of Key Flow Gate Output Fields

Flow Gate Information
  • Hole: Range of flows permitted by the pinhole.
  • Translated: Tuples used to create the session if it matches the pinhole:
    • Source address and port
    • Destination address and port
  • Protocol: Application protocol, such as UDP or TCP.
  • Application: Name of the application.
  • Age: Idle timeout for the pinhole.
  • Flags: Internal debug flags for the pinhole.
  • Zone: Incoming zone.
  • Reference count: Number of resource-manager references to the pinhole.
  • Resource: Resource manager information about the pinhole.

Monitoring DHCP

This section contains the following topics:

Monitoring DHCP Service Statistics

A J-series or SRX-series device can operate as a Dynamic Host Configuration Protocol (DHCP) server. To view information about global scope and DHCP service statistics, select Monitor>DHCP>Statistics in the J-Web interface or enter the following CLI commands:

Table 183 summarizes the key output fields in the DHCP service statistics displays.

Table 183: Summary of Key Global Scope and DHCP Service Statistics Output Fields

Field

Values

Additional Information

Global Information Summary

BOOTP Lease Length

Length of the BOOTP lease.

 
DHCP Options

Server Identifier

IP address of the DHCP server itself, sent to clients as the server identifier option.

 

Name Server

IP address of the name server.

 

Router

IP address of the default router (gateway) advertised to clients.

 

Domain Name

Name of the domain.

 
DHCP Lease Time

Default Lease Time

Lease time assigned to clients that do not request a specific lease time.

 

Minimum Lease Time

Minimum time a client can retain an IP address lease on the server.

 

Maximum Lease Time

Maximum time a client can retain an IP address lease on the server.

 

Total Dropped packets

Total number of packets dropped and the number of packets dropped due to a particular condition.

 

Messages Received

Number of BOOTREQUEST, DHCPDECLINE, DHCPINFORM, DHCPRELEASE, and DHCPREQUEST messages sent from DHCP clients and received by the DHCP server.

 

Messages Sent

Number of BOOTREPLY, DHCPOFFER, DHCPACK, and DHCPNAK messages sent from the DHCP server to DHCP clients.

 

Monitoring DHCP Client Bindings

To view information about DHCP client bindings, select Monitor>DHCP>Binding in the J-Web interface or enter the following CLI command:

Table 184 summarizes the key output fields in the DHCP client binding displays.

Table 184: Summary of Key DHCP Client Binding Output Fields

Field

Values

Additional Information

IP Address

List of IP addresses the DHCP server has assigned to clients.

 

Hardware Address

Corresponding media access control (MAC) address of the client.

 

Type

Type of binding assigned to the client: dynamic or static.

 

Lease Expires at

Date and time the lease expires, or never for leases that do not expire.

 

Monitoring DHCP Conflicts

To view information about DHCP address conflicts, select Monitor>DHCP>Conflicts in the J-Web interface or enter the following CLI command:

Table 185 summarizes the key output fields in the DHCP conflict displays.

Table 185: Summary of Key DHCP Conflict Statistics Output Fields

Field

Values

Additional Information

Detection Time

Date and time the client detected the conflict.

 

Detection Method

How the conflict was detected.

Only client-detected conflicts are displayed.

IP Address

IP address where the conflict occurred.

Addresses in the conflicts list remain excluded from the address pool until you use the clear system services dhcp conflict command to clear the list.

Monitoring DHCP Clients

To view information about DHCP clients, select Monitor>DHCP>Client in the J-Web interface or enter the following CLI command:

Table 186 summarizes the key output fields in the DHCP client displays.

Table 186: Summary of Key DHCP Client Output Fields

Field

Values

Additional Information

Interface

Name of the logical interface.

 

Obtained at

Date and time the lease was obtained.

 

Hardware Address

MAC address of the interface.

 

Status

State of the client binding.

 

Address obtained

IP address obtained from the DHCP server.

 

Update Server

Displayed if propagation of TCP/IP settings is enabled: the settings this interface obtains as a DHCP client are passed on to the DHCP server configured on the device.

 

Lease obtained at

Date and time the lease was obtained.

 

Lease Expires at

Date and time the lease expires.

 

Monitoring DHCP Relay Statistics

To view information about DHCP relay statistics, select Monitor>DHCP>Relay Statistics in the J-Web interface or enter the following CLI command:

Table 187 summarizes the key output fields in the DHCP relay statistics displays.

Table 187: Summary of Key DHCP Relay Statistics Output Fields

Field

Values

Additional Information

Received Packets

Total DHCP packets received.

 

Forwarded Packets

Total DHCP packets forwarded.

 

Dropped packets

Total DHCP packets dropped for the following reasons:

  • Missing interface in the relay database
  • Missing matching routing instance
  • Error during packet read
  • Error during packet send
  • Invalid server address
  • Missing valid local address
  • Missing route to the server or client
 

Monitoring Enhanced Switching

The Monitor pages for enhanced switching let you view information and status for the following:

Monitoring Spanning Tree

To view status and information about the spanning tree interface parameters, select Monitor>Enhanced Switching>Spanning Tree in the J-Web interface or enter the following CLI commands:

Table 188 summarizes the Spanning Tree output fields.

Table 188: Summary of Spanning Tree Output Fields

Field

Values

Additional Information

Spanning Tree Bridge Parameters

Context ID

An internally generated identifier.

 

Enabled Protocol

Spanning tree protocol type enabled.

 

Root ID

Bridge ID of the elected spanning tree root bridge.

The bridge ID consists of a configurable bridge priority and the MAC address of the bridge.

Bridge ID

Locally configured bridge ID.

 

Inter instance ID

An internally generated instance identifier.

 

Maximum age

Maximum age of received bridge protocol data units (BPDUs).

 

Number of topology changes

Total number of STP topology changes detected since the switch last booted.

 
Interface List

Interface Name

Interface configured to participate in the STP instance.

 

Port ID

Logical interface identifier configured to participate in the STP instance.

 

Designated Port ID

Port ID of the designated port for the LAN segment to which the interface is attached.

 

Port Cost

Configured cost for the interface.

 

State

STP port state. Forwarding (FWD), blocking (BLK), listening, learning, or disabled.

 

Role

MSTP or RSTP port role. Designated (DESG), backup (BKUP), alternate (ALT), or root.
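
How the Root ID and Bridge ID fields above are compared can be shown with a short worked example. This is added code, not part of JUNOS or of this page: the switch names, priorities and MAC addresses are constructed, and the "priority.mac" rendering is an assumption about how the two parts are shown together.

```python
"""Added example: comparing the Bridge ID and Root ID fields of Table 188.

Not JUNOS code. Per IEEE 802.1D-2004/802.1Q the 64-bit bridge ID is a
16-bit priority field (a 4-bit configurable priority in steps of 4096 plus
a 12-bit system ID extension, 0 here) followed by the bridge's 48-bit MAC.
The bridge with the numerically lowest ID is elected root, so priority
decides first and the MAC address breaks ties. The sample switches and
their MAC addresses are made up.
"""
import re
from typing import Iterable, Tuple

Bridge = Tuple[str, int, str]  # (name, priority, mac)


def parse_mac(mac: str) -> int:
    """Accept 00:1f:12:34:56:78, 00-1f-..., or 001f.1234.5678 forms."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def bridge_id(priority: int, mac: str, system_id_ext: int = 0) -> int:
    """Build the 64-bit bridge ID. priority must be a multiple of 4096
    between 0 and 61440; system_id_ext must fit in 12 bits."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    if not 0 <= system_id_ext < 4096:
        raise ValueError("system ID extension must fit in 12 bits")
    return ((priority + system_id_ext) << 48) | parse_mac(mac)


def format_bridge_id(bid: int) -> str:
    """Render as 'priority.mac' with a colon-separated MAC (assumed
    rendering of the two parts the table describes)."""
    prio = bid >> 48
    mac_hex = f"{bid & ((1 << 48) - 1):012x}"
    mac = ":".join(mac_hex[i:i + 2] for i in range(0, 12, 2))
    return f"{prio}.{mac}"


def elect_root(bridges: Iterable[Bridge]) -> Tuple[str, int]:
    """Return (name, bridge_id) of the bridge with the lowest ID."""
    candidates = [(name, bridge_id(prio, mac)) for name, prio, mac in bridges]
    if not candidates:
        raise ValueError("no bridges")
    return min(candidates, key=lambda c: c[1])


# Constructed sample: three switches at the default priority 32768 and one
# rogue bridge (an attacker sending BPDUs with priority 0).
SWITCHES = [
    ("sw1", 32768, "00:1f:12:34:56:78"),
    ("sw2", 32768, "00:1f:12:00:00:01"),
    ("sw3", 32768, "00:aa:bb:cc:dd:ee"),
]
ROGUE = ("rogue", 0, "00:de:ad:be:ef:01")


def sample_election() -> Tuple[str, str]:
    """Root name without and with the rogue bridge present."""
    without = elect_root(SWITCHES)[0]
    with_rogue = elect_root(SWITCHES + [ROGUE])[0]
    return without, with_rogue


if __name__ == "__main__":
    for name, prio, mac in SWITCHES + [ROGUE]:
        print(f"{name:6} {format_bridge_id(bridge_id(prio, mac))}")
    print("root without rogue:", sample_election()[0])
    print("root with rogue:   ", sample_election()[1])
```

With every switch at the default priority 32768, sw2 wins because it has the lowest MAC address. A rogue bridge advertising priority 0 becomes root regardless of its MAC, which is why an unexpected change in the Root ID field is worth investigating.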

 

Monitoring GVRP

To view information about global GVRP configuration, select Monitor>Enhanced Switching>GVRP in the J-Web interface or enter the following CLI commands:

Table 189 summarizes the GVRP output fields.

Table 189: Summary of GVRP Output Fields

Field

Values

Additional Information

GVRP

Global GVRP Configuration

List of global GVRP configuration statistics such as:

  • GVRP status—Displays whether GVRP is enabled or disabled.
  • Join—The number of milliseconds the interfaces must wait before sending VLAN advertisements.
  • Leave—The number of milliseconds an interface must wait after receiving a Leave message to remove the interface from the VLAN specified in the message.
  • Leave All—The interval in milliseconds at which Leave All messages are sent on interfaces. Leave All messages maintain current GVRP VLAN membership information in the network.
 

Interfaces

List of interface-based configuration statistics:

  • Interface Name—The interface on which GVRP is configured.
  • Protocol Status—Displays whether GVRP is enabled or disabled.
 

Monitoring Dot1X

To view information about 802.1X properties, select Monitor>Enhanced Switching>Dot1X in the J-Web interface or enter the following CLI commands:

Table 190 summarizes the Dot1X output fields.

Table 190: Summary of Dot1X Output Fields

Field

Values

Additional Information

Select Port

List of ports for selection.

 

Number of connected hosts

Total number of hosts connected to the port.

 

Number of authentication bypassed hosts

Total number of hosts on the port that bypassed authentication.

 
Authenticated Users Summary

MAC Address

MAC address of the connected host.

 

User Name

Name of the user.

 

Status

Authentication state of the host connection.

 

Authentication Due

Time remaining until the host must reauthenticate.

 
Authentication Failed Users Summary

MAC Address

MAC address of the authentication-failed host.

 

User Name

Name of the authentication-failed user.

 

Monitoring IGMP Snooping

To view information about the IGMP snooping parameters, select Monitor>Enhanced Switching>IGMP-Snooping in the J-Web interface or enter the following CLI commands:

Table 191 summarizes the IGMP Snooping output fields.

Table 191: Summary of IGMP Snooping Output Fields

Field

Values

Additional Information

VLAN

The VLAN for which IGMP snooping is enabled.

 

Interfaces

Indicates the number of interfaces in the VLAN.

 

Groups

Indicates the multicast groups learned by the VLAN.

 

MRouters

Indicates the MRouters learned by the VLAN.

 

Receivers

Specifies the multicast receiver.

 

Group

Indicates the multicast groups learned by the VLAN.

 

Next-Hop

The next hop assigned by the switch after performing the route lookup.

 

Monitoring Ethernet Switching

To view information about the Ethernet Switching interface details, select Monitor>Enhanced Switching>Ethernet Switching in the J-Web interface or enter the following CLI command:

Table 192 summarizes the Ethernet Switching output fields.

Table 192: Summary of Ethernet Switching Output Fields

Field

Values

Additional Information

VLAN

The VLAN for which Ethernet Switching is enabled.

 

MAC Address

The MAC address associated with the VLAN. If a VLAN range has been configured for a VLAN, the output displays the MAC addresses for the entire series of VLANs that were created with that name.

 

Type

The type of MAC address. Values are:

  • static—The MAC address is manually created.
  • learn—The MAC address is learned dynamically from a packet's source MAC address.
  • flood—The MAC address is unknown and flooded to all members.
 

Age

The time remaining before the entry ages out and is removed from the Ethernet switching table.

 

Interfaces

Interface associated with learned MAC addresses or All-members (flood entry).

 

VLAN-ID

The VLAN ID.

 

MAC Address

The learned MAC address.

 

Time

Timestamp when the MAC address was added to or deleted from the Ethernet switching table.

 

State

Whether the entry was added to or deleted from the Ethernet switching table.

 

Monitoring IDP

IDP monitoring pages allow you to display detailed information about the IDP status, memory, counters, policy rulebase statistics, and attack table statistics.

This topic contains:

Monitoring IDP Status

To view Intrusion Detection and Prevention (IDP) table information, select Monitor > IDP> Status in the J-Web interface, or enter the following CLI command:

Table 193 summarizes key output fields in the IDP display.

Table 193: Summary of IDP Status Output Fields

Field

Values

Additional Information

IDP Status  

Status of IDP

Displays the status of the current IDP policy.

 

Up Since

Displays the time from when the IDP policy first began running on the system.

 

Packets/Second

Displays the number of packets received and returned per second.

 

Peak

Displays the maximum number of packets received per second and the time when the maximum was reached.

 

Kbits/Second

Displays the aggregated throughput (kilobits per second) for the system.

 

Peak Kbits

Displays the maximum kilobits per second and the time when the maximum was reached.

 

Latency (Microseconds)

Displays the delay, in microseconds, between a node receiving a packet and returning it.

 

Current Policy

Displays the name of the current installed IDP policy.

 
IDP Memory Statistics

Displays the status of all IDP data plane memory.

 

PIC Name

Displays the name of the PIC.

 

Total IDP Data Plane Memory (MB)

Displays the total memory space, in megabytes, allocated for the IDP data plane.

 

Used (MB)

Displays the used memory space, in megabytes, for the data plane.

 

Available (MB)

Displays the available memory space, in megabytes, for the data plane.

 

Verifying Antivirus Scan Results using J-Web

View antivirus scan results using J-web as follows:

  1. Select the Monitor tab at the top of the page.
  2. Select UTM in the left pane, under Quick Configuration, to expand the UTM category. Once UTM is expanded, Anti-Virus, Web Filtering, Anti-Spam, Content Filtering, and Custom Objects become available.
  3. Select Anti-Virus in the left pane.
  4. The following information becomes viewable in the right pane.

    Antivirus license key status

    • View license expiration dates.

    Antivirus pattern update server settings

    • View update URL (HTTP or HTTPS-based).
    • View update interval.

    Antivirus pattern database status

    • View auto update status.
    • View last result of database loading.
    • If the download completes, view the database version, timestamp, and number of virus records.
    • If the download fails, view failure reason.

    Antivirus statistics provide

    • The number of scan requests that were pre-screened.
    • The total number of scan requests forwarded to the engine.
    • The number of scan requests using scan-all mode.
    • The number of scan requests using scan-by-extension mode.

    Scan code counters provide

    • Number of clean files.
    • Number of infected files.
    • Number of password protected files.
    • Number of decompress layers.
    • Number of corrupt files.
    • When the engine is out of resources.
    • When there is an internal error.

    Fallback applied status provides either a log-and-permit or block result when one of the following occurs

    • Scan engine not ready.
    • Password protected file found.
    • Decompress layer too large.
    • Corrupt file found.
    • Out of resources.
    • Timeout occurred.
    • Maximum content size reached.
    • Too many requests.
    • Other.
  5. You can click the Clear Anti-Virus Statistics button to clear all current viewable statistics and begin collecting new statistics.

Using J-Web to Monitor Web Filtering

View web filtering statistics using J-web as follows:

  1. Select the Monitor tab at the top of the page.
  2. Select UTM in the left pane, under Quick Configuration, to expand the UTM category. Once UTM is expanded, Anti-Virus, Web Filtering, Anti-Spam, Content Filtering, and Custom Objects become available.
  3. Select Web Filtering in the left pane.
  4. The following information becomes viewable in the right pane.
    White list hit: #
    Black list hit: #
    Queries to server: #
    Server reply permit: #
    Server reply block: #
    Custom category permit: #
    Custom category block: #
    Cache hit permit: #
    Cache hit block: #
    Web-filtering sessions in total: #
    Web-filtering sessions in use: #
    Fall back:           log-and-permit   block
      Default                 #             #
      Timeout                 #             #
      Connectivity            #             #
      Too-many-requests       #             #
  5. You can click the Clear Web Filtering STAT button to clear all current viewable statistics and begin collecting new statistics.

Using J-Web for Antispam Monitoring

View antispam statistics using J-web as follows:

  1. Select the Monitor tab at the top of the page.
  2. Select UTM in the left pane, under Quick Configuration, to expand the UTM category. Once UTM is expanded, Anti-Virus, Web Filtering, Anti-Spam, Content Filtering, and Custom Objects become available.
  3. Select Anti-Spam in the left pane.
  4. The following information becomes viewable in the right pane.
    user@host> show security utm anti-spam status
    SBL Whitelist Server:
    SBL Blacklist Server: server.juniper.net
    DNS Server:
      Primary  : 1.2.3.4, Src Interface: ge-0/0/0
      Secondary: 2.3.4.5, Src Interface: ge-0/0/1
      Ternary  : 0.0.0.0, Src Interface: fe-0/0/2
    Total connections: #
    Denied connections: #
    Total greetings: #
    Denied greetings: #
    Total e-mail scanned: #
    Spam total: #
    Spam tagged: #
    Spam dropped: #
    DNS errors: #
    Timeout errors: #
    Return errors: #
    Invalid parameter errors: #
    Statistics start time:
    Statistics for the last 10 days.
  5. You can click the Clear Antispam statistics button to clear all current viewable statistics and begin collecting new statistics.
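
The counters on the Web Filtering and Anti-Spam pages are most useful once a few ratios are derived from them, and the same "Name: value" parser serves both displays. The following is an added example, not JUNOS code or anything from the original page: the two sample outputs and every number in them are constructed, and the 2% lookup-error threshold is an assumption rather than a Juniper recommendation.

```python
"""Added example: reading the UTM counters shown on the Web Filtering and
Anti-Spam monitoring pages. Not JUNOS code; it parses the "Name: value"
lines as they appear in the display and derives a few ratios. The sample
outputs and every number in them are constructed, and the 2% lookup-error
threshold is an assumption, not a Juniper recommendation.
"""
import re
from typing import Dict, Tuple

Counters = Dict[str, int]
Fallback = Dict[str, Tuple[int, int]]  # name -> (log-and-permit, block)

# "White list hit: 120" -> ("white list hit", 120); lines whose value is
# not a plain integer (server names, addresses, dates) are ignored.
_COUNTER = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /-]*?)\s*:\s*(\d+)\s*$")
# Rows of the web-filtering "Fall back" block, e.g. "Timeout   9   0"
_FALLBACK = re.compile(
    r"^\s*(Default|Timeout|Connectivity|Too-many-requests)\s+(\d+)\s+(\d+)\s*$")


def parse_counters(text: str) -> Tuple[Counters, Fallback]:
    counters: Counters = {}
    fallback: Fallback = {}
    for line in text.splitlines():
        m = _COUNTER.match(line)
        if m:
            counters[m.group(1).lower()] = int(m.group(2))
            continue
        m = _FALLBACK.match(line)
        if m:
            fallback[m.group(1).lower()] = (int(m.group(2)), int(m.group(3)))
    return counters, fallback


def web_filtering_summary(text: str) -> dict:
    c, fb = parse_counters(text)
    blocks = (c["black list hit"] + c["server reply block"]
              + c["custom category block"] + c["cache hit block"])
    permits = (c["white list hit"] + c["server reply permit"]
               + c["custom category permit"] + c["cache hit permit"])
    cache_hits = c["cache hit permit"] + c["cache hit block"]
    lookups = c["queries to server"] + cache_hits
    return {
        "block_ratio": blocks / (blocks + permits) if blocks + permits else 0.0,
        "cache_hit_ratio": cache_hits / lookups if lookups else 0.0,
        # decided without a category verdict because the server did not answer
        "fallback_log_and_permit": float(sum(p for p, _ in fb.values())),
        "fallback_block": float(sum(b for _, b in fb.values())),
    }


def antispam_summary(text: str, max_error_ratio: float = 0.02) -> dict:
    c, _ = parse_counters(text)
    scanned = c["total e-mail scanned"]
    errors = (c["dns errors"] + c["timeout errors"]
              + c["return errors"] + c["invalid parameter errors"])
    error_ratio = errors / scanned if scanned else 0.0
    return {
        "spam_ratio": c["spam total"] / scanned if scanned else 0.0,
        "lookup_error_ratio": error_ratio,
        # failing SBL lookups mean mail passes with no reputation check
        "sbl_degraded": error_ratio > max_error_ratio,
    }


# Constructed sample of the Web Filtering page (numbers are made up).
WEB_FILTERING_SAMPLE = """\
White list hit: 120
Black list hit: 4
Queries to server: 860
Server reply permit: 800
Server reply block: 60
Custom category permit: 15
Custom category block: 5
Cache hit permit: 2300
Cache hit block: 70
Web-filtering sessions in total: 4000
Web-filtering sessions in use: 35
Fall back:          log-and-permit   block
  Default                  0           0
  Timeout                  9           0
  Connectivity             2           0
  Too-many-requests        0           0
"""

# Constructed sample of the Anti-Spam page (numbers are made up).
ANTISPAM_SAMPLE = """\
SBL Blacklist Server: server.juniper.net
DNS Server:
  Primary  : 1.2.3.4, Src Interface: ge-0/0/0
Total connections: 1200
Denied connections: 40
Total e-mail scanned: 5000
Spam total: 650
Spam tagged: 600
Spam dropped: 50
DNS errors: 120
Timeout errors: 30
Return errors: 0
Invalid parameter errors: 0
Statistics for the last 10 days.
"""

if __name__ == "__main__":
    print(web_filtering_summary(WEB_FILTERING_SAMPLE))
    print(antispam_summary(ANTISPAM_SAMPLE))
```

The fallback rows are the requests decided without a category verdict because the server could not answer; a non-zero log-and-permit column means uncategorised traffic was let through. For anti-spam, the error counters matter more than the spam counters: while SBL lookups are failing, messages pass with no reputation check at all.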

Using J-Web to Monitor Content Filtering

View content filtering statistics using J-web as follows:

  1. Select the Monitor tab at the top of the page
  2. Select UTM in the left pane, under Quick Configuration, to expand the UTM category. Once UTM is expanded, Anti-Virus, Web Filtering, Anti-Spam, Content Filtering, and Custom Objects become available.
  3. Select Content Filtering in the left pane.
  4. The following statistics become viewable in the right pane.
    Base on command list:    # Passed  # Blocked
    Base on mime list:       # Passed  # Blocked
    Base on extension list:  # Passed  # Blocked
    ActiveX plugin:          # Passed  # Blocked
    Java applet:             # Passed  # Blocked
    EXE files:               # Passed  # Blocked
    ZIP files:               # Passed  # Blocked
    HTTP cookie:             # Passed  # Blocked
  5. You can click the Clear Content filtering statistics button to clear all current viewable statistics and begin collecting new statistics.