
    show services ipsec-vpn ike statistics

    Syntax

    show services ipsec-vpn ike statistics
    <peer-address>
    routing-instance

    Release Information

    Command introduced in Junos OS Release 12.3

    Description

    Display IKE statistics for the specified security association (IKE peer) and local gateway routing instance.

    Options

    <peer-address>: Name of security association.
    routing-instance: Name of the local-gateway routing-instance.

    Required Privilege Level

    view

    List of Sample Output

    show services ipsec-vpn ike statistics
    show services ipsec-vpn ike statistics (on ACX500 Routers)

    Output Fields

    The table below lists the output fields for the show services ipsec-vpn ike statistics command. Output fields are listed in the approximate order in which they appear.

    Field Name

    Field Description

    Level of Output

    IKE peer

    Remote end of the IKE negotiation.

    detail

    Initiator cookie

    When the IKE negotiation is triggered, a random number is sent to the remote node.

    All levels

    Responder cookie

    The remote node generates its own random number and sends it back to the initiator as a verification that the packets were received.

    Of the numerous security services available, protection against denial of service (DoS) is one of the most difficult to address. A “cookie” or anti-clogging token (ACT) is aimed at protecting the computing resources from attack without spending excessive CPU resources to determine the cookie's authenticity. An exchange prior to CPU-intensive public key operations can thwart some DoS attempts (such as simple flooding with invalid IP source addresses).

    All levels

    Local

    Prefix and port number of the local end.

    detail

    Remote

    Prefix and port number of the remote end.

    detail

    IPsec security associations

    Number of IPsec SAs created and deleted with this IKE security association.

    detail

    IPsec tunnel rekeys

    When an IPsec SA is about to expire, a new IPsec SA needs to be negotiated. Every time this happens for this IKE SA, this counter is incremented.

    The “IPsec tunnel rekeys” value is the total number of times rekeying occurred for existing IPsec SAs.

    detail

    Traffic statistics

    Number of bytes and packets received and transmitted on the IKE SA (security association).

    • Input bytes, Output bytes—Number of bytes received and transmitted.
    • Input packets, Output packets—Number of packets received and transmitted.

    detail

    Delete IPsec SA payload statistics

    When an IPsec SA is no longer needed, the system initiates an IKE SA deletion process.

    • Delete IPsec SA payloads received—Number of times this peer has received delete requests.
    • Delete IPsec SA payloads sent—Number of times this peer has sent delete requests to the other peer.

    detail

    DPD statistics

    Dead peer detection (DPD) occurs when one device sends encrypted IKE Phase 1 notification payloads (R-U-THERE messages) to a peer and waits for DPD acknowledgements (R-U-THERE-ACK messages) from the peer. The device sends the message only if it has not received any traffic from the peer during a specified DPD interval. If the device receives a response from the peer during this interval, it considers the peer alive. If not, the peer is considered dead and the device removes the Phase 1 security association (SA) and all Phase 2 SAs for that peer. Note that DPD counters are for IKEv1 only.

    • R-U-THERE notifications received—Number of notifications received from the peer.
    • R-U-THERE notifications sent—Number of notifications sent to the peer.
    • R-U-THERE ACK notifications received—Number of receipt acknowledgements received from the peer.
    • R-U-THERE ACK notifications sent—Number of receipt acknowledgements sent to the peer.
    • R-U-THERE ACK notifications missed—Number of receipt acknowledgements for which no response was received.
    • Worst case R-U-THERE ACK delay—Single longest delay time recorded during the period monitored.

    detail

    Invalid SPI notification statistics

    Typically both peers will have valid IPsec SAs installed. But if one does not, for example because the device has been rebooted, IPsec traffic sent to it will be lost (because no IPsec SAs are installed). To recover quickly, the peer with no IPsec SAs installed can send an “Invalid SPI” notification to the remote peer, which will then remove its Security Parameter Index (SPI) from the database.

    • Notifications received—Number received from the remote peer.
    • Notifications sent—Number sent to the remote peer.

    detail

    Sample Output

    show services ipsec-vpn ike statistics

    user@host> show services ipsec-vpn ike statistics
    IKE peer 11.1.0.1
       Initiator cookie: 4dd6341cd99ebcce, Responder cookie: 6765a04646f88e6f
      Local: 11.1.0.2, Remote: 11.1.0.1
      IPSec security associations: 4 created, 0 deleted
      IPSec tunnel rekeys:                                      1
      Traffic statistics:
       Input  bytes  :                                        704
       Output bytes  :                                       1232
       Input  packets:                                          5
       Output packets:                                          9
      Delete IPsec SA payload statistics :
       Delete IPsec SA payloads received:                       0
       Delete IPsec SA payloads sent:                           0
      DPD statistics:
       R-U-THERE notifications received:                        0
       R-U-THERE notifications sent:                            0
       R-U-THERE-ACK notifications received:                    0
       R-U-THERE-ACK notifications sent:                        0
       R-U-THERE-ACK notifications missed:                      0
       Worst case R-U-THERE-ACK delay:                          0 msec
      Invalid SPI notification statistics:
       Notifications received:                                  0
       Notifications sent:                                      0
     
    

    show services ipsec-vpn ike statistics (on ACX500 Routers)

    user@host> show services ipsec-vpn ike statistics
    IKE peer 192.168.10.130
      Initiator cookie: 90864887dfecb178, Responder cookie: 9a2ee2ab786f960d
      Local: 192.168.1.11, Remote: 192.168.10.130
      IPSec security associations: 16 created, 16 deleted
      IPSec tunnel rekeys: 8
      Traffic statistics:
       Input  bytes  :                                       3400
       Output bytes  :                                       3332
       Input  packets:                                         19
       Output packets:                                         19
      Delete IPsec SA payload statistics:
       Delete IPsec SA payloads received:                       8
       Delete IPsec SA payloads sent    :                       0
      DPD statistics:
       R-U-THERE notifications received    :                    0
       R-U-THERE notifications sent        :                    0
       R-U-THERE-ACK notifications received:                    0
       R-U-THERE-ACK notifications sent    :                    0
       R-U-THERE-ACK notifications missed  :                    0
       Worst case R-U-THERE-ACK delay      :                    0 msec
      Invalid SPI notification statistics:
       Notifications received:                                  0
       Notifications sent    :                                  0
    IKE peer 192.168.20.130
      Initiator cookie: 1dd17732a8c9b13a, Responder cookie: b06e5072ac7362bf
      Local: 192.168.1.12, Remote: 192.168.20.130
      IPSec security associations: 14 created, 14 deleted
      IPSec tunnel rekeys: 7
      Traffic statistics:
       Input  bytes  :                                       3024
       Output bytes  :                                       2972
       Input  packets:                                         17
       Output packets:                                         17
      Delete IPsec SA payload statistics:
       Delete IPsec SA payloads received:                       7
       Delete IPsec SA payloads sent    :                       0
      DPD statistics:
       R-U-THERE notifications received    :                    0
       R-U-THERE notifications sent        :                    0
       R-U-THERE-ACK notifications received:                    0
       R-U-THERE-ACK notifications sent    :                    0
       R-U-THERE-ACK notifications missed  :                    0
       Worst case R-U-THERE-ACK delay      :                    0 msec
      Invalid SPI notification statistics:
       Notifications received:                                  0
       Notifications sent    :                                  0 
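
Added example (not part of the Juniper documentation): a Python parser for the output layout shown in the sample output above, which flags peers with missed DPD acknowledgements or received Invalid SPI notifications, the two conditions the field descriptions associate with a dead or rebooted peer. The sample text, its addresses and counters, and the function names `parse_ike_statistics` and `flag_peers` are constructed for illustration.

```python
import re

# Constructed sample in the layout of the page's sample output; all values are invented.
SAMPLE = """\
IKE peer 192.0.2.1
  Initiator cookie: 1111111111111111, Responder cookie: 2222222222222222
  Local: 198.51.100.1, Remote: 192.0.2.1
  IPSec security associations: 4 created, 0 deleted
  IPSec tunnel rekeys:                                      1
  DPD statistics:
   R-U-THERE-ACK notifications missed  :                    3
   Worst case R-U-THERE-ACK delay      :                  950 msec
  Invalid SPI notification statistics:
   Notifications received:                                  2
   Notifications sent    :                                  0
IKE peer 192.0.2.2
  IPSec security associations: 2 created, 2 deleted
  DPD statistics:
   R-U-THERE-ACK notifications missed  :                    0
  Invalid SPI notification statistics:
   Notifications received:                                  0
"""

def parse_ike_statistics(text):
    """Return {peer: {"Section/Counter": int}} parsed from the command output."""
    peers, cur, section = {}, None, ""
    for line in text.splitlines():
        line = " ".join(line.split())  # collapse the column padding
        if m := re.match(r"IKE peer (\S+)$", line):
            cur, section = peers.setdefault(m.group(1), {}), ""
        elif cur is None:
            continue  # ignore the prompt line and anything before the first peer
        elif m := re.match(r"IPSec security associations: (\d+) created, (\d+) deleted$", line):
            cur["SAs created"], cur["SAs deleted"] = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"([^:,]+?) ?: ?(\d+)(?: msec)?$", line):
            cur[f"{section}/{m.group(1)}".lstrip("/")] = int(m.group(2))
        elif line.endswith(":"):
            section = line.rstrip(" :")  # e.g. "DPD statistics"
    return peers

def flag_peers(peers):
    """List (peer, reason) pairs for the conditions the field descriptions call out."""
    findings = []
    for peer, c in peers.items():
        if c.get("DPD statistics/R-U-THERE-ACK notifications missed", 0) > 0:
            findings.append((peer, "DPD acknowledgements missed"))
        if c.get("Invalid SPI notification statistics/Notifications received", 0) > 0:
            findings.append((peer, "Invalid SPI notifications received"))
    return findings
```

Cookie and address lines are deliberately skipped by the counter pattern, so only integer counters end up in the per-peer dictionary.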
    

    Modified: 2017-10-11