Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Monitoring IPsec Tunnel Profiles

    This topic contains information about troubleshooting and monitoring dynamic IPsec subscribers.

    System Event Logs Used to Troubleshoot and Monitor Dynamic IPsec Subscribers

    To troubleshoot and monitor dynamic IPsec subscribers, use the following system event logs:

    • ipsecIdDb—IPsec ID database
    • ipsecXcfgSM—IPsec Xauth/ModeCfg state machine
    • ipsecP1Throttler—Ongoing Phase 1 negotiations

    For more information about using event logs, see the JunosE System Event Logging Reference Guide.

    Monitoring IPsec Tunnel Profiles


    Display information about all existing IPsec tunnel profiles or a specified tunnel profile.

    Use the detail keyword to display detailed information about the tunnel profile.


    To display information about all existing IPsec tunnel profiles:

    host1#show ipsec tunnel profile
    IPsec tunnel profile ipsec-spg is active with no subscriber
    1 IPsec tunnel profile found

    To display more detailed information about the specified IPsec tunnel profile:

    host1#show ipsec tunnel profile detail ipsec-spg
    IPsec tunnel profile ipsec-spg is active with no subscriber
      Extended-authentication: pap, no re-authentication
      Peer IP characteristics configuration: enabled
      Virtual router: default
      Local IP address:
      Local IKE identity:
      Peer  IKE identity: IP network: not allowed
                          username: *
                          DN: not allowed
      Maximum subscribers: no limit
      Domain suffix: @spg
      IP profile: ip-spg
      Local IPsec identity: subnet, proto 0, port 0
      Peer IPsec identity: invalid identity
      Lifetime: between 1800 and 7200 seconds, and between 100000 and 500000 KB
      Reachable networks: none
      PFS not configured
      Transforms:, tunnel-esp-3des-sha1
      Subscribers rejected due to maximum subscribers limit: 0
      Completed sessions: 43, totaling 4873 seconds, statistics:
      ipsec stats:
          outboundUserPacketsReceived = 88
          outboundUserOctetsReceived  = 74544
          outboundAccPacketsReceived = 88
          outboundAccOctetsReceived = 79168
          outboundOtherTxErrors = 0
          outboundPolicyErrors = 0
          inboundUserPacketsReceived = 88
          inboundUserOctetsReceived  = 74880
          inboundAccPacketsReceived  = 88
          inboundAccOctetsReceived   = 79488
          inboundAuthenticationErrors= 0
          inboundReplayErrors = 0
          inboundPolicyErrors = 0
          inboundOtherRxErrors = 0
          inboundDecryptErrors = 0
          inboundPadErrors = 0


    Table 1 lists the show ipsec tunnel profile command output fields.

    Table 1: show ipsec tunnel profile Output Fields

    Field Name

    Field Description


    Configured extended user authentication protocol

    Peer IP characteristics configuration

    Peer IP characteristics configuration status

    Virtual router

    Name of the virtual router context

    Local IP address

    Local IP address on the specified virtual router

    Local IKE identity

    Configured local IKE identity

    Peer IKE identity

    Configured peer IKE identity

    Maximum subscribers

    Maximum number of subscribers allowed on the profile

    Domain suffix

    Domain suffix appended to any usernames on the profile

    IP Profile

    IP profile that is passed from the IPsec layer to the IP layer

    Local IPsec identity

    Local identity used for IPsec security association negotiations

    Peer IPsec identity

    Peer identity used for IPsec security association negotiations


    Configured lifetime parameters

    Reachable networks

    Reachable networks on the VPN

    PFS not configured

    Perfect forward secrecy configuration status


    IPsec transforms that IPsec SA negotiations use

    Subscribers rejected due to maximum subscribers limit

    Subscribers rejected because of the configured limit of maximum number of subscribers on profile

    Completed sessions

    Number of successful subscriber sessions

    ipsec stats

    Inbound and Outbound IPsec statistics

    Monitoring Active Subscribers


    Display active subscribers on the router.


    To display information about all active subscribers on the router:

    host1#show subscribers
                                 Subscriber List
          User Name           Type         Addr|Endpt           Router
    -----------------------   -----   --------------------   ------------
    xcfgUser1@vpn1            ipsec     vpn1   
          User Name                      Interface                          
    -----------------------   -------------------------------- 
    xcfgUser1@vpn1            FastEthernet 5/2.4                                      
          User Name               Login Time           Circuit Id      
    -----------------------   -------------------   ------------------- 
    xcfgUser1@vpn1            06/05/12 10:58:42 
         User Name               Remote Id      
    -----------------------   ----------------
    xcfgUser1@vpn1            (800) 555-1212


    Table 2 lists the show subscribers command output fields.

    Table 2: show subscribers Output Fields

    Field Name

    Field Description

    User Name

    Name of the subscriber

    Note: The complete username with the domain name (if available) is displayed regardless of the status of the strip domain feature on a virtual router or AAA domain map.


    Type of subscriber: atm, ip, ipsec, ppp, tnl (tunnel), tst (test)

    Addr | Endpt

    IP or IPv6 address and source of the address: l2tp, local, dhcp, radius, user. For local, dhcp, radius, and user endpoints, the address is that of the user. When the endpoint is l2tp, the address is that of the LNS.

    Virtual Router

    Name of the virtual router context


    Interface specifier over which the subscriber is connected

    Login Time

    Date, in YY/MM/DD format, and time the subscriber logged in

    Circuit Id

    User's circuit ID value specified by PPPoE

    Remote Id

    User's remote ID value specified by PPPoE

    Published: 2014-08-12