Monitoring IPSec Tunnel Profiles
This section contains information about troubleshooting and monitoring dynamic IPSec subscribers.
System Event Logs
To troubleshoot and monitor dynamic IPSec subscribers, use the following system event logs:
- ipsecIdDb: IPsec ID database
- ipsecXcfgSM: IPsec Xauth/ModeCfg state machine
- ipsecP1Throttler: Ongoing Phase 1 negotiations
For more information about using event logs, see the JUNOSe System Event Logging Reference Guide.
show Commands
To display user information for dynamic IPSec tunnel profiles or subscribers, use the following show commands.
show ipsec tunnel profile
- Use to display information about all existing IPSec tunnel profiles or a specified tunnel profile.
- Use the detail keyword to display detailed information about the tunnel profile.
- Example 1
host1#show ipsec tunnel profile
IPsec tunnel profile ipsec-spg is active with no subscriber
1 IPsec tunnel profile found
- Example 2
host1#show ipsec tunnel profile detail ipsec-spg
IPsec tunnel profile ipsec-spg is active with no subscriber
Extended-authentication: pap, no re-authentication
Peer IP characteristics configuration: enabled
Virtual router: default
Local IP address: 10.227.5.31
Local IKE identity: 10.227.5.31
Peer IKE identity:
  IP network: not allowed
  username: *
  domain-name: spg.juniper.net
  DN: not allowed
Maximum subscribers: no limit
Domain suffix: @spg
IP profile: ip-spg
Local IPsec identity: subnet 0.0.0.0 0.0.0.0, proto 0, port 0
Peer IPsec identity: invalid identity
Lifetime: between 1800 and 7200 seconds, and between 100000 and 500000 KB
Reachable networks: none
PFS not configured
Transforms:, tunnel-esp-3des-sha1
Subscribers rejected due to maximum subscribers limit: 0
Completed sessions: 43, totaling 4873 seconds, statistics:
ipsec stats:
  outbound:
    outboundUserPacketsReceived = 88
    outboundUserOctetsReceived = 74544
    outboundAccPacketsReceived = 88
    outboundAccOctetsReceived = 79168
    outboundOtherTxErrors = 0
    outboundPolicyErrors = 0
  inbound:
    inboundUserPacketsReceived = 88
    inboundUserOctetsReceived = 74880
    inboundAccPacketsReceived = 88
    inboundAccOctetsReceived = 79488
    inboundAuthenticationErrors= 0
    inboundReplayErrors = 0
    inboundPolicyErrors = 0
    inboundOtherRxErrors = 0
    inboundDecryptErrors = 0
    inboundPadErrors = 0
show subscribers
- User Name: Name of the subscriber
- Type: Type of subscriber: atm, ip, ipsec, ppp, tnl (tunnel), tst (test)
- Addr | Endpt: IP or IPv6 address and source of the address: l2tp, local, dhcp, radius, user. For local, dhcp, radius, and user endpoints, the address is that of the user. When the endpoint is l2tp, the address is that of the LNS.
- Virtual Router: Name of the virtual router context
- Interface: Interface specifier over which the subscriber is connected
- Login Time: Date, in YY/MM/DD format, and time the subscriber logged in
- Circuit Id: User's circuit ID value specified by PPPoE
- Remote Id: User's remote ID value specified by PPPoE
host1#show subscribers
                        Subscriber List
                        ----------------
                                                   Virtual
User Name               Type  Addr|Endpt           Router
----------------------- ----- -------------------- ------------
xcfgUser1@vpn1          ipsec 10.227.5.106/local   vpn1

User Name               Interface
----------------------- --------------------------------
xcfgUser1@vpn1          FastEthernet 5/2.4

User Name               Login Time          Circuit Id
----------------------- ------------------- -------------------
xcfgUser1@vpn1          06/05/12 10:58:42   0.4.1.10.fe.25.3b.0

User Name               Remote Id
----------------------- ----------------
xcfgUser1@vpn1          (800) 555-1212
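
For routine monitoring, the error counters in the show ipsec tunnel profile detail output (Example 2) can be checked by script. The following Python is an added example, not Juniper code: it parses captured detail output and returns the error counters that are above zero. The function names, the choice to treat any counter whose name ends in Errors as worth a look, and the sample text (an excerpt in the Example 2 layout with two counters changed to nonzero values) are assumptions made for illustration.

```python
import re

# Constructed sample: an excerpt in the layout of Example 2, with two
# counters changed to nonzero values to exercise the check.
SAMPLE = """\
host1#show ipsec tunnel profile detail ipsec-spg
IPsec tunnel profile ipsec-spg is active with no subscriber
Maximum subscribers: no limit
Subscribers rejected due to maximum subscribers limit: 0
Completed sessions: 43, totaling 4873 seconds, statistics:
ipsec stats:
outbound:
outboundUserPacketsReceived = 88
outboundOtherTxErrors = 0
outboundPolicyErrors = 0
inbound:
inboundUserPacketsReceived = 88
inboundAuthenticationErrors= 3
inboundReplayErrors = 0
inboundDecryptErrors = 12
inboundPadErrors = 0
"""

COUNTER = re.compile(r"^\s*(\w+)\s*=\s*(\d+)\s*$")   # "name = 88" or "name= 0"
FIELD = re.compile(r"^\s*([^:=]+):\s*(.*)$")          # "Key: value"
PROFILE = re.compile(r"^IPsec tunnel profile (\S+) is (.+)$")


def parse_profile_detail(text):
    """Split detail output into profile name, status, fields and counters."""
    out = {"name": None, "status": None, "fields": {}, "counters": {}}
    for line in text.splitlines():
        if (m := PROFILE.match(line)):
            out["name"], out["status"] = m.group(1), m.group(2)
        elif (m := COUNTER.match(line)):
            out["counters"][m.group(1)] = int(m.group(2))
        elif (m := FIELD.match(line)):
            out["fields"][m.group(1).strip()] = m.group(2).strip()
    return out


def nonzero_errors(parsed):
    """Return the counters whose names end in 'Errors' and are above zero."""
    return {k: v for k, v in parsed["counters"].items()
            if k.endswith("Errors") and v > 0}
```

Because the counters in this output are totals, comparing two captures taken some time apart shows whether an error count is still rising.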