Monitoring IPSec Tunnel Profiles

This section contains information about troubleshooting and monitoring dynamic IPSec subscribers.

System Event Logs

To troubleshoot and monitor dynamic IPSec subscribers, use the following system event log:

• ipsecIdDb—IPsec ID database
• ipsecXcfgSM—IPsec Xauth/ModeCfg state machine
• ipsecP1Throttler—Ongoing Phase 1 negotiations

For more information about using event logs, see the JUNOSe System Event Logging Reference Guide.

show Commands

To display user information for dynamic IPSec tunnel profiles or subscribers, use the following show commands.

show ipsec tunnel profile

• Use to display information about all existing IPSec tunnel profiles or a specified tunnel profile.
• Use the detail keyword to display detailed information about the tunnel profile.
• Example 1

  host1#show ipsec tunnel profile
  IPsec tunnel profile ipsec-spg is active with no subscriber
  1 IPsec tunnel profile found

• Example 2

  host1#show ipsec tunnel profile detail ipsec-spg
  IPsec tunnel profile ipsec-spg is active with no subscriber
    Extended-authentication: pap, no re-authentication
    Peer IP characteristics configuration: enabled
    Virtual router: default
    Local IP address: 10.227.5.31
    Local IKE identity: 10.227.5.31
    Peer  IKE identity: IP network: not allowed
                        username: *
                        domain-name: spg.juniper.net
                        DN: not allowed
    Maximum subscribers: no limit
    Domain suffix: @spg
    IP profile: ip-spg
    Local IPsec identity: subnet 0.0.0.0 0.0.0.0, proto 0, port 0
    Peer IPsec identity: invalid identity
    Lifetime: between 1800 and 7200 seconds, and between 100000 and 500000 KB
    Reachable networks: none
    PFS not configured
    Transforms:, tunnel-esp-3des-sha1
    Subscribers rejected due to maximum subscribers limit: 0
    Completed sessions: 43, totaling 4873 seconds, statistics:
    ipsec stats:
      outbound:
        outboundUserPacketsReceived = 88
        outboundUserOctetsReceived  = 74544
        outboundAccPacketsReceived = 88
        outboundAccOctetsReceived = 79168
        outboundOtherTxErrors = 0
        outboundPolicyErrors = 0
      inbound:
        inboundUserPacketsReceived = 88
        inboundUserOctetsReceived  = 74880
        inboundAccPacketsReceived  = 88
        inboundAccOctetsReceived   = 79488
        inboundAuthenticationErrors= 0
        inboundReplayErrors = 0
        inboundPolicyErrors = 0
        inboundOtherRxErrors = 0
        inboundDecryptErrors = 0
        inboundPadErrors = 0

• See show ipsec tunnel profile.

show subscribers

• Use to display the active subscribers on the router.
• Field descriptions
  • User Name—Name of the subscriber
  • Type—Type of subscriber: atm, ip, ipsec, ppp, tnl (tunnel), tst (test)
  • Addr | Endpt—IP or IPv6 address and source of the address: l2tp, local, dhcp, radius, user. For local, dhcp, radius, and user endpoints, the address is that of the user. When the endpoint is l2tp, the address is that of the LNS.
  • Virtual Router—Name of the virtual router context
  • Interface—Interface specifier over which the subscriber is connected
  • Login Time—Date, in YY/MM/DD format, and time the subscriber logged in
  • Circuit Id—User's circuit ID value specified by PPPoE
  • Remote Id—User's remote ID value specified by PPPoE
• Example

  host1#show subscribers
                               Subscriber List
                               ----------------
                                                             Virtual
        User Name           Type         Addr|Endpt           Router
  -----------------------   -----   --------------------   ------------
  xcfgUser1@vpn1            ipsec   10.227.5.106/local     vpn1   
        User Name                      Interface                          
  -----------------------   -------------------------------- 
  xcfgUser1@vpn1            FastEthernet 5/2.4                                      
        User Name               Login Time           Circuit Id      
  -----------------------   -------------------   ------------------- 
  xcfgUser1@vpn1            06/05/12 10:58:42     0.4.1.10.fe.25.3b.0 
       User Name               Remote Id      
  -----------------------   ----------------
  xcfgUser1@vpn1            (800) 555-1212

• See show subscribers.

Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice.