show security ipsec inactive-tunnels

Syntax

Description

Display information about inactive IPsec tunnels.

Options

  • none—Display information about all inactive tunnels.

  • brief | detail—(Optional) Display the specified level of output.

  • family—(Optional) Display the inactive tunnel by family. This option is used to filter the output.

    • inet—IPv4 address family.

    • inet6—IPv6 address family.

  • fpc slot-number—(Optional) Display information about inactive tunnels in the Flexible PIC Concentrator (FPC) slot.

  • index index-number—(Optional) Display detailed information about the specified inactive tunnel identified by this index number. For a list of all inactive tunnels with their index numbers, use the command with no options.

  • kmd-instance (all | kmd-instance-name)—(Optional) Display information about inactive tunnels in the key management process (KMD) instance identified by FPC slot-number and PIC slot-number.

    • all—All KMD instances running on the Services Processing Unit (SPU).

    • kmd-instance-name—Name of the KMD instance running on the SPU.

  • node-local—(Optional) Display information about inactive tunnels for node-local tunnels in a Multinode High Availability setup.

  • pic slot-number—Display information about inactive tunnels in the PIC slot.

  • sa-type shortcut—(Optional) Display information about inactive tunnels of type shortcut. Applies to ADVPN.

  • vpn-name vpn-name—(Optional) Name of the VPN.

  • srg-id id-number—(Optional) Display information related to a specific services redundancy group (SRG) in a Multinode High Availability setup.

The fpc slot-number, kmd-instance (all | kmd-instance-name), and pic slot-number parameters apply to SRX5600 and SRX5800 devices only.

Required Privilege Level

view

Output Fields

Table 1 lists the output fields for the show security ipsec inactive-tunnels command. Output fields are listed in the approximate order in which they appear.

Table 1: show security ipsec inactive-tunnels Output Fields

Field Name

Field Description

Total inactive tunnels

Total number of inactive IPsec tunnels.

Total inactive tunnels which establish immediately

Total number of inactive IPsec tunnels that can establish a session immediately.

ID

Identification number of the inactive tunnel. You can use this number to get more information about the inactive tunnel.

Gateway

IP address of the remote gateway.

Port

If Network Address Translation (NAT) is used, this value is 4500. Otherwise, it is the standard IKE port, 500.

Def-Del#

Number of deferred deletions of a dial-up IPsec VPN.

Virtual system

Virtual system to which the VPN belongs.

VPN name

Name of the IPsec VPN.

Local gateway

Gateway address of the local system.

Remote gateway

Gateway address of the remote system.

Traffic Selector Name

For IPsec running the KMD process:

  • Displays the name only when a traffic selector is configured.

  • Displays nothing when no traffic selector is configured.

For IPsec running the IKED-NG process, by default:

  • Displays the name when a traffic selector is configured.

  • Displays the name as default_proxyid when a proxy-identity is configured.

  • Displays the name as default_any_any when no traffic selector is configured.

See show security ipsec inactive-tunnels detail for more details.

Local identity

Identity of the local peer so that its partner destination gateway can communicate with it. The value is specified as an IP address, fully qualified domain name, e-mail address, or distinguished name (DN).

Displays the proxy-identity when one is configured, for IPsec running either the KMD or the IKED-NG process.

Displays 0.0.0.0 when no proxy-identity is configured.

See show security ipsec inactive-tunnels detail for more details.

Remote identity

Identity of the destination peer gateway. The value is specified as an IP address, fully qualified domain name, e-mail address, or distinguished name (DN).

Displays the proxy-identity when one is configured, for IPsec running either the KMD or the IKED-NG process.

Displays 0.0.0.0 when no proxy-identity is configured.

See show security ipsec inactive-tunnels detail for more details.

Version

Version of IKE.

Passive Mode Tunneling

Passive mode tunneling (IPsec tunneling of malformed packets): enabled if the option is set, disabled if it is not set.

DF-bit

State of the don't fragment bit: set or clear.

Bind-interface

The tunnel interface to which the route-based VPN is bound.

Policy-name

Name of the applicable policy.

Tunnel Down Reason

Reason for which the tunnel is inactive.

Tunnel events

Tunnel event and the number of times the event has occurred. See Tunnel Events for descriptions of tunnel events and the action you can take.
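As an added example (not part of this Juniper page), a small Python parser for the brief output of the command, keyed to the output fields listed above (ID, Port, Gateway, Tunnel Down Reason and the two totals). The column layout and the sample text are constructed assumptions, not a capture from a device; the Port rule (4500 when NAT is in use, otherwise 500) follows the field description.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the column layout ASSUMED for the brief output.
# Field names follow the documented output fields; values are made up.
SAMPLE_OUTPUT = """\
Total inactive tunnels: 3
Total inactive tunnels which establish immediately: 1
  ID      Port  Gateway         Tunnel Down Reason
  131073  500   192.0.2.10      SA cleared via CLI
  131074  4500  198.51.100.7    IKE SA delete received
  131075  500   203.0.113.22    SA cleared via CLI
"""

_TOTAL_RE = re.compile(
    r"^Total inactive tunnels(?P<imm> which establish immediately)?:\s*(?P<n>\d+)")
_ROW_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<port>\d+)\s+(?P<gw>\S+)\s+(?P<reason>.+?)\s*$")


@dataclass
class InactiveTunnel:
    tunnel_id: int      # "ID": usable with the index option for detail
    port: int           # 500, or 4500 when NAT is in use
    gateway: str        # remote gateway address
    down_reason: str    # "Tunnel Down Reason"

    @property
    def nat_traversal(self) -> bool:
        return self.port == 4500


def parse_inactive_tunnels(text: str):
    """Return (totals, tunnels); totals has keys 'total' and 'immediate'."""
    totals, tunnels = {}, []
    for line in text.splitlines():
        m = _TOTAL_RE.match(line)
        if m:
            totals["immediate" if m.group("imm") else "total"] = int(m.group("n"))
            continue
        m = _ROW_RE.match(line)      # header row starts with "ID", so it is skipped
        if m:
            tunnels.append(InactiveTunnel(int(m.group("id")), int(m.group("port")),
                                          m.group("gw"), m.group("reason")))
    if "total" in totals and totals["total"] != len(tunnels):
        raise ValueError(f"header reports {totals['total']} tunnels, parsed {len(tunnels)}")
    return totals, tunnels


def down_reason_counts(tunnels) -> dict:
    """Count inactive tunnels per down reason, to spot a shared cause."""
    return dict(Counter(t.down_reason for t in tunnels))
```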

Sample Output

show security ipsec inactive-tunnels

show security ipsec inactive-tunnels detail

For IPsec running the KMD process, when neither proxy-identity nor traffic-selector is configured.

For IPsec running the KMD process, when proxy-identity is configured.

For IPsec running the KMD process, when traffic-selector is configured.

For IPsec running the IKED-NG process, when traffic-selector is configured.

For IPsec running the IKED-NG process, when traffic-selector is not configured.

For IPsec running the IKED-NG process, when proxy-identity is configured.

show security ipsec inactive-tunnels index 131073

show security ipsec inactive-tunnels sa-type shortcut

show security ipsec inactive-tunnels with passive mode tunneling

show security ipsec inactive-tunnels node-local

Release Information

Command introduced in Junos OS Release 11.4R3.

Support for the passive-mode-tunneling option on MX-SPC3 is introduced in Junos OS Release 23.1R1.

Support for the node-local option is added in Junos OS Release 23.2R1.