show security ipsec inactive-tunnels
Syntax
show security ipsec inactive-tunnels
brief | detail
family (inet | inet6)
fpc slot-number
index index-number
kmd-instance (all | kmd-instance-name)
pic slot-number
srg-id id-number
sa-type shortcut
vpn-name vpn-name
Description
Display information about inactive IPsec tunnels, including the reason each tunnel is down.
Options
none—Display information about all inactive tunnels.
brief | detail—(Optional) Display the specified level of output.
family—(Optional) Display inactive tunnels by address family. This option is used to filter the output.
  inet—IPv4 address family.
  inet6—IPv6 address family.
fpc slot-number—(Optional) Display information about inactive tunnels in the Flexible PIC Concentrator (FPC) slot.
index index-number—(Optional) Display detailed information about the specified inactive tunnel identified by this index number. For a list of all inactive tunnels with their index numbers, use the command with no options.
kmd-instance—(Optional) Display information about inactive tunnels in the key management process (in this case, it is KMD) identified by FPC slot-number and PIC slot-number.
  all—All KMD instances running on the Services Processing Unit (SPU).
  kmd-instance-name—Name of the KMD instance running on the SPU.
pic slot-number—(Optional) Display information about inactive tunnels in the PIC slot.
sa-type—(Optional, ADVPN only) Type of SA. shortcut is the only value supported in this release.
vpn-name vpn-name—(Optional) Name of the VPN.
srg-id id-number—(Optional) Display information related to a specific services redundancy group (SRG) in a Multinode High Availability setup.
The fpc slot-number, kmd-instance (all | kmd-instance-name), and pic slot-number parameters apply to SRX5600 and SRX5800 devices only.
Required Privilege Level
view
Output Fields
Table 1 lists the output fields for the show security ipsec inactive-tunnels command. Output fields are listed in the approximate order in which they appear.
Field Name | Field Description
---|---
Total inactive tunnels | Total number of inactive IPsec tunnels.
Total inactive tunnels with establish immediately | Total number of inactive IPsec tunnels that can establish a session immediately.
ID | Identification number of the inactive tunnel. You can use this number (with the index option) to get more information about the inactive tunnel.
Gateway | IP address of the remote gateway.
Port | If NAT traversal (NAT-T) is in use, this value is 4500 (UDP-encapsulated IKE and ESP). Otherwise, it is the standard IKE port, 500.
Def-Del# | Number of deferred deletions of a dial-up IPsec VPN.
Virtual-system | Virtual system to which the VPN belongs.
VPN Name | Name of the IPsec VPN.
Local Gateway | Gateway address of the local system.
Remote Gateway | Gateway address of the remote system.
Local Identity | Identity of the local peer so that its partner destination gateway can communicate with it. The value is specified as an IP address, fully qualified domain name, e-mail address, or distinguished name (DN).
Remote Identity | IP address of the destination peer gateway.
Version | Version of IKE (IKEv1 or IKEv2).
Passive mode tunneling | IPsec tunneling of malformed packets; enabled if set or disabled if not set.
DF-bit | State of the don't fragment (DF) bit.
Bind-interface | The tunnel interface (st0.x) to which the route-based VPN is bound.
Policy-name | Name of the applicable IPsec policy.
Tunnel down reason | Reason for which the tunnel is inactive.
Tunnel events | Tunnel event and the number of times the event has occurred. See Tunnel Events for descriptions of tunnel events and the action you can take.
Sample Output
- show security ipsec inactive-tunnels
- show security ipsec inactive-tunnels index 131073
- show security ipsec inactive-tunnels sa-type shortcut
- show security ipsec inactive-tunnels with passive mode tunneling
show security ipsec inactive-tunnels
user@host> show security ipsec inactive-tunnels
  Total inactive tunnels: 1
  Total inactive tunnels with establish immediately: 0
  ID          Gateway          Port   Tunnel down reason
  131073      192.168.1.2      500    Phase1 proposal mismatch detected
show security ipsec inactive-tunnels index 131073
user@host> show security ipsec inactive-tunnels index 131073
  ID: 131073 Virtual-system: root, VPN Name: vpn1
  Local Gateway: 192.168.1.100, Remote Gateway: 192.168.1.2
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv2
  DF-bit: clear, Bind-interface: st0.0
  Port: 500, Nego#: 2, Fail#: 0, Def-Del#: 0 Flag: 600a29
  Tunnel events:
    Wed Jul 16 2014 06:18:02 +0800: User cleared IPSec SA from CLI (1 times)
    Wed Jul 16 2014 06:17:58 +0800: IPSec SA negotiation successfully completed (1 times)
    Wed Jul 16 2014 06:17:54 +0800: User cleared IPSec SA from CLI (1 times)
    Wed Jul 16 2014 06:16:58 +0800: IPSec SA negotiation successfully completed (1 times)
    Wed Jul 16 2014 06:16:58 +0800: Bind interface's address received. Information updated (1 times)
    Wed Jul 16 2014 06:16:58 +0800: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
    Wed Jul 16 2014 06:16:58 +0800: External interface's address received. Information updated (1 times)
    Wed Jul 16 2014 06:16:58 +0800: Bind interface's zone received. Information updated (1 times)
    Wed Jul 16 2014 06:16:58 +0800: IKE SA negotiation successfully completed (1 times)
show security ipsec inactive-tunnels sa-type shortcut
user@host> show security ipsec inactive-tunnels sa-type shortcut
  Total inactive tunnels: 1
  Total inactive tunnels with establish immediately: 0
  ID          Port   Nego#  Fail#  Flag      Gateway         Tunnel Down Reason
  268173322   500    0      0      40608aa9  192.168.0.105   Cleared via CLI
show security ipsec inactive-tunnels with passive mode tunneling
user@host> show security ipsec inactive-tunnels
  ID: 6 Virtual-system: root, VPN Name: vpn2
  Local Gateway: 10.0.0.2, Remote Gateway: 30.0.0.2
  Traffic Selector Name: ts2
  Local Identity: ipv4(50.0.1.0-50.0.1.255)
  Remote Identity: ipv4(140.0.1.0-140.0.1.255)
  Version: IKEv2
  Passive mode tunneling: Disabled
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Policy-name: ipsec_policy
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
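The summary and detail forms above are written for an operator reading them at the CLI; when the output is collected into monitoring (over NETCONF, or a scripted SSH session), it has to be parsed, and the interesting signal is the Tunnel down reason column: "Cleared via CLI" is an operator action, whereas a reason such as "Phase1 proposal mismatch detected" means the peer, or its IKE policy, no longer matches what this device expects and should be investigated. The Python below is an added example, not Juniper code and not part of this reference. It re-embeds the documentation's sample outputs as constructed strings, reads the summary table's column order from its header line (so both the default and the sa-type shortcut layouts parse), parses the per-tunnel detail form including the tunnel event list, and flags tunnels whose down reason is not an operator action. The BENIGN_REASONS split and all function names are this example's own assumptions, not a Junos classification.

```python
"""Parse the summary and detail forms of 'show security ipsec inactive-tunnels'.
Added example, not Juniper code: the sample strings are constructed from the
documentation's samples; the column handling and BENIGN_REASONS are assumptions."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed from the default (tabular) sample.
SUMMARY_SAMPLE = """\
Total inactive tunnels: 1
Total inactive tunnels with establish immediately: 0
ID          Gateway          Port   Tunnel down reason
131073      192.168.1.2      500    Phase1 proposal mismatch detected
"""
# Constructed from the 'sa-type shortcut' sample; note the different column order.
SHORTCUT_SAMPLE = """\
Total inactive tunnels: 1
Total inactive tunnels with establish immediately: 0
ID          Port   Nego#  Fail#  Flag      Gateway         Tunnel Down Reason
268173322   500    0      0      40608aa9  192.168.0.105   Cleared via CLI
"""
# Constructed from the 'index 131073' sample (event list shortened).
DETAIL_SAMPLE = """\
ID: 131073 Virtual-system: root, VPN Name: vpn1
Local Gateway: 192.168.1.100, Remote Gateway: 192.168.1.2
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Version: IKEv2
DF-bit: clear, Bind-interface: st0.0
Port: 500, Nego#: 2, Fail#: 0, Def-Del#: 0 Flag: 600a29
Tunnel events:
  Wed Jul 16 2014 06:18:02 +0800: User cleared IPSec SA from CLI (1 times)
  Wed Jul 16 2014 06:17:58 +0800: IPSec SA negotiation successfully completed (1 times)
  Wed Jul 16 2014 06:17:54 +0800: User cleared IPSec SA from CLI (1 times)
  Wed Jul 16 2014 06:16:58 +0800: IKE SA negotiation successfully completed (1 times)
"""

# Down reasons an operator caused deliberately; anything else (a proposal
# mismatch, for instance, means the peer or its policy changed) gets flagged.
# This split is an assumption of the example, not a Junos classification.
BENIGN_REASONS = {"Cleared via CLI"}

# "Key: value" pairs. Keys may contain spaces, '-' and '#'; a value runs to the
# next whitespace with one trailing comma dropped, so 'ipv4_subnet(any:0,[..])'
# and 'Def-Del#: 0 Flag: 600a29' (no comma between the pairs) both parse.
FIELD_RE = re.compile(r"([A-Za-z][\w #\-]*?): (\S+?),?(?=\s|$)")
# "<timestamp> <utc-offset>: <event text> (<n> times)"
EVENT_RE = re.compile(r"^(?P<ts>.+? [+-]\d{4}): (?P<event>.+) \((?P<n>\d+) times\)$")


@dataclass
class InactiveTunnel:
    tunnel_id: int
    gateway: str
    port: int
    reason: str
    extra: dict[str, str]  # layout-specific columns such as nego#/fail#/flag


def parse_summary(text: str) -> list[InactiveTunnel]:
    """Parse the tabular form. Column order is read from the header line; the
    multi-word reason column is always last, so the tokens after the fixed
    columns are joined back into the reason string."""
    tunnels, columns = [], None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if columns is None and tokens[0] == "ID" and "Tunnel" in tokens:
            columns = [t.lower() for t in tokens[: tokens.index("Tunnel")]]
            continue
        if columns is None or not tokens[0].isdigit():
            continue  # the "Total inactive tunnels: N" lines precede the header
        fixed = dict(zip(columns, tokens[: len(columns)]))
        tunnels.append(InactiveTunnel(
            tunnel_id=int(fixed.pop("id")), gateway=fixed.pop("gateway"),
            port=int(fixed.pop("port")), reason=" ".join(tokens[len(columns):]),
            extra=fixed))
    return tunnels


def parse_detail(text: str) -> tuple[dict[str, str], list[tuple[str, str, int]]]:
    """Parse the per-tunnel form into (fields, events); events keep the printed
    order, which in the sample is newest first."""
    fields, events, in_events = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_events:
            m = EVENT_RE.match(line)
            if m:
                events.append((m["ts"], m["event"], int(m["n"])))
        elif line == "Tunnel events:":
            in_events = True
        else:
            fields.update(FIELD_RE.findall(line))
    return fields, events


def needs_attention(tunnels: list[InactiveTunnel]) -> list[InactiveTunnel]:
    """Inactive tunnels whose down reason was not a deliberate operator action."""
    return [t for t in tunnels if t.reason not in BENIGN_REASONS]
```

Run against the two summary samples, needs_attention returns only tunnel 131073 (the proposal mismatch); the shortcut tunnel cleared via CLI is dropped. parse_detail keeps the Local Identity value intact despite the colon and comma inside it, and returns the events as (timestamp, text, count) tuples so repeated "User cleared IPSec SA from CLI" entries can be summed rather than read one line at a time.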
Release Information
Command introduced in Junos OS Release 11.4R3.
Support for passive-mode-tunneling on MX-SPC3 introduced in Junos OS Release 23.1R1.