show security ike stats

Syntax

Description

Display global IKE (Internet Key Exchange) statistics for tunnels, such as in-progress, established, and expired negotiations, using IKEv2 on the SRX5000 line with an SPC3 card.

Options

  • brief (default): Displays tunnel count statistics and non-zero counters of the global IKE statistics.

  • detail: Displays all the global IKE and tunnel count statistics.

Required Privilege Level

view

Output Fields

Table 1 lists the output fields for the total IKE SA and tunnel count statistics. Table 2 lists the output fields for the IKE_SA_INIT, IKE_AUTH, IKE SA Rekey CREATE_CHILD_SA, and IPsec SA Rekey CREATE_CHILD_SA exchange statistics. Table 3 lists the total IKE message failure statistics for the show security ike stats command. Output fields are listed in the approximate order in which they appear.

Table 1: total-IKE-SA-and-tunnel-count-statistics Output Fields

| Field Name | Field Description |
|---|---|
| Number of IKE SAs | Number of IKE SAs currently active. |
| Number of IPsec Tunnels | Number of IPsec tunnels currently active. |
| Number of DPD failovers | Shows number of times there is a DPD failover. |

Table 2: IKEv2_negotiation_exchange_statistics

Field Name

Field Description for Output Fields of Initiator Statistics

Field Description for Output Fields of Responder Statistics

IKE_SA_INIT exchange stats

Initiator statistics:

  • Request Out—Number of IKE_SA_INIT request messages sent by the initiator.

  • Response In—Number of IKE_SA_INIT response messages received by the initiator.

  • Invalid KE Payload In—Number of IKE_SA_INIT INVALID_KE_PAYLOAD notification messages received by the initiator.

  • No Proposal Chosen In—Number of IKE_SA_INIT NO_PROPOSAL_CHOSEN notification messages received by the initiator.

  • Cookie Request In—Number of IKE_SA_INIT cookie request notification messages received by the initiator.

  • Cookie Response Out—Number of IKE_SA_INIT cookie response notification messages sent by responder.

  • Res Invalid IKE SPI—Number of IKE_SA_INIT response messages containing an invalid SPI received by the initiator.

  • Res Verify SA Fail—Number of times IKE_SA_INIT response message processing failed during verification of the peer SA at the initiator.

  • Res IKE SA Fill Fail—Number of times IKE_SA_INIT response message processing failed during verification of the IKE SA fill operation at the initiator.

  • Res Verify DH Group Fail—Number of times IKE_SA_INIT response message processing failed during verification of the Diffie-Hellman group at the initiator.

  • Res DH Compute Key Fail—Number of times IKE_SA_INIT response message processing failed during verification of the Diffie-Hellman compute key at the initiator.

Responder statistics:

  • Request In—Number of IKE_SA_INIT request messages received by the responder.

  • Response Out—Number of IKE_SA_INIT response messages sent by the responder.

  • Invalid KE Payload Out—Number of IKE_SA_INIT INVALID_KE_PAYLOAD notification messages sent by the responder.

  • No Proposal Chosen Out—Number of IKE_SA_INIT NO_PROPOSAL_CHOSEN notification messages sent by the responder.

  • Cookie Request Out—Number of IKE_SA_INIT cookie request notification messages sent by the responder.

  • Cookie Response In—Number of IKE_SA_INIT cookie response notification messages received by the responder.

  • Res DH Gen Key Fail—Number of times IKE_SA_INIT response message processing failed during Diffie-Hellman generate key at the responder.

  • Res Invalid DH Group Conf—Number of times IKE_SA_INIT response message processing failed due to an invalid Diffie-Hellman group configured at the responder.

  • Res Get CAs Fail—Number of times IKE_SA_INIT response message processing failed during the get CAs operation at the responder.

  • Res Get VID Fail—Number of times IKE_SA_INIT response message processing failed during the get vendor ID request operation at the responder.

  • Res DH Compute Key Fail—Number of times IKE_SA_INIT response message processing failed during Diffie-Hellman compute key at the responder.

IKE_AUTH exchange stats

Initiator statistics:

  • Request Out—Number of IKE_AUTH request messages sent by the initiator.

  • Response In—Number of IKE_AUTH response messages received by the initiator.

  • No Proposal Chosen In—Number of IKE_AUTH NO_PROPOSAL_CHOSEN notification messages received by the initiator.

  • TS Unacceptable In—Number of IKE_AUTH TS_UNACCEPTABLE notification messages received by the initiator.

  • Authentication Failed In—Number of IKE_AUTH AUTHENTICATION_FAILED notification messages received by the initiator.

Responder statistics:

  • Request In—Number of IKE_AUTH request messages received by the responder.

  • Response Out—Number of IKE_AUTH response messages sent by the responder.

  • No Proposal Chosen Out—Number of IKE_AUTH NO_PROPOSAL_CHOSEN notification messages sent by the responder.

  • TS Unacceptable out—Number of IKE_AUTH TS_UNACCEPTABLE notification messages sent by the responder.

  • Authentication Failed Out—Number of IKE_AUTH AUTHENTICATION_FAILED notification messages sent by the responder.

IKE SA Rekey CREATE_CHILD_SA exchange stats

Initiator statistics:

  • Request Out—Number of IKE SA rekey CREATE_CHILD_SA request messages sent by the initiator.

  • Response In—Number of IKE SA rekey CREATE_CHILD_SA response messages received by the initiator.

  • No Proposal Chosen In—Number of IKE SA rekey CREATE_CHILD_SA NO_PROPOSAL_CHOSEN notification messages received by the initiator.

  • Invalid KE In—Number of IKE SA rekey CREATE_CHILD_SA INVALID_KE_PAYLOAD notification messages received by the initiator.

  • Res DH Compute Key Fail—Number of times IKE SA rekey CREATE_CHILD_SA response message processing failed during verification of the Diffie-Hellman compute key at the initiator.

  • Res Verify SA Fail—Number of times IKE SA rekey CREATE_CHILD_SA response message processing failed during verification of the peer SA at the initiator.

  • Res Fill IKE SA Fail—Number of times IKE SA rekey CREATE_CHILD_SA response message processing failed during the IKE SA fill operation at the initiator.

  • Res Verify DH Group Fail—Number of times IKE SA rekey CREATE_CHILD_SA response message processing failed during verification of the Diffie-Hellman group at the initiator.

Responder statistics:

  • Request In—Number of IKE SA rekey CREATE_CHILD_SA request messages received by the responder.

  • Response Out—Number of IKE SA rekey CREATE_CHILD_SA response messages sent by the responder.

  • No Proposal Chosen Out—Number of IKE SA rekey CREATE_CHILD_SA NO_PROPOSAL_CHOSEN notification messages sent by the responder.

  • Invalid KE Out—Number of IKE SA rekey CREATE_CHILD_SA INVALID_KE_PAYLOAD notification messages sent by the responder.

  • Res DH Compute Key Fail—Number of times IKE SA rekey CREATE_CHILD_SA response message processing failed during Diffie-Hellman compute key at the responder.

IPsec SA Rekey CREATE_CHILD_SA exchange stats

Initiator statistics:

  • Request Out—Number of IPsec SA rekey CREATE_CHILD_SA request messages sent by the initiator.

  • Response In—Number of IPsec SA rekey CREATE_CHILD_SA response messages received by the initiator.

  • No Proposal Chosen In—Number of IPsec SA rekey CREATE_CHILD_SA NO_PROPOSAL_CHOSEN notification messages received by the initiator.

  • Invalid KE In—Number of IPsec SA rekey CREATE_CHILD_SA INVALID_KE_PAYLOAD notification messages received by the initiator.

  • TS Unacceptable In—Number of IPsec SA rekey CREATE_CHILD_SA TS_UNACCEPTABLE notification messages received by the initiator.

  • Res DH Compute Key Fail—Number of times IPsec SA rekey CREATE_CHILD_SA response message processing failed during verification of the Diffie-Hellman compute key at the initiator.

  • Res Verify SA Fail—Number of times IPsec SA rekey CREATE_CHILD_SA response message processing failed during verification of the peer SA at the initiator.

  • Res Verify DH Group Fail—Number of times IPsec SA rekey CREATE_CHILD_SA response message processing failed during verification of the Diffie-Hellman group at the initiator.

  • Res Verify TS Fail—Number of times IPsec SA rekey CREATE_CHILD_SA response message processing failed during verification of TS at the initiator.

Responder statistics:

  • Request In—Number of IPsec SA rekey CREATE_CHILD_SA request messages received by the responder.

  • Response Out—Number of IPsec SA rekey CREATE_CHILD_SA response messages sent by the responder.

  • No Proposal Chosen Out—Number of IPsec SA rekey CREATE_CHILD_SA NO_PROPOSAL_CHOSEN notification messages sent by the responder.

  • Invalid KE Out—Number of IPsec SA rekey CREATE_CHILD_SA INVALID_KE_PAYLOAD notification messages sent by the responder.

  • TS Unacceptable Out—Number of IPsec SA rekey CREATE_CHILD_SA TS_UNACCEPTABLE notification messages sent by the responder.

  • Res DH Compute Key Fail—Number of times IPsec SA rekey CREATE_CHILD_SA response message processing failed during Diffie-Hellman compute key at the responder.

Table 3: IKEv2_negotiation_message_failure_statistics

| Field Name | Field Description |
|---|---|
| Discarded | The total number of discarded messages. |
| Integrity fail | The total number of messages with integrity check failure. |
| Invalid exchange type | The total number of messages with invalid exchange type failure. |
| Disorder | The total number of message failures due to disorder. |
| ID error | The total number of messages with ID error. |
| Invalid SPI | The total number of messages with invalid SPI failure. |
| Invalid length | The total number of messages with invalid length failure. |
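An added example, not part of the Juniper page: the fields in Tables 2 and 3 are message counts, so the useful signal for monitoring is how much each one grew between two readings. The page shows no output format, so the snapshots are assumed to be already parsed into dictionaries; `WATCH`, `delta`, `triage`, the key layout and the sample values are hypothetical, and the interpretations follow general IKEv2 behaviour (RFC 7296).

```python
# Added example, not Juniper code. Assumed snapshot layout:
# {(exchange, role, field): count}, field names as in Tables 2 and 3.
# Meanings follow general IKEv2 behaviour (RFC 7296), not Junos internals.
WATCH = {
    "No Proposal Chosen Out": "peer offered a proposal the local policy rejects",
    "No Proposal Chosen In": "peer rejected the local proposal",
    "Invalid KE Payload Out": "peer used a DH group the local policy rejects",
    "TS Unacceptable Out": "peer traffic selectors do not match local policy",
    "Authentication Failed Out": "peer failed authentication",
    "Authentication Failed In": "peer rejected local credentials",
    "Cookie Request Out": "responder is challenging initiators with cookies",
    "Integrity fail": "messages failing the integrity check",
}

def delta(prev, curr):
    """Increase per counter; a lower value means a reset, so count from zero."""
    return {k: (v - prev.get(k, 0) if v >= prev.get(k, 0) else v)
            for k, v in curr.items()}

def triage(prev, curr, threshold=5):
    """Return (exchange, role, field, increase, meaning) for notable jumps."""
    d = delta(prev, curr)
    findings = [(ex, role, field, inc, WATCH[field])
                for (ex, role, field), inc in sorted(d.items())
                if field in WATCH and inc >= threshold]
    # Heuristic: IKE_SA_INIT requests that were never followed by IKE_AUTH.
    stalled = (d.get(("IKE_SA_INIT", "responder", "Request In"), 0)
               - d.get(("IKE_AUTH", "responder", "Request In"), 0))
    if stalled >= threshold:
        findings.append(("IKE_SA_INIT", "responder", "init without auth",
                         stalled, "handshakes stalled after IKE_SA_INIT"))
    return findings

# Constructed snapshots taken a few minutes apart (not real device output).
KEYS = [
    ("IKE_SA_INIT", "responder", "Request In"),
    ("IKE_SA_INIT", "responder", "Cookie Request Out"),
    ("IKE_AUTH", "responder", "Request In"),
    ("IKE_AUTH", "responder", "Authentication Failed Out"),
    ("failures", "global", "Integrity fail"),
]
PREV = dict(zip(KEYS, [120, 0, 118, 2, 40]))
CURR = dict(zip(KEYS, [920, 300, 130, 3, 4]))  # last counter was cleared

if __name__ == "__main__":
    for finding in triage(PREV, CURR):
        print(finding)
```

With the constructed values, the responder saw 800 new IKE_SA_INIT requests but only 12 new IKE_AUTH requests, which is the half-open pattern; the cleared `Integrity fail` counter is treated as a reset rather than a negative change.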

Sample Output

show security ike stats brief

Sample Output

show security ike stats detail

Sample Output

show security ike stats brief

The command displays IKE statistics for the VPN tunnel. Notice that the output displays the number of times there is a DPD failover. The output field Number of DPD failovers is displayed only if there is a failover.

show security ike stats

The command displays IKE statistics for the VPN tunnel. Starting in Junos OS Release 23.4R1, the output field DOWN lists the count of half-open IKE SAs.

Release Information

Command introduced in Junos OS Release 19.4R1.

CLI options brief and detail are introduced in Junos OS Release 20.1R1.

The output field Number of DPD failovers is introduced in Junos OS Release 23.4R1.