Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


show security ipsec inactive-tunnels



Display security information about the inactive tunnel.


  • none—Display information about all inactive tunnels.

  • brief | detail—(Optional) Display the specified level of output.

  • family—(Optional) Display the inactive tunnel by family. This option is used to filter the output.

    • inet—IPv4 address family.

    • inet6—IPv6 address family.

  • fpc slot-number—(Optional) Display information about inactive tunnels in the Flexible PIC Concentrator (FPC) slot.

  • index index-number—(Optional) Display detailed information about the specified inactive tunnel identified by this index number. For a list of all inactive tunnels with their index numbers, use the command with no options.

  • kmd-instance —(Optional) Display information about inactive tunnels in the key management process (in this case, it is KMD) identified by FPC slot-number and PIC slot-number.

    • all—All KMD instances running on the Services Processing Unit (SPU).

    • kmd-instance-name—Name of the KMD instance running on the SPU.

  • pic slot-number—Display information about inactive tunnels in the PIC slot.

  • sa-type—(Optional for ADVPN) Type of SA. shortcut is the only option for this release.

  • vpn-name vpn-name—(Optional) Name of the VPN.

  • srg-idid-number—(Optional) Display information related to a specific services redundancy group (SRG) in a Multinode High Availability setup.

The fpc slot-number, kmd-instance (all | kmd-instance-name), and pic slot-number parameters apply to SRX5600 and SRX5800 devices only.

Required Privilege Level


Output Fields

Table 1 lists the output fields for the show security ipsec inactive-tunnels command. Output fields are listed in the approximate order in which they appear.

Table 1: show security ipsec inactive-tunnels Output Fields

Field Name

Field Description

Total inactive tunnels

Total number of inactive IPsec tunnels.

Total inactive tunnels which establish immediately

Total number of inactive IPsec tunnels that can establish a session immediately.


Identification number of the inactive tunnel. You can use this number to get more information about the inactive tunnel.


IP address of the remote gateway.


If Network Address Translation (NAT) is used, this value is 4500. Otherwise, it is the standard IKE port, 500.


Number of deferred deletions of a dial-up IPsec VPN.

Virtual system

Virtual system to which the VPN belongs.

VPN name

Name of the IPsec VPN.

Local gateway

Gateway address of the local system.

Remote gateway

Gateway address of the remote system.

Local identity

Identity of the local peer so that its partner destination gateway can communicate with it. The value is specified as an IP address, fully qualified domain name, e-mail address, or distinguished name (DN).

Remote identity

IP address of the destination peer gateway.


Version of IKE.


State of the don't fragment bit: set or clear.


The tunnel interface to which the route-based VPN is bound.


Name of the applicable policy.

Tunnel Down Reason

Reason for which the tunnel is inactive.

Tunnel events

Tunnel event and the number of times the event has occurred. See Tunnel Events for descriptions of tunnel events and the action you can take.

Sample Output

show security ipsec inactive-tunnels

show security ipsec inactive-tunnels index 131073

show security ipsec inactive-tunnels sa-type shortcut

Release Information

Command introduced in Junos OS Release 11.4R3. Support.