show security ipsec inactive-tunnels
Syntax
show security ipsec inactive-tunnels
brief | detail
family (inet | inet6)
fpc slot-number
index index-number
kmd-instance (all | kmd-instance-name)
pic slot-number
srg-id id-number
sa-type shortcut
vpn-name vpn-name
Description
Display security information about the inactive tunnel.
Options
- none—Display information about all inactive tunnels.
- brief | detail—(Optional) Display the specified level of output.
- family—(Optional) Display the inactive tunnel by family. This option is used to filter the output.
  - inet—IPv4 address family.
  - inet6—IPv6 address family.
- fpc slot-number—(Optional) Display information about inactive tunnels in the Flexible PIC Concentrator (FPC) slot.
- index index-number—(Optional) Display detailed information about the specified inactive tunnel identified by this index number. For a list of all inactive tunnels with their index numbers, use the command with no options.
- kmd-instance—(Optional) Display information about inactive tunnels in the key management process (in this case, it is KMD) identified by FPC slot-number and PIC slot-number.
  - all—All KMD instances running on the Services Processing Unit (SPU).
  - kmd-instance-name—Name of the KMD instance running on the SPU.
- pic slot-number—Display information about inactive tunnels in the PIC slot.
- sa-type—(Optional for ADVPN) Type of SA. shortcut is the only option for this release.
- vpn-name vpn-name—(Optional) Name of the VPN.
- srg-id id-number—(Optional) Display information related to a specific services redundancy group (SRG) in a Multinode High Availability setup.

The fpc slot-number, kmd-instance (all | kmd-instance-name), and pic slot-number parameters apply to SRX5600 and SRX5800 devices only.
Required Privilege Level
view
Output Fields
Table 1 lists the output fields for the show security ipsec inactive-tunnels command. Output fields are listed in the approximate order in which they appear.
| Field Name | Field Description |
|---|---|
| | Total number of inactive IPsec tunnels. |
| | Total number of inactive IPsec tunnels that can establish a session immediately. |
| | Identification number of the inactive tunnel. You can use this number to get more information about the inactive tunnel. |
| | IP address of the remote gateway. |
| | If Network Address Translation (NAT) is used, this value is 4500. Otherwise, it is the standard IKE port, 500. |
| | Number of deferred deletions of a dial-up IPsec VPN. |
| | Virtual system to which the VPN belongs. |
| | Name of the IPsec VPN. |
| | Gateway address of the local system. |
| | Gateway address of the remote system. |
| | Identity of the local peer so that its partner destination gateway can communicate with it. The value is specified as an IP address, fully qualified domain name, e-mail address, or distinguished name (DN). |
| | IP address of the destination peer gateway. |
| | Version of IKE. |
| | State of the don't fragment bit: |
| | The tunnel interface to which the route-based VPN is bound. |
| | Name of the applicable policy. |
| | Reason for which the tunnel is inactive. |
| | Tunnel event and the number of times the event has occurred. See Tunnel Events for descriptions of tunnel events and the action you can take. |
Sample Output
show security ipsec inactive-tunnels
```
user@host> show security ipsec inactive-tunnels
  Total inactive tunnels: 1
  Total inactive tunnels with establish immediately: 0
  ID       Gateway         Port    Tunnel down reason
  131073   192.168.1.2     500     Phase1 proposal mismatch detected
```
show security ipsec inactive-tunnels index 131073
```
user@host> show security ipsec inactive-tunnels index 131073
ID: 131073 Virtual-system: root, VPN Name: vpn1
Local Gateway: 192.168.1.100, Remote Gateway: 192.168.1.2
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Version: IKEv2
DF-bit: clear, Bind-interface: st0.0
Port: 500, Nego#: 2, Fail#: 0, Def-Del#: 0 Flag: 600a29
Tunnel events:
  Wed Jul 16 2014 06:18:02 +0800: User cleared IPSec SA from CLI (1 times)
  Wed Jul 16 2014 06:17:58 +0800: IPSec SA negotiation successfully completed (1 times)
  Wed Jul 16 2014 06:17:54 +0800: User cleared IPSec SA from CLI (1 times)
  Wed Jul 16 2014 06:16:58 +0800: IPSec SA negotiation successfully completed (1 times)
  Wed Jul 16 2014 06:16:58 +0800: Bind interface's address received. Information updated (1 times)
  Wed Jul 16 2014 06:16:58 +0800: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
  Wed Jul 16 2014 06:16:58 +0800: External interface's address received. Information updated (1 times)
  Wed Jul 16 2014 06:16:58 +0800: Bind interface's zone received. Information updated (1 times)
  Wed Jul 16 2014 06:16:58 +0800: IKE SA negotiation successfully completed (1 times)
```
show security ipsec inactive-tunnels sa-type shortcut
```
user@host> show security ipsec inactive-tunnels sa-type shortcut
Total inactive tunnels: 1
Total inactive tunnels with establish immediately: 0
ID         Port  Nego#  Fail#  Flag      Gateway        Tunnel Down Reason
268173322  500   0      0      40608aa9  192.168.0.105  Cleared via CLI
```
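An added example, not part of the Juniper documentation: a Python parser for the summary and sa-type shortcut outputs above. It reads the column order from the header line, groups tunnels by down reason, and checks the row count against the reported total so a truncated capture is noticed. The line layout of the embedded sample text and the function names are assumptions.

```python
import re
from collections import Counter

# Sample text: the two summary outputs from this page, with the line
# breaks assumed (the page shows each output run together on one line).
BRIEF = """\
Total inactive tunnels: 1
Total inactive tunnels with establish immediately: 0
  ID       Gateway         Port    Tunnel down reason
  131073   192.168.1.2     500     Phase1 proposal mismatch detected
"""
SHORTCUT = """\
Total inactive tunnels: 1
Total inactive tunnels with establish immediately: 0
ID         Port  Nego#  Fail#  Flag      Gateway        Tunnel Down Reason
268173322  500   0      0      40608aa9  192.168.0.105  Cleared via CLI
"""

HEADER_RE = re.compile(r"^\s*(ID\b.*?)\s+Tunnel down reason\s*$", re.I)
TOTAL_RE = re.compile(r"^\s*Total inactive tunnels( with establish immediately)?:\s*(\d+)\s*$")


def parse_inactive_tunnels(text):
    """Return (totals, rows); column names are taken from the header line."""
    totals, rows, cols = {}, [], None
    for line in text.splitlines():
        if m := TOTAL_RE.match(line):
            totals["establish_immediately" if m.group(1) else "inactive"] = int(m.group(2))
        elif m := HEADER_RE.match(line):
            cols = m.group(1).split()
        elif cols and line.strip():
            # Split off one field per column; the remainder is the free-text reason.
            parts = line.split(None, len(cols))
            if len(parts) != len(cols) + 1 or not parts[0].isdigit():
                continue  # prompt or unrelated line
            row = dict(zip(cols, parts))
            row["reason"] = parts[-1].strip()
            rows.append(row)
    return totals, rows


def summarize(text):
    """Count tunnels per down reason; flag a capture that lost rows."""
    totals, rows = parse_inactive_tunnels(text)
    by_reason = dict(Counter(r["reason"] for r in rows))
    return {"by_reason": by_reason, "complete": totals.get("inactive") == len(rows)}


if __name__ == "__main__":
    print(summarize(BRIEF), summarize(SHORTCUT))
```

Grouping by down reason separates operator actions such as "Cleared via CLI" from negotiation failures such as "Phase1 proposal mismatch detected", which usually need a configuration review on one of the peers.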
Release Information
Command introduced in Junos OS Release 11.4R3. Support.