display ipsec statistics [ policy-name policy-name [ seq-number ] | profile-name profile-name ] [ slot slot-id cpu cpu-id ]
display ipsec statistics [ all-systems ]
display ipsec statistics tunnel-number
| Parameter | Description | Value |
|---|---|---|
| policy-name policy-name | Displays IPSec packet statistics of the IPSec policy with a specified name. NOTE: This parameter is available only in the root system. | The value must be an existing IPSec policy name. |
| seq-number | Displays IPSec packet statistics of an IPSec policy with the specified sequence number. NOTE: This parameter is available only in the root system. | The value must be an existing IPSec policy sequence number. |
| profile-name profile-name | Displays IPSec packet statistics of an IPSec profile with the specified name. NOTE: This parameter is available only in the root system. | The value must be an existing IPSec profile name. |
| slot slot-id cpu cpu-id | Displays IPSec packet statistics on a specified CPU in a specified slot. Only the USG6635E/6655E, USG6680E and USG6712E/6716E support this parameter. | The values of slot-id and cpu-id are integers and must be set according to the device configuration. |
| all-systems | Displays IPSec packet statistics about all systems including the root system and virtual system. NOTE: This parameter is available only in the root system. | - |
| tunnel-number | Displays the number of IPSec tunnels. NOTE: This parameter is available only in the root system. | - |
Usage Scenario
You can run the display ipsec statistics command to view IPSec packet statistics, including statistics about incoming or outgoing packets that are protected, statistics about encrypted and decrypted packets, detailed statistics about discarded packets that are protected, and statistics about IKE negotiation related packets. The IPSec packet statistics facilitate IPSec fault diagnosis and maintenance.
Prerequisites
The traffic statistics collection function based on the IPSec policy has been enabled using the ipsec policy-statistics enable command.
Precautions
The display ipsec statistics command only displays the number of plaintext bytes.
# Display statistics about all IPSec packets.
```
<sysname> display ipsec statistics
IPSec statistics information:
Number of IPSec tunnels: 1
Number of standby IPSec tunnels: 0
the security packet statistics:
  input/output security packets: 0/0
  input/output security bytes: 0/0
  input/output dropped security packets: 0/0
  the encrypt packet statistics:
    send chip: 0, recv chip: 0, send err: 0
    local cpu: 0, other cpu: 0, recv other cpu: 0
    intact packet: 0, first slice: 0, after slice: 0
  the decrypt packet statistics:
    send chip: 0, recv chip: 0, send err: 0
    local cpu: 0, other cpu: 0, recv other cpu: 0
    reass first slice: 0, after slice: 0
dropped security packet detail:
  can not find SA: 0, wrong SA: 0
  authentication: 0, replay: 0
  front recheck: 0, after recheck: 0
  change cpu enc: 0, dec change cpu: 0
  fib search: 0, output l3: 0
  flow err: 0, slice err: 0, byte limit: 0
  slave drop: 0
negotiate about packet statistics:
  IKE fwd packet ok: 0, err: 0
  IKE ctrl packet inbound ok: 0, outbound ok: 0
  SoftExpr: 0, HardExpr: 0, DPDOper: 0
  trigger ok: 0, switch sa: 0, sync sa: 0
  recv IKE nat keepalive: 0, IKE input: 0
```

```
<sysname> display ipsec statistics tunnel-number
Slot 3, cpu 3 tunnels: 0
IPSec tunnel totals: 0
IPSec tunnel licence specifications: 960100
```
| Item | Description |
|---|---|
| IPSec statistics information | Statistics about IPSec packets. |
| Number of IPSec tunnels | Number of the IPSec tunnels. |
| Number of standby IPSec tunnels | Number of the standby IPSec tunnels during SPU backup. |
| the security packet statistics | Statistics about packets that are protected. |
| input/output security packets | Number of incoming or outgoing packets that are protected. |
| input/output security bytes | Number of incoming or outgoing bytes that are protected. |
| input/output dropped security packets | Number of discarded incoming or outgoing packets that are protected. |
| the encrypt packet statistics | Statistics about encrypted packets. |
| send chip | Number of packets sent to the hardware for encryption and decryption. |
| recv chip | Number of packets encrypted and decrypted by hardware. |
| send err | Number of packets that fail to be sent to hardware for encryption and decryption. |
| local cpu | Number of packets encrypted and decrypted by the local CPU. |
| other cpu | Number of packets forwarded to another CPU for encryption and decryption. |
| recv other cpu | Number of packets received from another CPU for encryption and decryption. |
| intact packet | Number of non-fragmented encrypted packets. |
| first slice | Number of initial fragmented packets. |
| after slice | Number of non-initial fragmented packets. |
| the decrypt packet statistics | Statistics about decrypted packets. |
| reass first slice | Number of initial packets that are reassembled. |
| after slice | Number of non-initial packets that are reassembled. |
| dropped security packet detail | Detailed statistics about discarded packets that are protected. |
| can not find SA | Number of packets for which SAs are not found. |
| wrong SA | Number of packets with invalid SAs. |
| authentication | Number of packets that fail to be authenticated. |
| replay | Number of discarded packets due to replay check. |
| front recheck | Number of discarded packets due to IPSec pre-check. |
| after recheck | Number of discarded packets due to IPSec post-check. |
| change cpu enc | Number of encrypted packets that fail to be forwarded. |
| dec change cpu | Number of decrypted packets that fail to be forwarded. |
| fib search | Number of encrypted packets that are discarded due to route searching failure. |
| output l3 | Number of encrypted packets that fail to be sent. |
| flow err | Number of packets discarded because negotiation is triggered. |
| slice err | Number of IPSec packets that fail to be fragmented. |
| byte limit | Number of discarded packets due to traffic limit. |
| slave drop | Number of IPSec packets discarded by the standby device. |
| negotiate about packet statistics | Statistics about IKE negotiation packets. |
| IKE fwd packet ok | Number of IKE packets sent to the IKE process. |
| err | Number of IKE packets that fail to be sent to the IKE process. |
| IKE ctrl packet inbound ok | Number of IKE packets received by the control plane. |
| outbound ok | Number of IKE packets sent by the control plane. |
| SoftExpr | Number of traffic soft timeouts. |
| HardExpr | Number of traffic hard timeouts. |
| DPDOper | Number of times DPD is performed in on-demand DPD mode. |
| trigger ok | Number of times that negotiation is triggered. |
| switch sa | Number of times the local device receives data encrypted with the new SA and instructs the IKE process to replace the SA. |
| sync sa | Number of times the active device notifies the IKE process that the SA 3-tuple (remote address, SPI, protocol ID) does not exist on the standby device. |
| recv IKE nat keepalive | Number of received IKE nat keepalive packets. |
| IKE input | Number of received IKE packets. |
| Slot slot-id, cpu cpu-id tunnels | Number of IPSec tunnels on a specified CPU in a specified slot. |
| IPSec tunnel totals | Number of IPSec tunnels. |
| IPSec tunnel licence specifications | Specifications of IPSec tunnels limited by the license. |
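
An added example, not part of the vendor documentation: a Python parser for the `display ipsec statistics` output that keeps counters separated by section (names such as `send err` and `after slice` repeat in the encrypt and decrypt groups) and reports which SA, authentication and replay drop counters grew between two captures. It assumes the device prints one group per line as in the example output and that the counters are cumulative; the function names and the sample values are constructed for illustration.

```python
import re

# Section header lines, spelled as they appear in the command output.
SECTIONS = ("the security packet statistics", "the encrypt packet statistics",
            "the decrypt packet statistics", "dropped security packet detail",
            "negotiate about packet statistics")
COUNTER = re.compile(r"([^:,]+):\s*(\d+)(?:/(\d+))?")
# Drop counters the field table ties to SA lookup, authentication and anti-replay.
WATCHED = ("can not find SA", "wrong SA", "authentication", "replay")

def parse_ipsec_statistics(text):
    """Return {section: {counter: int or (input, output)}}."""
    stats, section = {"global": {}}, "global"
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("<"):
            continue  # blank line or the prompt/command echo
        if line.rstrip(":") in SECTIONS:
            section = line.rstrip(":")
            stats[section] = {}
            continue
        for name, first, second in COUNTER.findall(line):
            value = (int(first), int(second)) if second else int(first)
            stats[section][name.strip()] = value
    return stats

def drop_increases(before, after, watched=WATCHED):
    """Watched drop counters that rose between two snapshots, with the increase."""
    key = "dropped security packet detail"
    old, new = before.get(key, {}), after.get(key, {})
    return {k: new[k] - old.get(k, 0) for k in watched if new.get(k, 0) > old.get(k, 0)}

# Constructed sample (invented values), same layout as the output on this page.
SAMPLE = """<sysname> display ipsec statistics
IPSec statistics information:
Number of IPSec tunnels: 1
the security packet statistics:
  input/output security packets: 5200/4800
  the encrypt packet statistics:
    send chip: 4800, recv chip: 4800, send err: 0
  the decrypt packet statistics:
    send chip: 5200, recv chip: 5200, send err: 7
dropped security packet detail:
  can not find SA: 0, wrong SA: 0
  authentication: {auth}, replay: {replay}
"""

if __name__ == "__main__":
    t0, t1 = (parse_ipsec_statistics(SAMPLE.format(auth=1, replay=r)) for r in (2, 44))
    print(drop_increases(t0, t1))
```

A counter that goes down between captures (for example after a statistics reset) is ignored rather than reported.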