IP security configuration such as security policy database and IKE SA information.

Command Syntax

>  show status addressContext <addressContext_name> ipsec 
	ikeSaStatistics
	ikeSaStatus
	ipsecSaStatistics
	ipsecSaStatus
	systemStatistics

Command Parameters

IPsec Parameters

Parameter

Description

ipsec

IP security configuration such as security policy database and IKE SA information.

ikeSaStatistics <sai>

This object displays IKE SA statistics. The fields displayed include:

  • <sa index> – The unique SAI (Security Association Index).
  • ikeVersion – The IKE version of this IPsec configuration.
  • ipsecSaNegotiationsFailed – Number of IPsec SA negotiations that failed on this IKE SA.
  • ipsecSaNegotiationsSucceeded – Number of IPsec SAs negotiated using this IKE SA.
  • localIpAddr – Displays local IP address
  • peerIpAddr – Displays peer IP address

ikeSaStatus <sai>

This object displays IKE SA status details. The fields displayed include:

  • <sa index> – The unique SAI (Security Association Index).
  • dhGroup – DH group supported in the IKE exchange
  • encType – Encryption cipher type for this SA 
  • ikeVersion – The IKE version of this IPsec configuration.
  • integrityType – Integrity cipher type for this SA 
  • localId – Local identity type (fqdn/ipV4Addr/ipV6Addr)
  • localIpAddr – Displays local IP address
  • peerId – Remote identity type (fqdn/ipV4Addr/ipV6Addr)
  • peerIpAddr – Displays remote IP address
  • secondsRemaining – Number of seconds remaining for this SA

ipsecSaStatistics <spi>

This object displays IPsec SA statistics details. The fields displayed include:

  • inBytesCount – Number of ESP bytes received.
  • inPacketDiscardAntiReplay – Number of packets discarded due to anti-replay.
  • inPacketDiscardFailedIntegrity – Number of packets discarded due to integrity check failure.
  • inPacketsCount – Number of ESP packets received.
  • localIpAddr – Local IP address.
  • outBytesCount – Number of ESP bytes sent.
  • outPacketsCount – Number of ESP packets sent.
  • peerIpAddr – Remote IP address.
  • remoteSpi – Remote Security Policy Index (SPI).

ipsecSaStatus <local spi>

IPsec SA status. The fields displayed include:

  • bytesRemaining – Number of bytes remaining if used for SA lifetime.
  • encType – Encryption type (aes).
  • ikeSaIndex – Unique internally-assigned ID.
  • ikeVersion – The IKE version of this IPsec configuration.
  • integrityType – Integrity type (sha1/md5).
  • localSelector – Local SA traffic selector
  • localSPI – Local Security Policy Index (SPI) name
  • localTerminationAddr – IP Address of the local termination point 
  • remoteSelector – Remote SA traffic selector
  • remoteSPI – Remote SPI name
  • remoteTerminationAddr – IP Address of the remote termination point
  • secondsRemaining – Number of seconds remaining in SA lifetime.
  • selectorName – Name of the Security Policy Database (SPD) used for this SA
  • upperLayerProtocol – Upper layer protocol of the SA.

peer

IPsec remote key management protocol details for the peer. The fields displayed include:

  • name
  • ipAddress
  • protocol
  • type
  • ipAddress
  • domainName
  • ipAddressVar
  • type
  • ipAddress
  • domainName
  • preSharedKey
  • protectionProfile

NOTE: This command applies to the 'show table' command only.

spd

IPsec security policy configuration. The fields displayed include:

  • name
  • state
  • precedence
  • localIpAddr
  • localIpPrefixLen
  • localPort
  • remoteIpAddr
  • remoteIpPrefixLen
  • remotePort
  • protocol
  • action
  • mode
  • protectionProfile
  • peer
  • localIpAddrVar

NOTE: This command applies to the 'show table' command only.

systemStatistics <sys name>

IPsec system statistics.

  • ikeSaNegotiationsFailed – Number of phase-1 (Main Mode) Security Association negotiation failures.
  • ikeSaNegotiationsSucceeded – Number of phase-1 (Main Mode) Security Association negotiations resulting in a phase-1 SA being established.
  • inPacketDiscardDiscarded – Number of incoming Internet Security Association and Key Management Protocol (ISAKMP) packets discarded as a result of matching a discard SPD rule.
  • inPacketDiscardInvalidSpi – Number of incoming ESP packets discarded due to their SPI not matching an existing phase-2 SA.
  • inPacketDiscardNoState – Number of incoming ISAKMP packets discarded as a result of matching a discard no state rule.
  • inPacketDiscardProtected – Number of incoming ISAKMP packets discarded as a result of matching a protect SPD rule.
  • inPacketDiscardSAExpired – Number of incoming ESP packets discarded since they arrived on a phase-2 SA that has expired.
  • inPacketDiscardSelectorMismatch – Number of Incoming ESP packets discarded due to selector mismatch.
  • ipsecSaNegotiationsFailed – Number of phase-2 (Quick Mode) Security Association negotiation failures.
  • ipsecSaNegotiationsSucceeded – Number of successful phase-2 (Quick Mode) Security Association negotiations.
  • outPacketDiscardDiscarded – Number of outgoing ISAKMP packets discarded as a result of matching a discard SPD rule.
  • outPacketDiscardProtected – Number of outgoing ISAKMP packets discarded as a result of matching a protect SPD rule.
  • outPacketDiscardSAExpired – Number of outgoing ESP packets discarded since they are for a phase-2 SA that has expired.
  • outPacketDiscardSSNWrap – Number of outgoing ESP packets discarded due to wrapping around of the sequence number.

NOTE: The value of inPacketDiscardInvalidSpi will always be 0 on theas it does not store this statistic internally.
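As an added example (not code from this reference or from the product's CLI), a small Python poller that parses the ipsecSaStatistics and systemStatistics fields listed above from constructed sample output and reports the discard and negotiation-failure counters that grew between two polls; the "name value" row layout, the sample SPI and the sys name are assumptions.

```python
# Added example, not from this CLI reference: poll-to-poll check of the IPsec
# discard/failure counters. It parses constructed sample output of
# 'show status addressContext <ctx> ipsec ipsecSaStatistics|systemStatistics';
# the 'name value' row layout is an assumption, adapt LINE_RE to real output.
import re

# Counters whose growth merits an alert, named as in this reference.
WATCHED = {
    "inPacketDiscardAntiReplay": "replayed or badly reordered ESP",
    "inPacketDiscardFailedIntegrity": "ESP integrity failures (key mismatch or tampering)",
    "inPacketDiscardInvalidSpi": "ESP with unknown SPI (stale peer SA or injected traffic)",
    "outPacketDiscardSSNWrap": "sequence number wrap, SA should have rekeyed",
    "ikeSaNegotiationsFailed": "phase-1 (IKE SA) negotiation failures",
    "ipsecSaNegotiationsFailed": "phase-2 (IPsec SA) negotiation failures",
}
LINE_RE = re.compile(r"^\s*(\w+)\s+(\d+)\s*$")  # assumed 'name  integer' rows

def parse_counters(cli_output):
    """Return {counter: value} for every 'name integer' row; header rows are skipped."""
    counters = {}
    for line in cli_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters

def counter_alerts(before, after):
    """One alert per watched counter that grew between two polls. A counter that
    went down is a reset (e.g. the SA rekeyed to a new SPI) and is not reported."""
    alerts = []
    for name, why in WATCHED.items():
        if name in before and name in after and after[name] > before[name]:
            alerts.append(f"{name} +{after[name] - before[name]}: {why}")
    return alerts

# Two constructed polls a few minutes apart (not real device output).
POLL_1 = """\
ipsecSaStatistics 0x1a2b3c4d
    inPacketDiscardAntiReplay      2
    inPacketDiscardFailedIntegrity 0
    inPacketsCount                 10432
systemStatistics SYS1
    ikeSaNegotiationsFailed        1
    ipsecSaNegotiationsFailed      0
    inPacketDiscardInvalidSpi      0
"""
POLL_2 = (POLL_1.replace("AntiReplay      2", "AntiReplay      7")
                .replace("FailedIntegrity 0", "FailedIntegrity 3")
                .replace("NegotiationsFailed      0", "NegotiationsFailed      2"))
```

Run `counter_alerts(parse_counters(POLL_1), parse_counters(POLL_2))` to get one line per counter that increased; a growing inPacketDiscardFailedIntegrity or inPacketDiscardAntiReplay count between polls is the signal worth paging on.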

The following objects only apply when using the 'show table addressContext' command:

peer, spd
