close

keyboard_arrow_left

Table of Contents Expand all

list Table of Contents

English

show security group-vpn server kek security-associations

date_range 19-Nov-23

arrow_backward

arrow_forward

Syntax

content_copy zoom_out_map
show security group-vpn server kek security-associations [brief | detail] [group group-name | group-id group-id | index sa-index]

Description

Display configured server-member communications. Group VPNv2 is supported on SRX300, SRX320, SRX340, SRX345, SRX550HM, SRX1500, SRX4100, SRX4200, and SRX4600 Series Firewalls and vSRX Virtual Firewall instances.

Options

none—Display server-member communications configured for all groups.
brief—(Optional) Display summary output.
detail—(Optional) Display detailed output.
group—(Optional) Display server-member communications configured for the specified group.
group-id—(Optional) Display server-member communications configured for the specified group.
index—(Optional) Display information for a particular SA based on the index number of the SA. To obtain the index number for a particular SA, display the list of existing SAs by using the command with no options.

Required Privilege Level

view

Output Fields

Table 1 lists the output fields for the show security group-vpn server kek security-assocationscommand. Output fields are listed in the approximate order in which they appear.

Table 1: show security group-vpn server kek security-associations Output Fields
Field Name	Field Description
`Index`	Index number of an SA. This number is an internally generated number you can use to display information about a single SA.
`Remote Address`	Identifier of the remote/peer. Because there could be multiple members, the remote address always contains the IP address 0.0.0.0.
`State`	State of the KEK security associations: `DOWN`—SA is not active. `UP`—SA is active.
`Initiator cookie`	Random number generated by the server. This is used when the server needs to push data to a member, or a member needs to reply to the server.
`Responder cookie`	Random number generated by the server. This is used when the server needs to push data to a member, or a member needs to reply to the server.
`GroupId`	Group identifier.
`KEK Peer`	IP address of the destination peer with which the local peer communicates. For KEK SAs, it always contains 0.0.0.0 which means any IP address.
`Role`	For the server, it is always initiator.
`Authentication method`	RSA is the supported authentication method.
`Local`	Address of the local peer.
`Remote`	Address of the remote peer.
`Lifetime`	Number of seconds remaining until the IKE SA expires.
`Algorithms`	Internet Key Exchange (IKE) algorithms used to encrypt and secure exchanges between the peers during the Phase 2 process: `Sig-hash`—Type of authentication algorithm used. `sha-256`—Secure Hash Algorithm 256 authentication. `sha-384`—Secure Hash Algorithm 384 authentication. `Encryption`—Type of encryption algorithm used. `aes-256-cbc`—Advanced Encryption Standard (AES) 256-bit encryption. `aes-192-cbc`— AES192-bit encryption `aes-128-cbc`—AES 128-bit encryption.
`Traffic statistics`	`Input bytes—`Number of bytes received. `Output bytes—`Number of bytes transmitted. `Input packets—`Number of packets received. `Output packets—`Number of packets transmitted.
`Server Info Version`	Identify the latest set of information maintained in the server.
The following fields are the configured `server-member-communication` options:
`Server Replay Window`	Antireplay time in milliseconds. This is 0 if antireplay is disabled.
`Retransmission Period`	Number of seconds between a rekey transmission and the first retransmission when there is no reply from the member.
`Number of Retransmissions`	For unicast communications, the number of times the server retransmits rekey messages to a member when there is no reply.
`Lifetime Seconds`	Configured lifetime, in seconds, for the KEK.
`Group Key Push sequence number`	Sequence number of the KEK SA groupkey-push message. This number is incremented with every groupkey-push message.

Sample Output