show security idp counters tcp-reassembler
Syntax
show security idp counters tcp-reassembler <logical-system (logical-system-name | all)> <tenant tenant-name>
Description
Displays the status of all TCP reassembler counter values.
On SRX Series Firewalls with IDP enabled, if IDP attacks are configured for a single direction (server or client), a flow in the opposite direction does not need IDP processing. For TCP traffic, the TCP optimization feature ensures minimal processing for these flows without running into reassembly errors.
Options
none | Displays the status of all TCP reassembler counter values. |
logical-system logical-system-name | (Optional) Displays the status of all TCP reassembler counter values for a specific logical system. |
logical-system all | (Optional) Displays the status of all TCP reassembler counter values for all logical systems. |
tenant tenant-name | (Optional) Displays the status of all TCP reassembler counter values for a specific tenant system. |
Required Privilege Level
view
Output Fields
Table 1 lists the output fields for the show security idp counters tcp-reassembler command. Output fields are listed in the approximate order in which they appear.
Field Name | Field Description |
---|---|
Bad TCP checksums (Unsupported) | Number of packets that have incorrect TCP checksums. |
Bad TCP headers | Number of bad TCP headers detected. |
Slow path segments | Number of segments that are sent through the slow path because the TCP segment does not pass fast-path segment validation. |
Fast path segments | Number of segments that are sent through the fast path after passing a predefined TCP validation sequence. |
Tcp Optimized s2c segments | Number of TCP segments that are sent through the optimized reassembly process from server to client. |
Tcp Optimized c2s segments | Number of TCP segments that are sent through the optimized reassembly process from client to server. |
Sequence number wrap around errors | Number of packets in which the sequence number wraps around. |
Session reuses | Number of sessions that reused an already established TCP session. |
SYN retransmissions | Number of SYN packets that are retransmitted. |
Bad three way handshake acknowledgements | Number of packets that have incorrect three-way handshake acknowledgements (ACK packet). |
Sequence number out of sync flows | Number of packets that have out-of-sync sequence numbers. |
Fast path pattern matches in queued up streams | Number of queued packets that have a fast-path pattern match. |
New segments with no overlaps with old segment | Number of new segments that do not overlap with the old segment. |
New segment overlaps with beginning of old segment | Number of new segments that overlap with the beginning of the old segment. |
New segment overlaps completely with old segment | Number of new segments that overlap completely with the old segment. |
New segment is contained in old segment | Number of new segments contained in the old segment. |
New segment overlaps with end of old segment | Number of new segments that overlap with the end of the old segment. |
New segment begins after end of old segment | Number of new segments that overlap after the end of the old segment. |
Memory consumed by new segment | Memory that is consumed by the new segment. |
Peak memory consumed by new segments | Peak memory that is consumed by the new segment. |
Segments in memory | Number of segments that are stored in memory for processing. |
Per-flow memory overflows | Number of segments dropped after reaching the per-flow memory limit. |
Global memory overflows | Number of segments dropped after reaching the reassembler global memory limit. |
Overflow drops | Number of packets that are dropped due to memory overflow. |
Copied packets (Unsupported) | Number of packets copied in the reassembler. |
Closed Acks | Number of ACK packets seen without having seen a SYN on the same session. |
Ack Validation failure | Number of invalid ACKs received from the server during the three-way handshake. |
Simultanious syn | Number of simultaneous SYN packets seen. |
C2S synack | Number of C2S SYN/ACK packets seen. |
segment to left of receiver window | Number of segments falling left of the receive window. |
segment to right of receiver window | Number of segments falling right of the receive window. |
SYN seen in the window | Number of SYN packets seen after connection establishment. |
ACK bit is off | Number of packets seen without ACK after connection establishment. |
Unexpected FIN | Number of unexpected FIN packets seen. |
Duplicate Syn/Ack with different SEQ | Number of SYN/ACK packets with different SEQ numbers. |
Sample Output
show security idp counters tcp-reassembler
```
user@host> show security idp counters tcp-reassembler
IDP counters:

  IDP counter type                                    Value
  Bad TCP checksums                                   0
  Bad TCP headers                                     0
  Slow path segments                                  90
  Fast path segments                                  7099
  Tcp Optimized s2c segments                          0
  Tcp Optimized c2s segments                          0
  Sequence number wrap around errors                  0
  Session reuses                                      0
  SYN retransmissions                                 0
  Bad three way handshake acknowledgements            0
  Sequence number out of sync flows                   0
  Fast path pattern matches in queued up streams      0
  New segments with no overlaps with old segment      0
  New segment overlaps with beginning of old segment  0
  New segment overlaps completely with old segment    0
  New segment is contained in old segment             0
  New segment overlaps with end of old segment        0
  New segment begins after end of old segment         3
  Memory consumed by new segment                      0
  Peak memory consumed by new segments                3821
  Segments in memory                                  0
  Per-flow memory overflows                           0
  Global memory overflows                             0
  Overflow drops                                      0
  Copied packets                                      0
  Closed Acks                                         3
  Ack Validation failure                              0
  Simultanious syn                                    0
  C2S synack                                          0
  segment to left of receiver window                  0
  segment to right of receiver window                 0
  SYN seen in the window                              0
  ACK bit is off                                      0
  Unexpected FIN                                      0
  Duplicate Syn/Ack with different SEQ                0
```
show security idp counters tcp-reassembler logical-system LSYS1
```
user@host> show security idp counters tcp-reassembler logical-system LSYS1
IDP counters:

  IDP counter type                                    Value
  Bad TCP checksums                                   0
  Bad TCP headers                                     0
  Slow path segments                                  37
  Fast path segments                                  27
  Tcp Optimized s2c segments                          0
  Tcp Optimized c2s segments                          0
  Sequence number wrap around errors                  0
  Session reuses                                      0
  SYN retransmissions                                 0
  Bad three way handshake acknowledgements            0
  Sequence number out of sync flows                   0
  Fast path pattern matches in queued up streams      0
  New segments with no overlaps with old segment      0
  New segment overlaps with beginning of old segment  0
  New segment overlaps completely with old segment    0
  New segment is contained in old segment             0
  New segment overlaps with end of old segment        0
  New segment begins after end of old segment         0
  Memory consumed by new segment                      0
  Peak memory consumed by new segments                2021
  Segments in memory                                  0
  Per-flow memory overflows                           0
  Global memory overflows                             0
  Overflow drops                                      0
  Overflow drops - missing packets                    0
  Copied packets                                      0
  Closed Acks                                         0
  Ack Validation failure                              0
  Simultanious syn                                    0
  C2S synack                                          0
  segment to left of receiver window                  0
  segment to right of receiver window                 0
  SYN seen in the window                              0
  ACK bit is off                                      0
  Unexpected FIN                                      0
  Duplicate Syn/Ack with different SEQ                0
```
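One way to turn these counters into a monitoring check, as an added example (not Juniper code): it parses the command's text output and reports watched counters that grew between two polls. The grouping in WATCH, the reset handling, and the two abbreviated snapshots are assumptions constructed for the example.

```python
import re

# Counter names as printed by the command; the grouping is an assumption
# made for this example, not vendor guidance.
WATCH = {
    "overlap": ["New segment overlaps with beginning of old segment",
                "New segment overlaps completely with old segment",
                "New segment is contained in old segment",
                "New segment overlaps with end of old segment"],
    "memory": ["Per-flow memory overflows", "Global memory overflows"],
    "handshake": ["Bad three way handshake acknowledgements",
                  "Ack Validation failure",
                  "Duplicate Syn/Ack with different SEQ"],
}
ROW = re.compile(r"^\s*(.+?)\s+(\d+)\s*$")  # "<counter name> <integer>"

def parse_counters(text):
    """Return {counter name: value} from the command's text output."""
    counters = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m and ">" not in line:  # ignore the CLI prompt line
            counters[m.group(1)] = int(m.group(2))
    return counters

def flag_increases(before, after):
    """List (group, counter, delta) for watched counters that grew."""
    hits = []
    for group, names in WATCH.items():
        for name in names:
            old, new = before.get(name, 0), after.get(name, 0)
            # A lower value than the last poll is treated as a counter reset.
            delta = new - old if new >= old else new
            if delta > 0:
                hits.append((group, name, delta))
    return hits

# Constructed, abbreviated snapshots from two polls (not device captures).
SNAP_1 = """IDP counters:
  IDP counter type                                Value
  Slow path segments                              90
  New segment overlaps with end of old segment    0
"""
SNAP_2 = """IDP counters:
  IDP counter type                                Value
  Slow path segments                              140
  New segment overlaps with end of old segment    12
"""
print(flag_increases(parse_counters(SNAP_1), parse_counters(SNAP_2)))
```

Alerting on the change between polls rather than on absolute values keeps a long-running device from flagging the same historical count on every poll.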
Release Information
Command introduced in Junos OS Release 9.2.
logical-system option introduced in Junos OS Release 18.3R1.
tenant option introduced in Junos OS Release 19.2R1.