show security ike active-peer
Syntax
show security ike active-peer
<peer-address>
<aaa-username username>
<brief | detail>
<debug>
local-address IP address
local-ike-id IKE ID
local-port port number (1..65535)
<fpc slot-number pic slot-number>
<ike-id IKE-ID>
<kmd-instance (all | kmd-instance-name)>
<node-local>
<pic slot-number fpc slot-number>
<port port-number peer-address>
<srg-id id-number>
routing-instance name of the local gateway routing instance
stats
<ha-link-encryption>
Description
Display the list of connected active users with details about the peer addresses and ports they are using.
Options
| peer-address | (Optional) Display details about the user with the specified peer address. |
| aaa-username username | (Optional) Display information about the user with the specified authentication, authorization, and accounting (AAA) username. |
| brief | (Optional) Display standard information about all users. (Default) |
| detail | (Optional) Display detailed information about all users. |
| debug | (Optional) Display debug information about all users. |
| local-address | Display information about the user with the specified local gateway IP address. |
| local-ike-id | Display information about the user with the specified local gateway IKE ID. |
| local-port port-number | Display information about users on the specified local gateway port number for specified local gateway IP address. |
| fpc slot-number pic slot-number | (Optional) Display information about users on the specified Flexible PIC Concentrator (FPC) slot and PIC slot. |
| ike-id IKE-ID | (Optional) Display information about the user with the specified IKE ID. |
| kmd-instance (all \| kmd-instance-name) | (Optional) Display information about users in the key management process (KMD) identified by FPC slot-number and PIC slot-number. |
| node-local | (Optional) Display information about users for node-local tunnels in a Multinode High Availability setup. |
| pic slot-number fpc slot-number | (Optional) Display information about users on the specified PIC slot and FPC slot. |
| port port-number peer-address | (Optional) Display information about users on the specified port for the specified peer address. |
| routing-instance | Display information about users on the specified local gateway routing instance. |
| stats | Display detailed output along with IKE SA stats information accumulated at the peer. |
| ha-link-encryption | (Optional) Display information related to interchassis link (ICL) tunnel only. See ipsec (High Availability) and show security ike active-peer ha-link-encryption (SRX5400, SRX5600, SRX5800). |
| srg-id number | (Optional) Display information related to a specific services redundancy group (SRG) in a Multinode High Availability setup. |
Required Privilege Level
view
Output Fields
Table 1 lists the output fields for the show security ike active-peer command. Output fields are listed in the approximate order in which they appear.
| Field Name | Field Description | Level of Output |
|---|---|---|
|  | IP address of the peer. |  |
|  | Port used by the peer. | All levels |
|  | IKE ID used by the peer. | All levels |
|  | Username of the peer. | All levels |
|  | IP address assigned to the peer. |  |
|  | Network attributes assigned to the peer can include the IP address and netmask, and DNS and WINS server addresses. |  |
|  | IP address previously assigned to the peer. |  |
|  | Index number of the SA associated with the peer. This number is an internally generated number. |  |
|  | Number of IKE SAs negotiated. |  |
|  | Number of IPsec tunnels active. |  |
|  | IDs of the active IPsec tunnels. |  |
|  | DPD configuration values. |  |
|  | Information about DPD operations. |  |
|  | Interface name of the local gateway. |  |
|  | Name of the local gateway routing instance. |  |
|  | IP address of the local gateway. |  |
|  | IKE ID used by local gateway. |  |
Sample Output
- show security ike active-peer
- show security ike active-peer stats
- show security ike active-peer detail
- show security ike active-peer ha-link-encryption (SRX5400, SRX5600, SRX5800)
- show security ike active-peer srg-id 1
- show security ike active-peer node-local
show security ike active-peer
user@host> show security ike active-peer
Remote Address    Port   Peer IKE-ID      AAA username   Assigned IP
192.168.6.136     8034   user1tac@650a    user1          192.168.80.225
show security ike active-peer stats
user@host> show security ike active-peer stats
Local gateway interface: xe-1/1/2
Routing instance: default
Local address: 192.0.2.1, Port: 500, Local IKE-ID : device.example.net
Peer address: 198.51.100.2, Port: 500, Peer IKE-ID : device1.example.net
AAA username: not available
Assigned network attributes:
  IP Address : 192.0.2.10 , netmask : 255.255.255.0
  DNS Address : 19851.100.25 , DNS2 Address : 198.51.100.26
  WINS Address : 203.0.113.25 , WINS2 Address : 203.0.113.26
Assigned network attributes (IPv6):
  IP Address : :: , prefix : 0
  DNS Address : 2001:db8:::ffff , DNS2 Address : 2001:db8::1001
Previous Peer address : 0.0.0.0, Port : 0
Active IKE SA indexes : 1
IKE SA negotiated : 1
IPSec tunnels active : 1, IPSec Tunnel IDs : 500001

IKE_SA_INIT exchange stats:
  Initiator stats:                 Responder stats:
    Request Out : 0                  Request In : 1
    Response In : 0                  Response Out : 1
    Invalid KE Payload In : 0        Invalid KE Payload Out : 0
    No Proposal Chosen In : 0        No Proposal Chosen Out : 0
    Cookie Request In : 0            Cookie Request Out : 0
    Cookie Response Out : 0          Cookie Response In : 0
    Res Invalid IKE SPI : 0          Res DH Gen Key Fail : 0
    Res Verify SA Fail : 0           Res Invalid DH Group Conf: 0
    Res IKE SA Fill Fail : 0         Res Get CAs Fail : 0
    Res Verify DH Group Fail: 0      Res Get VID Fail : 0
    Res DH Compute Key Fail : 0      Res DH Compute Key Fail : 0

IKE_AUTH exchange stats:
  Initiator stats:                 Responder stats:
    Request Out : 0                  Request In : 1
    Response In : 0                  Response Out : 1
    No Proposal Chosen In : 0        No Proposal Chosen Out : 0
    TS Unacceptable In : 0           TS Unacceptable Out : 0
    Authentication Failed In: 0      Authentication Failed Out: 0

IKE SA Rekey CREATE_CHILD_SA exchange stats:
  Initiator stats:                 Responder stats:
    Request Out : 0                  Request In : 0
    Response In : 0                  Response Out : 0
    No Proposal Chosen In : 0        No Proposal Chosen Out : 0
    Invalid KE In : 0                Invalid KE Out : 0
    Res DH Compute Key Fail : 0      Res DH Compute Key Fail: 0
    Res Verify SA Fail : 0           Res Fill IKE SA Fail : 0
    Res Verify DH Group Fail: 0

IPsec SA Rekey CREATE_CHILD_SA exchange stats:
  Initiator stats:                 Responder stats:
    Request Out : 0                  Request In : 0
    Response In : 0                  Response Out : 0
    No Proposal Chosen In : 0        No Proposal Chosen Out : 0
    Invalid KE In : 0                Invalid KE Out : 0
    TS Unacceptable In : 0           TS Unacceptable Out : 0
    Res DH Compute Key Fail : 0      Res DH Compute Key Fail: 0
    Res Verify SA Fail : 0           Res Verify DH Group Fail: 0
    Res Verify TS Fail : 0
show security ike active-peer detail
user@host> show security ike active-peer detail
Local gateway interface: xe-1/1/2
Routing instance: default
Local address: 192.0.2.1, Port: 500, Local IKE-ID : device.example.net
Peer address: 198.51.100.2, Port: 500, Peer IKE-ID : device1.example.net
AAA username: not available
Assigned network attributes:
  IP Address : 192.0.2.10 , netmask : 255.255.255.0
  DNS Address : 198.51.100.25 , DNS2 Address : 198.51.100.26
  WINS Address : 203.0.113.25 , WINS2 Address : 203.0.113.26
Assigned network attributes (IPv6):
  IP Address : 5000::1 , prefix : 112
  DNS Address : 1000::ffff:ffff , DNS2 Address : 1100::ffff:ffff
Previous Peer address : 0.0.0.0, Port : 0
Active IKE SA indexes : 1
IKE SA negotiated : 1
IPSec tunnels active : 1, IPSec Tunnel IDs : 500001
show security ike active-peer ha-link-encryption (SRX5400, SRX5600, SRX5800)
Starting in Junos OS Release 20.4R1, when you configure the high availability (HA) feature, you can use this show command to view only interchassis link tunnel details. The following command displays only interchassis link active peers and not regular active peers.
user@host> show security ike active-peer ha-link-encryption
Remote Address    Port   Peer IKE-ID   AAA username    Assigned IP
23.0.0.2          500    23.0.0.2      not available   0.0.0.0
show security ike active-peer srg-id 1
user@host> show security ike active-peer srg-id 1
Remote Address    Port   Peer IKE-ID   AAA username    Assigned IP
10.112.0.1        500    10.112.0.1    not available   0.0.0.0
show security ike active-peer node-local
user@host> show security ike active-peer node-local
Remote Address    Port   Peer IKE-ID   AAA username   Assigned IP
6.0.0.2           500    DC=juniper, CN=r0, OU=marketing, O=juniper, L=sunnyvale, ST=california, C=us   not available   0.0.0.0
user@host> show security ike active-peer node-local detail
Local gateway interface: xe-0/0/2.0
Routing instance: default
Local address: 4.0.0.1, Port: 500, Local IKE-ID : DC=juniper, CN=r0, OU=marketing, O=juniper, L=sunnyvale, ST=california, C=us
Peer address: 6.0.0.2, Port: 500, Peer IKE-ID : DC=juniper, CN=r0, OU=marketing, O=juniper, L=sunnyvale, ST=california, C=us
AAA username: not available
Assigned network attributes:
  IP Address : 0.0.0.0 , netmask : 0.0.0.0
  DNS Address : 0.0.0.0 , DNS2 Address : 0.0.0.0
  WINS Address : 0.0.0.0 , WINS2 Address : 0.0.0.0
Assigned network attributes (IPv6):
  IP Address : :: , prefix : 0
  DNS Address : :: , DNS2 Address : ::
Previous Peer address : 0.0.0.0, Port : 0
Active IKE SA indexes : 25
IKE SA negotiated : 1
IPSec tunnels active : 1, IPSec Tunnel IDs : 500003
DPD Config Mode : always-send
DPD Config Interval: 10
DPD Config Treshold: 3
DPD Config P1SA IDX: 25
DPD Stats Req sent: 5, DPD Stats Resp rcvd: 5
DPD Statistics : DPD TTL :3 DPD seq-no :0
DPD Statistics : DPD triggerd p1SA :0 DPD Reserved :0
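The brief output is whitespace-separated, but the Peer IKE-ID column can itself contain spaces when it is a certificate distinguished name, as in the node-local sample. The following Python script is an added example, not Juniper code: it parses saved brief output from both ends of each row and reports AAA usernames that are active from more than one remote address. The function names, the constructed sample rows, and the assumption that an AAA username contains no spaces are this example's own.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the brief-output layout shown on this page (not captured from a device).
SAMPLE = """\
user@host> show security ike active-peer
Remote Address   Port  Peer IKE-ID      AAA username   Assigned IP
192.168.6.136    8034  user1tac@650a    user1          192.168.80.225
198.51.100.7     4500  user1tac@650a    user1          192.168.80.226
6.0.0.2          500   DC=juniper, CN=r0, OU=marketing, O=juniper, L=sunnyvale, ST=california, C=us not available 0.0.0.0
"""

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_active_peers(text):
    """Parse brief output into dicts; the IKE-ID may contain spaces (a DN)."""
    peers = []
    for line in text.splitlines():
        tokens = line.split()
        # A data row starts with an IP and a numeric port and ends with the assigned IP;
        # this skips the prompt line and the column header.
        if (len(tokens) < 5 or not _is_ip(tokens[0])
                or not tokens[1].isdigit() or not _is_ip(tokens[-1])):
            continue
        middle = tokens[2:-1]          # IKE-ID followed by the AAA username column
        if middle[-2:] == ["not", "available"]:
            username, ike_id = None, middle[:-2]
        else:                          # assumption: usernames are a single token
            username, ike_id = middle[-1], middle[:-1]
        peers.append({"remote": tokens[0], "port": int(tokens[1]),
                      "ike_id": " ".join(ike_id), "aaa_username": username,
                      "assigned_ip": tokens[-1]})
    return peers

def shared_usernames(peers):
    """Return {username: sorted remote addresses} for users seen from more than one address."""
    seen = defaultdict(set)
    for p in peers:
        if p["aaa_username"]:
            seen[p["aaa_username"]].add(p["remote"])
    return {u: sorted(a) for u, a in seen.items() if len(a) > 1}

if __name__ == "__main__":
    print(shared_usernames(parse_active_peers(SAMPLE)))
```

Rows whose AAA username column reads "not available" are kept in the parsed list with `aaa_username` set to `None`, so site-to-site and ICL peers can be filtered out before the username check.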
Release Information
Command introduced in Junos OS Release 10.4. Support to display dead peer detection (DPD) statistics added in Junos OS Release 12.3X48-D10.
Support for the ha-link-encryption option added in Junos OS Release 20.4R1.
Support for the srg-id option added in Junos OS Release 22.4R1.
Support for the node-local option added in Junos OS Release 23.2R1.