show security ipsec inactive-tunnels

02-Aug-24

Syntax

show security ipsec inactive-tunnels
brief | detail
family (inet  | inet6)
fpc slot-number
index index-number
kmd-instance (all | kmd-instance-name)
node-local
pic slot-number
srg-id id-number
sa-type shortcut
vpn-name vpn-name

Description

Display security information about inactive IPsec tunnels.

Options

  • none—Display information about all inactive tunnels.

  • brief | detail—(Optional) Display the specified level of output.

  • family—(Optional) Display the inactive tunnel by family. This option is used to filter the output.

    • inet—IPv4 address family.

    • inet6—IPv6 address family.

  • fpc slot-number—(Optional) Display information about inactive tunnels in the Flexible PIC Concentrator (FPC) slot.

  • index index-number—(Optional) Display detailed information about the specified inactive tunnel identified by this index number. For a list of all inactive tunnels with their index numbers, use the command with no options.

  • kmd-instance (all | kmd-instance-name)—(Optional) Display information about inactive tunnels in the key management process (in this case, KMD) identified by FPC slot-number and PIC slot-number.

    • all—All KMD instances running on the Services Processing Unit (SPU).

    • kmd-instance-name—Name of the KMD instance running on the SPU.

  • node-local—(Optional) Display information about inactive tunnels for node-local tunnels in a Multinode High Availability setup.

  • pic slot-number—Display information about inactive tunnels in the PIC slot.

  • sa-type shortcut—(Optional) Applicable to Auto Discovery VPN (ADVPN) only. Display information about inactive tunnels of type shortcut.

  • vpn-name vpn-name—(Optional) Name of the VPN.

  • srg-id id-number—(Optional) Display information related to a specific services redundancy group (SRG) in a Multinode High Availability setup.

The fpc slot-number, kmd-instance (all | kmd-instance-name), and pic slot-number parameters apply to SRX5600 and SRX5800 devices only.

Required Privilege Level

view

Output Fields

Table 1 lists the output fields for the show security ipsec inactive-tunnels command. Output fields are listed in the approximate order in which they appear.

Table 1: show security ipsec inactive-tunnels Output Fields

Field Name

Field Description

Total inactive tunnels

Total number of inactive IPsec tunnels.

Total inactive tunnels which establish immediately

Total number of inactive IPsec tunnels that can establish a session immediately.

ID

Identification number of the inactive tunnel. You can use this number to get more information about the inactive tunnel.

Gateway

IP address of the remote gateway.

Port

If Network Address Translation (NAT) is used, this value is 4500. Otherwise, it is the standard IKE port, 500.

Def-Del#

Number of deferred deletions of a dial-up IPsec VPN.

Virtual system

Virtual system to which the VPN belongs.

VPN name

Name of the IPsec VPN.

Local gateway

Gateway address of the local system.

Remote gateway

Gateway address of the remote system.

Traffic Selector Name

For IPsec running the KMD process:

  • Displays the name only when traffic selector is configured.

  • Doesn’t display anything if traffic selector is not configured.

For IPsec running the IKED-NG process, by default:

  • Displays the name when traffic selector is configured.

  • Displays the name as default_proxyid when proxy-identity is configured.

  • Displays the name as default_any_any when traffic selector is not configured.

See the show security ipsec inactive-tunnels detail sample output for more details.

Local identity

Identity of the local peer so that its partner destination gateway can communicate with it. The value is specified as an IP address, fully qualified domain name, e-mail address, or distinguished name (DN).

Displays proxy-identity when configured for IPsec running either KMD or IKED-NG process.

Displays 0.0.0.0 when proxy-identity is not configured.

See the show security ipsec inactive-tunnels detail sample output for more details.

Remote identity

Identity of the destination peer gateway. The value is specified as an IP address, fully qualified domain name, e-mail address, or distinguished name (DN).

Displays proxy-identity when configured for IPsec running either KMD or IKED-NG process.

Displays 0.0.0.0 when proxy-identity is not configured.

See the show security ipsec inactive-tunnels detail sample output for more details.

Version

Version of IKE.

Passive Mode Tunneling

IPsec tunneling of malformed packets; enabled if set or disabled if not set.

DF-bit

State of the don't fragment bit: set or clear.

Bind-interface

The tunnel interface to which the route-based VPN is bound.

Policy-name

Name of the applicable policy.

Tunnel Down Reason

Reason for which the tunnel is inactive.

Tunnel events

Tunnel event and the number of times the event has occurred. See Tunnel Events for descriptions of tunnel events and the action you can take.

Sample Output

show security ipsec inactive-tunnels

user@host> show security ipsec inactive-tunnels
Total inactive tunnels: 1
  Total inactive tunnels with establish immediately: 0
  ID     Gateway    Port  Tunnel down reason
  131073 192.168.1.2  500   Phase1 proposal mismatch detected

show security ipsec inactive-tunnels detail

For IPsec running the KMD process, when neither proxy-identity nor traffic-selector is configured.

user@host> show security ipsec inactive-tunnels detail
ID: 131073 Virtual-system: root, VPN Name: vpn1
  Local Gateway: 192.12.0.20, Remote Gateway: 192.12.0.10
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)

For IPsec running the KMD process, when proxy-identity is configured.

user@host> show security ipsec inactive-tunnels detail
ID: 131074 Virtual-system: root, VPN Name: vpn1
  Local Gateway: 192.12.0.20, Remote Gateway: 192.12.0.10
  Local Identity: ipv4_subnet(any:0,[0..7]=1.0.0.0/8)
  Remote Identity: ipv4_subnet(any:0,[0..7]=4.0.0.0/8)

For IPsec running the KMD process, when traffic-selector is configured.

user@host> show security ipsec inactive-tunnels detail
ID: 67108865 Virtual-system: root, VPN Name: vpn1
  Local Gateway: 192.12.0.20, Remote Gateway: 192.12.0.10
  Traffic Selector Name: ts1
  Local Identity: ipv4(1.0.0.0-1.255.255.255)
  Remote Identity: ipv4(4.0.0.0-4.255.255.255)

For IPsec running the IKED-NG process, when traffic-selector is configured.

user@host> show security ipsec inactive-tunnels detail
ID: 105 Virtual-system: root, VPN Name: IPSEC_VPN
  Local Gateway: 2.0.0.1, Remote Gateway: 2.0.0.5
  Traffic Selector Name: ts1
  Local Identity: ipv4(1.0.0.0-1.255.255.255)
  Remote Identity: ipv4(4.0.0.0-4.255.255.255)

For IPsec running the IKED-NG process, when traffic-selector is not configured.

user@host> show security ipsec inactive-tunnels detail
ID: 107 Virtual-system: root, VPN Name: IPSEC_VPN
  Local Gateway: 2.0.0.1, Remote Gateway: 2.0.0.5
  Traffic Selector Name: default_any_any_v4
  Local Identity: ipv4(0.0.0.0-255.255.255.255)
  Remote Identity: ipv4(0.0.0.0-255.255.255.255)

For IPsec running the IKED-NG process, when proxy-identity is configured.

user@host> show security ipsec inactive-tunnels detail
ID: 110 Virtual-system: root, VPN Name: IPSEC_VPN
  Local Gateway: 2.0.0.1, Remote Gateway: 2.0.0.5
  Traffic Selector Name: default_proxyid
  Local Identity: ipv4(1.0.0.0-1.255.255.255)
  Remote Identity: ipv4(4.0.0.0-4.255.255.255)

show security ipsec inactive-tunnels index 131073

user@host> show security ipsec inactive-tunnels index 131073
ID: 131073 Virtual-system: root, VPN Name: vpn1
  Local Gateway: 192.168.1.100, Remote Gateway: 192.168.1.2
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv2
  DF-bit: clear, Bind-interface: st0.0
  Port: 500, Nego#: 2, Fail#: 0, Def-Del#: 0 Flag: 600a29
  Tunnel events:
    Wed Jul 16 2014 06:18:02 +0800: User cleared IPSec SA from CLI (1 times)
    Wed Jul 16 2014 06:17:58 +0800: IPSec SA negotiation successfully completed (1 times)
    Wed Jul 16 2014 06:17:54 +0800: User cleared IPSec SA from CLI (1 times)
    Wed Jul 16 2014 06:16:58 +0800: IPSec SA negotiation successfully completed (1 times)
    Wed Jul 16 2014 06:16:58 +0800: Bind interface's address received. Information updated (1 times)
    Wed Jul 16 2014 06:16:58 +0800: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
    Wed Jul 16 2014 06:16:58 +0800: External interface's address received. Information updated (1 times)
    Wed Jul 16 2014 06:16:58 +0800: Bind interface's zone received. Information updated (1 times)
    Wed Jul 16 2014 06:16:58 +0800: IKE SA negotiation successfully completed (1 times)

show security ipsec inactive-tunnels sa-type shortcut

user@host> show security ipsec inactive-tunnels sa-type shortcut
  Total inactive tunnels: 1
  Total inactive tunnels with establish immediately: 0
  ID     Port  Nego#  Fail#  Flag      Gateway          Tunnel Down Reason
  268173322 500 0     0      40608aa9  192.168.0.105       Cleared via CLI

show security ipsec inactive-tunnels (MX-SPC3 and SRX4600) with passive mode tunneling

user@host> show security ipsec inactive-tunnels
  ID: 6 Virtual-system: root, VPN Name: vpn2
  Local Gateway: 10.0.0.2, Remote Gateway: 30.0.0.2
  Traffic Selector Name: ts2
  Local Identity: ipv4(50.0.1.0-50.0.1.255)
  Remote Identity: ipv4(140.0.1.0-140.0.1.255)
  Version: IKEv2
  Passive mode tunneling: Disabled
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Policy-name: ipsec_policy
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0

show security ipsec inactive-tunnels node-local

user@host> show security ipsec inactive-tunnels node-local
  Total inactive tunnels: 0
  Total inactive tunnels with establish immediately: 0
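An operator who collects this command's output (for example over NETCONF or a scripted SSH session) usually wants to separate tunnels that an administrator cleared on purpose from tunnels that are down because negotiation failed, since a Phase 1 proposal mismatch typically means the two peers' IKE or IPsec configurations have drifted. The following Python script is an added example, not Juniper code: it parses the brief table (including the wider sa-type shortcut form, by reading column names from the header line) and the per-tunnel index/detail output, then lists the tunnel IDs whose down reason is anything other than an operator clear. The sample text inside the script is constructed to mirror the sample output above, and the split between "operator action" and "investigate" reasons is the example's own assumption.

```python
"""Parse 'show security ipsec inactive-tunnels' output (brief and detail forms)
and flag inactive tunnels that are down for a reason other than a deliberate
operator clear. Sample text below is constructed to mirror the page's samples."""
import re
from dataclasses import dataclass, field

# Constructed sample: default (brief) output with one tunnel down on a proposal mismatch.
BRIEF_SAMPLE = """\
Total inactive tunnels: 1
  Total inactive tunnels with establish immediately: 0
  ID     Gateway    Port  Tunnel down reason
  131073 192.168.1.2  500   Phase1 proposal mismatch detected
"""

# Constructed sample: 'sa-type shortcut' output, which carries extra columns.
SHORTCUT_SAMPLE = """\
  Total inactive tunnels: 1
  Total inactive tunnels with establish immediately: 0
  ID     Port  Nego#  Fail#  Flag      Gateway          Tunnel Down Reason
  268173322 500 0     0      40608aa9  192.168.0.105       Cleared via CLI
"""

# Constructed sample: 'index <id>' output with its tunnel event history.
DETAIL_SAMPLE = """\
ID: 131073 Virtual-system: root, VPN Name: vpn1
  Local Gateway: 192.168.1.100, Remote Gateway: 192.168.1.2
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv2
  DF-bit: clear, Bind-interface: st0.0
  Port: 500, Nego#: 2, Fail#: 0, Def-Del#: 0 Flag: 600a29
  Tunnel events:
    Wed Jul 16 2014 06:18:02 +0800: User cleared IPSec SA from CLI (1 times)
    Wed Jul 16 2014 06:17:58 +0800: IPSec SA negotiation successfully completed (1 times)
"""

# Down reasons that result from deliberate operator action; anything else (e.g. a
# proposal mismatch) is treated as needing investigation. This classification is an
# assumption made for the example, not something Junos publishes.
OPERATOR_REASONS = ("cleared via cli",)


@dataclass
class BriefReport:
    total: int
    establish_immediately: int
    tunnels: list = field(default_factory=list)  # one dict per row, keyed by column name


def parse_brief(text: str) -> BriefReport:
    """Parse the tabular output. Column names come from the header line, so the
    plain form and the wider 'sa-type shortcut' form are both handled."""
    total = int(re.search(r"Total inactive tunnels:\s*(\d+)", text).group(1))
    imm = int(re.search(r"establish immediately:\s*(\d+)", text).group(1))
    report = BriefReport(total, imm)
    columns = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("ID"):
            # Header columns are separated by two or more spaces; the last column
            # (the down reason) is free text that itself contains single spaces.
            columns = re.split(r"\s{2,}", stripped)
            continue
        if columns and stripped and stripped[0].isdigit():
            values = stripped.split(None, len(columns) - 1)
            report.tunnels.append(dict(zip(columns, values)))
    return report


def parse_detail(text: str) -> dict:
    """Parse one tunnel's index/detail output into a flat dict plus its event list."""
    info = {"events": []}
    m = re.search(r"ID:\s*(\d+)\s+Virtual-system:\s*(\S+),\s*VPN Name:\s*(\S+)", text)
    info["id"], info["vsys"], info["vpn_name"] = m.group(1), m.group(2), m.group(3)
    # Comma-terminated fields share a line with other fields.
    for key in ("Local Gateway", "Remote Gateway", "Version", "Bind-interface"):
        m = re.search(rf"{re.escape(key)}:\s*([^,\n]+)", text)
        if m:
            info[key] = m.group(1).strip()
    # Identities may themselves contain commas, so take the rest of the line.
    for key in ("Local Identity", "Remote Identity"):
        m = re.search(rf"{re.escape(key)}:\s*(.+)$", text, re.M)
        if m:
            info[key] = m.group(1).strip()
    for key, val in re.findall(r"(Port|Nego#|Fail#|Def-Del#):\s*(\d+)", text):
        info[key] = int(val)
    event = re.compile(r"^\s*(.+?\d{4} \d\d:\d\d:\d\d [+-]\d{4}): (.+?) \((\d+) times\)\s*$")
    for line in text.splitlines():
        m = event.match(line)
        if m:
            info["events"].append((m.group(1), m.group(2), int(m.group(3))))
    return info


def needs_investigation(reason: str) -> bool:
    """True when the down reason is not a deliberate operator clear."""
    return not any(reason.strip().lower().startswith(r) for r in OPERATOR_REASONS)


def suspicious_tunnels(report: BriefReport) -> list:
    """IDs of inactive tunnels whose down reason warrants a closer look."""
    flagged = []
    for row in report.tunnels:
        reason = row.get("Tunnel down reason") or row.get("Tunnel Down Reason") or ""
        if needs_investigation(reason):
            flagged.append(row["ID"])
    return flagged


if __name__ == "__main__":
    for sample in (BRIEF_SAMPLE, SHORTCUT_SAMPLE):
        rep = parse_brief(sample)
        print(rep.total, "inactive; investigate:", suspicious_tunnels(rep))
    detail = parse_detail(DETAIL_SAMPLE)
    print(detail["vpn_name"], detail["Version"], "Fail#", detail["Fail#"],
          len(detail["events"]), "events")
```

Feeding the flagged IDs back into show security ipsec inactive-tunnels index index-number gives the Tunnel events history, which is usually enough to tell a stale proposal from a peer that has simply stopped responding.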

Release Information

Command introduced in Junos OS Release 11.4R3.

Support for the passive-mode-tunneling option on MX-SPC3 is added in Junos OS Release 23.1R1.

Support for the node-local option is added in Junos OS Release 23.2R1.
