show security ipsec statistics

Syntax

Description

Display standard IPsec statistics.

Options

  • none—Display statistics about all IPsec security associations (SAs).

  • fpc slot-number —Specific to SRX Series Firewalls. Display statistics about existing IPsec SAs in this Flexible PIC Concentrator (FPC) slot. This option is used to filter the output.

  • index SA-index-number —(Optional) Display statistics for the SA with this index number.

  • srg-id id-number —(Optional) Display information related to a specific services redundancy group (SRG) in a Multinode High Availability setup.

  • pic slot-number —Specific to SRX Series Firewalls. Display statistics about existing IPsec SAs in this PIC slot. This option is used to filter the output.

Required Privilege Level

view

Output Fields

Table 1 lists the output fields for the show security ipsec statistics command. Output fields are listed in the approximate order in which they appear.

Table 1: show security ipsec statistics Output Fields

Field Name

Field Description

Virtual-system

The root system.

ESP Statistics

  • Encrypted bytes—Total number of bytes encrypted by the local system across the IPsec tunnel.

  • Decrypted bytes—Total number of bytes decrypted by the local system across the IPsec tunnel.

  • Encrypted packets—Total number of packets encrypted by the local system across the IPsec tunnel.

  • Decrypted packets—Total number of packets decrypted by the local system across the IPsec tunnel.

AH Statistics

  • Input bytes—Total number of bytes received by the local system across the IPsec tunnel.

  • Output bytes—Total number of bytes transmitted by the local system across the IPsec tunnel.

  • Input packets—Total number of packets received by the local system across the IPsec tunnel.

  • Output packets—Total number of packets transmitted by the local system across the IPsec tunnel.

Errors

  • AH authentication failures—Total number of authentication header (AH) failures. An AH failure occurs when there is a mismatch of the authentication header in a packet transmitted across an IPsec tunnel.

  • Replay errors—Total number of replay errors. A replay error is generated when a duplicate packet is received within the replay window.

  • ESP authentication failures—Total number of Encapsulating Security Payload (ESP) failures. An ESP failure occurs when there is an authentication mismatch in ESP packets.

  • ESP decryption failures—Total number of ESP decryption errors.

  • Bad headers—Total number of invalid headers detected.

  • Bad trailers—Total number of invalid trailers detected.

  • Invalid SPI—Total number of invalid SPI packets detected.

  • TS check fail—Total number of TS check failures detected.

  • Discarded—Total number of discarded packets detected.

Multi-sa tunnel statistics

  • FC-name—Forwarding class name for the child security association.

  • Encrypted pkts—Total number of encrypted packets for a forwarding class.

  • Encrypted bytes—Total encrypted bytes for a forwarding class.

  • Decrypted pkts—Total number of decrypted packets for a forwarding class.

  • Decrypted bytes—Total decrypted bytes for a forwarding class.
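
The Errors counters in Table 1 are running totals, so a monitoring check has to compare two polls rather than read one. The added example below (not Juniper code) parses two snapshots of the command output and reports which error counters grew; the sample text and its assumed "Name: value" layout are constructed for illustration, and parse and error_deltas are hypothetical helper names.

```python
import re

# Constructed sample output, not captured from a device. Assumed layout:
# unindented "Section:" headers, then indented "Name: value" pairs.
BEFORE = """\
ESP Statistics:
  Encrypted bytes:          1420800
  Decrypted bytes:           998400
  Encrypted packets:          11840
  Decrypted packets:           8320
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 2
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""
AFTER = BEFORE.replace("Replay errors: 2", "Replay errors: 57").replace(
    "ESP authentication failures: 0", "ESP authentication failures: 14")

# One or more "Name: value" pairs per line, comma separated in the Errors section.
PAIR = re.compile(r"([A-Za-z][A-Za-z -]*?):\s*(\d+)")

def parse(text):
    """Return {section: {counter: int}} from the command output."""
    stats, section = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            section = line.strip().rstrip(":")
            stats[section] = {}
        elif section:
            for name, value in PAIR.findall(line):
                stats[section][name.strip()] = int(value)
    return stats

def error_deltas(before, after):
    """Return {counter: growth} for Errors counters that rose between polls."""
    old, new = parse(before)["Errors"], parse(after)["Errors"]
    deltas = {}
    for name, now in new.items():
        prev = old.get(name, 0)
        # A lower total means the counters were reset; count from zero.
        grew = now - prev if now >= prev else now
        if grew:
            deltas[name] = grew
    return deltas
```

A sustained rise in Replay errors or ESP authentication failures between polls is the signal worth alerting on; a single nonzero total says little without the previous reading.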

Sample Output

show security ipsec statistics

show security ipsec statistics index 131073

Starting with Junos OS Release 18.2R1, the CLI show security ipsec statistics index 131073 index-number output displays statistics for each forwarding class name.

show security ipsec statistics fpc 6 pic 1 (SRX Series Firewalls)

show security ipsec statistics (MX-SPC3)

Starting with Junos OS Release 21.3R1, the output of show security ipsec statistics includes a new Tunnel MTU field, which displays the option configured under the ipsec vpn hub-to-spoke-vpn tunnel-mtu hierarchy.

show security ipsec statistics srg-id <srg-id>

show security ipsec statistics (MX304)

show security ipsec statistics index <index-number> (forwarding class details)

Release Information

Command introduced in Junos OS Release 8.5. fpc and pic options added in Junos OS Release 9.3.

Support for the ha-link-encryption option added in Junos OS Release 20.4R1.

Support for the srg-id option added in Junos OS Release 22.4R1.