
display ikev2 statistics

Function

The display ikev2 statistics command displays statistics on IPSec tunnels negotiated using IKEv2.

Format

display ikev2 statistics { error | notify-info | packet | sa }

Parameters

| Parameter | Description | Value |
|---|---|---|
| error | Displays error statistics on IPSec tunnels negotiated using IKEv2. | - |
| notify-info | Displays notification message statistics on IPSec tunnels negotiated using IKEv2. | - |
| packet | Displays packet statistics on IPSec tunnels negotiated using IKEv2. | - |
| sa | Displays SA statistics on IPSec tunnels negotiated using IKEv2. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to view error, packet, SA, and notification message statistics on IPSec tunnels negotiated using IKEv2.

Example

# Display error statistics on IPSec tunnels negotiated using IKEv2.

<HUAWEI> display ikev2 statistics error

Error statistics:
-------------------------------------------------------------------------------
Config error:
Version error            :0
Peer address can not match with any ike peer config                  :0
Phase1 proposal mismatch :0           Phase2 proposal or pfs mismatch:0
Responder dh mismatch    :0           Initiator dh mismatch          :0
Flow mismatch            :1
ID can not match with any ike peer config                            :0
Construct local id fail                                              :0
Authentication fail (may be pre-shared-key error)                    :0
Peer's flow netmask range is too wide                                :0
-------------------------------------------------------------------------------
Packet or payload error:
Invalid length           :0
Message-id unordered     :0
Unknown exchange type    :0
Invalid cookie           :6
Shortpacket              :0
Malformed message        :4
Malformed payload        :0
Rekey, not find old child:0           Rekey, old child close         :14
Exchange-type or role(initiator or responder) mismatch               :0
Unexpected critical payload, drop                                    :0
Unexpected uncritical payload, ignore                                :0
-------------------------------------------------------------------------------
Maybe ddos attack:
Responder request IKEV2_COOKIE                                       :0
Responder receive invalid cookie for IKEV2_COOKIE request            :0
Responder receive no cookie for IKEV2_COOKIE request                 :0
-------------------------------------------------------------------------------
System abnormal:
Fail decrypt             :0           Fail encrypt                   :0
Fail integrity check     :0
No memory, fail send packet                                          :0
No memory, fail process packet                                       :0
-------------------------------------------------------------------------------
System limited:
First packet speed limited :0               License limited          :0
-------------------------------------------------------------------------------
Table 1 Description of the display ikev2 statistics error command output

Item

Description

Error statistics

Error statistics.

Config error

Configurations are incorrect.

Version error

The IKE version does not match.

Peer address can not match with any ike peer config

The corresponding IKE peer is not found based on the peer address.

Phase1 proposal mismatch

The phase 1 IPSec proposal does not match.

Phase2 proposal or pfs mismatch

The phase 2 IPSec proposal or PFS does not match.

Responder dh mismatch

DH group match on the responder failed. (If a matching DH group is available in the algorithm list of the initiator, the responder will send an information message to the initiator to instruct the initiator to start negotiation using the matching DH group. If the initiator accepts the information message, the negotiation succeeds.)

Initiator dh mismatch

DH group match on the initiator failed. (The initiator failed to process the message requesting a matching DH group.)

Flow mismatch

The data flow does not match.

ID can not match with any ike peer config

The peer ID does not match that configured in the IKE peer.

Construct local id fail

Local ID construction failed.

Authentication fail (may be pre-shared-key error)

Authentication failed. The possible cause is that the pre-shared key does not match.

Peer's flow netmask range is too wide

The mask length of the peer flow is too large.

Packet or payload error

Incorrect packet or payload.

Invalid length

Invalid length.

Message-id unordered

Message ID out of order.

Unknown exchange type

Unknown exchange type.

Invalid cookie

Invalid cookie:

  • A received IKEv2 message that does not trigger negotiation has no corresponding SA.
  • The cookie in the IKEv2 message that triggers negotiation is 0.

Shortpacket

The packet is too short.

Malformed message

Invalid message.

Malformed payload

Invalid payload.

Rekey, not find old child

The old IPSec SA is not found for re-negotiation.

Rekey, old child close

The old IPSec SA is offline for re-negotiation.

Exchange-type or role(initiator or responder) mismatch

The exchange type or role (initiator or responder) does not match.

Unexpected critical payload, drop

The unrecognized critical payload is dropped.

Unexpected uncritical payload, ignore

The unrecognized non-critical payload is ignored.

Maybe ddos attack

A DDoS attack may be occurring.

Responder request IKEV2_COOKIE

The device requests a cookie when the number of SAs in the negotiating state exceeds the threshold.

Responder receive invalid cookie for IKEV2_COOKIE request

The received cookie is invalid.

Responder receive no cookie for IKEV2_COOKIE request

No cookie is received.

System abnormal

The system is abnormal.

Fail decrypt

Decryption failed.

Fail encrypt

Encryption failed.

Fail integrity check

Integrity check failed.

No memory, fail send packet

Packet sending failed due to insufficient memory.

No memory, fail process packet

Packet parsing failed due to insufficient memory.

System limited

System restriction.

First packet speed limited

The rate of the first packet is limited.

License limited

License restriction.
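
The following added example, which is not part of the original page or of Huawei's own tooling, parses the `display ikev2 statistics error` layout shown above (section headers, one or two counters per line) and reports which watched counters grew between two captures. It assumes the counters accumulate between captures; the watch list, the function names and the snapshot values are constructed for illustration.

```python
import re

PAIR = re.compile(r"(\S.*?)\s*:(\d+)")  # one "name :value" pair; a line may hold two

def parse_stats(text):
    """Map (section, counter) -> value for `display ikev2 statistics error` output."""
    stats, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or set(line) == {"-"}:
            continue                      # blank line or dashed separator
        pairs = PAIR.findall(line)
        if not pairs and line.endswith(":"):
            section = line[:-1]           # section header, e.g. "Maybe ddos attack"
        for name, value in pairs:
            stats[(section, name)] = int(value)
    return stats

# Assumption: this watch list is a local monitoring choice, not defined by the page.
WATCH_SECTIONS = {"Maybe ddos attack"}
WATCH_COUNTERS = {"Invalid cookie", "Malformed message", "Fail integrity check",
                  "Authentication fail (may be pre-shared-key error)"}

def increases(prev, curr):
    """Watched counters that grew between two snapshots: [(section, name, delta)]."""
    grown = []
    for (section, name), value in curr.items():
        if section not in WATCH_SECTIONS and name not in WATCH_COUNTERS:
            continue
        before = prev.get((section, name), 0)
        # A value lower than before is treated as a counter reset.
        delta = value - before if value >= before else value
        if delta > 0:
            grown.append((section, name, delta))
    return sorted(grown)

# Constructed snapshot template that follows the layout of the example output.
TEMPLATE = """\
Error statistics:
-------------------------------------------------------------------------------
Config error:
Phase1 proposal mismatch :0           Phase2 proposal or pfs mismatch:0
Flow mismatch            :{flow}
Authentication fail (may be pre-shared-key error)                    :0
-------------------------------------------------------------------------------
Packet or payload error:
Invalid cookie           :{bad_cookie}
Rekey, not find old child:0           Rekey, old child close         :14
-------------------------------------------------------------------------------
Maybe ddos attack:
Responder request IKEV2_COOKIE                                       :{req_cookie}
Responder receive no cookie for IKEV2_COOKIE request                 :0
"""
EARLIER = parse_stats(TEMPLATE.format(flow=1, bad_cookie=6, req_cookie=0))
LATER = parse_stats(TEMPLATE.format(flow=3, bad_cookie=9, req_cookie=120))

if __name__ == "__main__":
    for section, name, delta in increases(EARLIER, LATER):
        print(f"{section} / {name}: +{delta}")
```

Comparing deltas rather than absolute values separates a historical count, such as the 6 invalid cookies in the sample, from a counter that is rising now.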

# Display notification message statistics on IPSec tunnels negotiated using IKEv2.

<HUAWEI> display ikev2 statistics notify-info

Ikev2 notification statistics:
-------------------------------------------------------------------------------
Notification:
INVALID_IKE_SPI notification                send:0          receive:0
INVALID_MAJOR_VERSION notification          send:0          receive:0
INVALID_SYNTAX notification                 send:0          receive:0
INVALID_IPSEC_SPI notification              send:0          receive:0
INVALID_KE_PAYLOAD notification             send:0          receive:0
SINGLE_PAIR_REQUIRED notification           send:0          receive:0
NO_ADDITIONAL_SA notification               send:0          receive:0
TS_UNACCEPTABLE notification                send:0          receive:0
INVALID_IPSEC_SELECTORS notification        send:0          receive:0
INITIAL_CONTACT payload                     send:0          receive:0
SET_WINDOW_SIZE payload                     send:0          receive:0
NAT_DETECTION_SOURCE_IP payload             send:0          receive:0
NAT_DETECTION_DESTINATION_IP payload        send:0          receive:0
USE_TRANSPORT_MODE notification             send:0          receive:0
REKEY_SA notification                       send:0          receive:0
ESP_TFC_PADDING_NOT_SUPPORTED payload       send:0          receive:0
AUTH_LIFETIME payload                       send:0          receive:0
REDIRECT payload                            send:0          receive:0
DELETE_OLD_CHILDSA notification             send:0          receive:0
DSCP payload                                send:0          receive:0
IKEV2_FRAGMENTATION_SUPPORTED payload       send:0          receive:0
------------------------------------------------------------------------------- 
Table 2 Description of the display ikev2 statistics notify-info command output

Item

Description

Ikev2 notification statistics

IKEv2 notification message statistics.

Notification

IKEv2 notification message.

INVALID_IKE_SPI notification

Invalid IKE SPI notification message.

INVALID_MAJOR_VERSION notification

Invalid major version number notification message.

INVALID_SYNTAX notification

Invalid syntax notification message.

INVALID_IPSEC_SPI notification

Invalid IPSec SPI notification message.

INVALID_KE_PAYLOAD notification

Incorrect KE payload.

SINGLE_PAIR_REQUIRED notification

Single_Pair_Required notification message.

NO_ADDITIONAL_SA notification

No additional SA notification message.

TS_UNACCEPTABLE notification

Invalid TS payload.

INVALID_IPSEC_SELECTORS notification

Invalid IPSec Selectors notification message.

INITIAL_CONTACT payload

Initial_Contact notification message.

SET_WINDOW_SIZE payload

Set_Window_Size notification message.

NAT_DETECTION_SOURCE_IP payload

NAT source IP notification message.

NAT_DETECTION_DESTINATION_IP payload

NAT destination IP notification message.

USE_TRANSPORT_MODE notification

Transport mode notification message.

REKEY_SA notification

SA re-negotiation notification message.

ESP_TFC_PADDING_NOT_SUPPORTED payload

ESP_TFC_Padding_Not_Supported notification message.

AUTH_LIFETIME payload

Auth_Lifetime notification message.

REDIRECT payload

Redirection notification message.

DELETE_OLD_CHILDSA notification

Delete_Old_ChildSa notification message.

DSCP payload

DSCP notification message.

IKEV2_FRAGMENTATION_SUPPORTED payload

IKEV2_FRAGMENTATION_SUPPORTED notify payload message.

send

Number of sent messages.

receive

Number of received messages.

# Display packet statistics on IPSec tunnels negotiated using IKEv2.

<HUAWEI> display ikev2 statistics packet

Packet statistics:
-------------------------------------------------------------------------------
Ike_init request  send   :0           Ike_init request   recv   :0
Ike_init response recv   :0           Ike_init response  send   :0
Ike_auth request  send   :0           Ike_auth request   recv   :0
Ike_auth response recv   :0           Ike_auth response  send   :0
Create_child req  send   :0           Create_child req   recv   :0
Create_child resp recv   :0           Create_child resp  send   :0
Ike_info request  send   :0           Ike_info request   recv   :0
Ike_info response recv   :0           Ike_info response  send   :0
Del_info request  send   :0           Del_info request   recv   :0
Del_info response recv   :0           Del_info response  send   :0
DPD_info request  send   :0           DPD_info request   recv   :0
DPD_info response recv   :0           DPD_info response  send   :0
DPD_info req recv drop   :0           DPD_info resp recv drop   :0
Fragment message  send   :0           Fragment message   recv   :0
Fragment packet   send   :0           Fragment packet    recv   :0

Ike_init request resend  :0
Ike_auth request resend  :0
Create_child req resend  :0
Ike_info request resend  :0
-------------------------------------------------------------------------------
Table 3 Description of the display ikev2 statistics packet command output

Item

Description

Packet statistics

IPSec packet statistics.

Ike_init request send

Number of sent IKE SA initialization exchange (ike_init) request packets.

Ike_init request recv

Number of received ike_init request packets.

Ike_init response recv

Number of received ike_init response packets.

Ike_init response send

Number of sent ike_init response packets.

Ike_auth request send

Number of sent IKE authentication exchange (ike_auth) request packets.

Ike_auth request recv

Number of received ike_auth request packets.

Ike_auth response recv

Number of received ike_auth response packets.

Ike_auth response send

Number of sent ike_auth response packets.

Create_child req send

Number of sent request packets of the exchange that creates an IPSec SA for a sub-tunnel (create_child).

Create_child req recv

Number of received create_child request packets.

Create_child resp recv

Number of received create_child response packets.

Create_child resp send

Number of sent create_child response packets.

Ike_info request send

Number of sent IKE notification exchange (ike_info) request packets.

Ike_info request recv

Number of received ike_info request packets.

Ike_info response recv

Number of received ike_info response packets.

Ike_info response send

Number of sent ike_info response packets.

Del_info request send

Number of sent tunnel information deletion (del_info) request packets.

Del_info request recv

Number of received del_info request packets.

Del_info response recv

Number of received del_info response packets.

Del_info response send

Number of sent del_info response packets.

DPD_info request send

Number of sent DPD information (dpd_info) request packets.

DPD_info request recv

Number of received dpd_info request packets.

DPD_info response recv

Number of received dpd_info response packets.

DPD_info response send

Number of sent dpd_info response packets.

DPD_info req recv drop

Number of received dpd_info request packets that are dropped.

DPD_info resp recv drop

Number of received dpd_info response packets that are dropped.

Fragment message send

Number of sent fragment messages.

Fragment message recv

Number of received fragment messages.

Fragment packet send

Number of sent fragment packets.

Fragment packet recv

Number of received fragment packets.

Ike_init request resend

Number of retransmitted ike_init requests.

Ike_auth request resend

Number of retransmitted ike_auth requests.

Create_child req resend

Number of retransmitted create_child requests.

Ike_info request resend

Number of retransmitted ike_info requests.

# Display SA statistics on IPSec tunnels negotiated using IKEv2.

<HUAWEI> display ikev2 statistics sa

Sa establish and offline statistic:
-------------------------------------------------------------------------------
Establish:
Initiator request phase1 negotiation                           :33
Initiator request phase2 negotiation                           :16
Initiator request and success phase1 negotiation               :10
Initiator request and success phase2 negotiation               :41
Responder response phase1 negotiation                          :0
Responder response phase2 negotiation                          :0
Responder response and success phase1 negotiation              :0
Responder response and success phase2 negotiation              :0
Offline:
Receive delete info      :1           Config modify            :0
Manual reset             :1           Dpd timeout              :0
Phase1 hardware expire   :0           Phase2 hardware expire   :0
Phase1 replace           :0           Phase2 replace           :0
Aaa cut user             :0           Reauth timeout           :0
Flow overlap             :0           IP address syn failed    :0
Port mismatch            :0           Kick old SA              :0
CPU table updated        :0           SPI conflict             :0
EAP delete old sa        :0           Hash gene adjusted       :0
-------------------------------------------------------------------------------
Table 4 Description of the display ikev2 statistics sa command output

Item

Description

Sa establish and offline statistic

SA establishment and deletion information.

Establish

Statistics on established IPSec tunnels.

Initiator request phase1 negotiation

Number of times that the initiator requests phase 1 negotiation.

Initiator request phase2 negotiation

Number of times that the initiator requests phase 2 negotiation.

Initiator request and success phase1 negotiation

Number of times that the initiator succeeds in requesting phase 1 negotiation.

Initiator request and success phase2 negotiation

Number of times that the initiator succeeds in requesting phase 2 negotiation.

Responder response phase1 negotiation

Number of times that the responder responds to phase 1 negotiation.

Responder response phase2 negotiation

Number of times that the responder responds to phase 2 negotiation.

Responder response and success phase1 negotiation

Number of times that the responder succeeds in responding to phase 1 negotiation.

Responder response and success phase2 negotiation

Number of times that the responder succeeds in responding to phase 2 negotiation.

Offline

Statistics on deleted IPSec tunnels.

Receive delete info

Number of times that the device receives tunnel deletion messages.

Config modify

Number of times that the tunnel is deleted by modifying the configuration.

Manual reset

Number of times that the tunnel is deleted manually.

Phase1 hardware expire

Number of times that the phase 1 tunnel is deleted due to hard timeout.

Phase2 hardware expire

Number of times that the phase 2 tunnel is deleted due to hard timeout.

Phase1 replace

Number of times that the phase 1 tunnel is re-negotiated.

Phase2 replace

Number of times that the phase 2 tunnel is re-negotiated.

Aaa cut user

Number of times that the tunnel is deleted because a user is forced offline.

Dpd timeout

Number of times that the tunnel is deleted due to DPD timeout.

Reauth timeout

Number of times that the tunnel is deleted due to re-authentication timeout.

Flow overlap

Number of times that the tunnel is deleted due to a conflict between the IP address in the encrypted flow and the remote IP address.

IP address syn failed

Number of times that the tunnel is deleted due to a failure to synchronize IP addresses.

Port mismatch

Number of times that the tunnel is deleted due to a UDP port mismatch.

Kick old SA

Number of times that the tunnel is deleted due to a flow conflict.

CPU table updated

Number of times that the tunnel is deleted due to a CPU table update.

SPI conflict

Number of times that the tunnel is deleted due to an SPI conflict.

EAP delete old sa

Number of times that the device deletes the old SA during EAP authentication.

Hash gene adjusted

Number of times that the tunnel is deleted due to hash factor adjustment.

Copyright © Huawei Technologies Co., Ltd.