
display ipsec history record

Function

The display ipsec history record command displays history information about IPSec tunnels.

Format

display ipsec history record [ remote-address remote-address ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| remote-address remote-address | Displays history information about the IPSec tunnel with the specified remote IP address. | The value is in dotted decimal notation. |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display ipsec history record command to view the reason and time of the last teardown of the IPSec tunnel.

Example

# Display history information about IPSec tunnels.

<HUAWEI> display ipsec history record
IPSec history record:
Current record number: 1
===============================
Interface              : Vlanif100
remote-address         : 2.1.1.1
remote-port            : 500
VPN instance           : huawei
flow-source            : 10.1.1.1/255.255.255.255
flow-destination       : 10.2.2.2/255.255.255.255  
last-offline-reason    : peer request
last-offline-time      : 2017-07-17 20:25:31
offline-times-in-24Hour: 1

Table 1 Description of the display ipsec history record command output

| Item | Description |
|---|---|
| IPSec history record | History information about IPSec tunnels. |
| Current record number | Current record number of the teardown of the IPSec tunnel. |
| Interface | Interface to which an IPSec policy is applied. |
| remote-address | Remote IP address of an IPSec tunnel. |
| remote-port | Remote UDP port number. |
| VPN instance | Name of a VPN instance. |
| flow-source | Source address segment of data flows. |
| flow-destination | Destination address segment of data flows. |
| last-offline-reason | Reason of the last teardown of an IPSec tunnel. The possible values are listed below the table. |
| last-offline-time | Last time an IPSec tunnel was torn down. |
| offline-times-in-24Hour | Number of times an IPSec tunnel was torn down within 24 hours. |

Values of last-offline-reason:

  • dpd timeout: Dead peer detection (DPD) times out.
  • peer request: The remote end has sent a message asking the local end to tear down the tunnel.
  • config modify or manual offline: An SA is deleted due to configuration modification, or an SA is manually deleted.
  • phase1 hard expiry: Hard lifetime expires in phase 1 (no new SA negotiation success message is received).
  • phase2 hard expiry: Hard lifetime expires in phase 2.
  • heartbeat timeout: Heartbeat detection times out.
  • modecfg address soft expiry: The lease of the IP address that the remote end applied for from the server expires.
  • re-auth timeout: An SA is deleted due to reauthentication timeout.
  • aaa cut user: The AAA module disconnects users.
  • hard expiry triggered by port mismatch: A hard timeout occurs due to a mismatched NAT port number.
  • spi conflict: An SPI conflict occurs.
  • phase1 sa replace: The new IKE SA replaces the old IKE SA.
  • phase2 sa replace: The new IPSec SA replaces the old IPSec SA.
  • receive invalid spi notify: The device receives an invalid SPI notification.
  • dns resolution status change: DNS resolution status changes.
  • ikev1 phase1-phase2 sa dependent offline: The device deletes the associated IPSec SA when deleting an IKEv1 SA.
  • exchange timeout: Packet exchange times out.
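
The following added example (not part of the Huawei documentation) parses the output format shown above and flags teardown records for review by reason and by the offline-times-in-24Hour count. The one-separator-per-record layout, the REVIEW_REASONS grouping, the flap_threshold default and the second sample record are assumptions.

```python
# Constructed sample: record 1 copies the page's example, record 2 is invented test data.
# Assumption: every record is preceded by its own "=====" separator line.
SAMPLE = """\
IPSec history record:
Current record number: 2
===============================
Interface              : Vlanif100
remote-address         : 2.1.1.1
remote-port            : 500
VPN instance           : huawei
flow-source            : 10.1.1.1/255.255.255.255
flow-destination       : 10.2.2.2/255.255.255.255
last-offline-reason    : peer request
last-offline-time      : 2017-07-17 20:25:31
offline-times-in-24Hour: 1
===============================
Interface              : Vlanif100
remote-address         : 2.1.1.2
remote-port            : 4500
VPN instance           : huawei
flow-source            : 10.1.1.1/255.255.255.255
flow-destination       : 10.3.3.3/255.255.255.255
last-offline-reason    : dpd timeout
last-offline-time      : 2017-07-17 21:02:10
offline-times-in-24Hour: 7
"""
# Assumption (not from the page): reasons treated as needing review rather than routine rekeying.
REVIEW_REASONS = {"dpd timeout", "heartbeat timeout", "exchange timeout", "spi conflict",
                  "receive invalid spi notify", "hard expiry triggered by port mismatch"}

def parse_records(text):
    """Split the command output into one dict per teardown record."""
    records = []
    for line in text.splitlines():
        if set(line.strip()) == {"="}:          # separator line opens a new record
            records.append({})
        elif records and ":" in line:           # header lines before the first separator are skipped
            key, value = line.split(":", 1)     # first colon only: timestamps contain ':'
            records[-1][key.strip()] = value.strip()
    return [r for r in records if r]

def triage(records, flap_threshold=3):
    """Return (remote-address, reason, teardowns in 24h) for records worth reviewing."""
    findings = []
    for r in records:
        reason, flaps = r.get("last-offline-reason"), int(r.get("offline-times-in-24Hour", 0))
        if reason in REVIEW_REASONS or flaps >= flap_threshold:
            findings.append((r.get("remote-address"), reason, flaps))
    return findings
```

Calling `triage(parse_records(SAMPLE))` returns only the constructed second record; adjust REVIEW_REASONS and flap_threshold to match local policy.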
Copyright © Huawei Technologies Co., Ltd.