You can run the display ipsec packet statistics command to view IPSec packet statistics, including statistics about incoming or outgoing packets that are protected, statistics about encrypted and decrypted packets, detailed statistics about discarded packets that are protected, and statistics about IKE negotiation related packets. The IPSec packet statistics facilitate IPSec fault diagnosis and maintenance.
Precautions

The display ipsec packet statistics command only displays the number of plaintext bytes.
# Display statistics about all IPSec packets.
```
<HUAWEI> display ipsec packet statistics
 IPSec statistics information:
 Number of IPSec tunnels: 1
 Number of standby IPSec tunnels: 0
 the security packet statistics:
   input/output security packets: 0/0
   input/output security bytes: 0/0
   input/output dropped security packets: 0/0
   the encrypt packet statistics:
     send chip: 0, recv chip: 0, send err: 0
     local cpu: 0, other cpu: 0, recv other cpu: 0
     intact packet: 0, first slice: 0, after slice: 0
   the decrypt packet statistics:
     send chip: 0, recv chip: 0, send err: 0
     local cpu: 0, other cpu: 0, recv other cpu: 0
     reass first slice: 0, after slice: 0
   dropped security packet detail:
     can not find SA: 0, wrong SA: 0
     authentication: 0, replay: 0
     front recheck: 0, after recheck: 0
     change cpu enc: 0, dec change cpu: 0
     fib search: 0, output l3: 0
     flow err: 0, slice err: 0, byte limit: 0
 negotiate about packet statistics:
   IKE fwd packet ok: 0, err: 0
   IKE ctrl packet inbound ok: 0, outbound ok: 0
   SoftExpr: 0, HardExpr: 0, DPDOper: 0
   trigger ok: 0, switch sa: 0, sync sa: 0
   recv IKE nat keepalive: 0, IKE input: 0
```

Item | Description |
---|---|
IPSec statistics information | Statistics about IPSec packets. |
Number of IPSec tunnels | Number of the IPSec tunnels. |
Number of standby IPSec tunnels | Number of the standby IPSec tunnels. |
the security packet statistics | Statistics about packets that are protected. |
input/output security packets | Number of incoming or outgoing packets that are protected. |
input/output security bytes | Number of incoming or outgoing bytes that are protected. |
input/output dropped security packets | Number of discarded incoming or outgoing packets that are protected. |
the encrypt packet statistics | Statistics about encrypted packets. |
send chip | Number of packets sent to the hardware for encryption and decryption. |
recv chip | Number of packets encrypted and decrypted by hardware. |
send err | Number of packets that fail to be sent to hardware for encryption and decryption. |
local cpu | Number of packets encrypted and decrypted by the local CPU. |
other cpu | Number of packets forwarded to another CPU for encryption and decryption. |
recv other cpu | Number of packets received from another CPU for encryption and decryption. |
intact packet | Number of non-fragmented encrypted packets. |
first slice | Number of initial fragmented packets. |
after slice | Number of non-initial fragmented packets. |
the decrypt packet statistics | Statistics about decrypted packets. |
reass first slice | Number of initial packets that are reassembled. |
after slice | Number of non-initial packets that are reassembled. |
dropped security packet detail | Detailed statistics about discarded packets that are protected. |
can not find SA | Number of packets for which SAs are not found. |
wrong SA | Number of packets with invalid SAs. |
authentication | Number of packets that fail to be authenticated. |
replay | Number of discarded packets due to replay check. |
front recheck | Number of discarded packets due to IPSec pre-check. |
after recheck | Number of discarded packets due to IPSec post-check. |
change cpu enc | Number of encrypted packets that fail to be forwarded. |
dec change cpu | Number of decrypted packets that fail to be forwarded. |
fib search | Number of encrypted packets that are discarded due to route searching failure. |
output l3 | Number of encrypted packets that fail to be sent. |
flow err | Number of packets discarded because negotiation is triggered. |
slice err | Number of IPSec packets that fail to be fragmented. |
byte limit | Number of discarded packets due to traffic limit. |
negotiate about packet statistics | Statistics about IKE negotiation packets. |
IKE fwd packet ok | Number of IKE packets sent to the IKE process. |
err | Number of IKE packets that fail to be sent to the IKE process. |
IKE ctrl packet inbound ok | Number of IKE packets received by the control plane. |
outbound ok | Number of IKE packets sent by the control plane. |
SoftExpr | Number of traffic soft timeouts. |
HardExpr | Number of traffic hard timeouts. |
DPDOper | Number of times DPD is performed in on-demand DPD mode. |
trigger ok | Number of times that negotiation is triggered. |
switch sa | Number of times the local device receives data encrypted with the new SA and instructs the IKE process to replace the SA. |
sync sa | Number of times the active device notifies the IKE process that the SA triplet (remote address, SPI, protocol ID) does not exist on the standby device. |
recv IKE nat keepalive | Number of received IKE nat keepalive packets. |
IKE input | Number of received IKE packets. |
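
For fault diagnosis it helps to compare two captures of this output and see which drop reasons grew. The following is an added example, not Huawei code: it parses the layout shown above and reports the counters under "dropped security packet detail" that increased; the function names and the sample values are constructed for illustration.

```python
import re

SECTION = re.compile(r"^\s*([^:]+):\s*$")          # e.g. "dropped security packet detail:"
PAIR = re.compile(r"([^:,]+):\s*(\d+(?:/\d+)?)")   # e.g. "replay: 0" or "... packets: 0/0"
DROPS = "dropped security packet detail"

def parse_ipsec_stats(text):
    """Return {section: {counter: int | (input, output)}}."""
    stats, section = {}, None
    for line in text.splitlines():
        header = SECTION.match(line)
        if header:                                  # a line that is only "name:"
            section = header.group(1).strip()
            stats.setdefault(section, {})
            continue
        for name, value in PAIR.findall(line):      # one or more "name: value" pairs
            nums = tuple(int(n) for n in value.split("/"))
            stats.setdefault(section, {})[name.strip()] = nums if len(nums) == 2 else nums[0]
    return stats

def drop_deltas(before, after):
    """Drop-reason counters that grew between two captures of the output."""
    old, new = parse_ipsec_stats(before)[DROPS], parse_ipsec_stats(after)[DROPS]
    return {k: new[k] - old.get(k, 0) for k in new if new[k] > old.get(k, 0)}

# Constructed sample output, trimmed to a few sections (values are made up).
SAMPLE_T0 = """\
<HUAWEI> display ipsec packet statistics
 IPSec statistics information:
 Number of IPSec tunnels: 1
 Number of standby IPSec tunnels: 0
 the security packet statistics:
   input/output security packets: 1200/1180
   input/output dropped security packets: 3/0
   the decrypt packet statistics:
     send chip: 1200, recv chip: 1200, send err: 0
   dropped security packet detail:
     can not find SA: 1, wrong SA: 0
     authentication: 2, replay: 0
     flow err: 0, slice err: 0, byte limit: 0
"""
SAMPLE_T1 = (SAMPLE_T0.replace("packets: 3/0", "packets: 60/0")
             .replace("authentication: 2, replay: 0", "authentication: 2, replay: 57"))

if __name__ == "__main__":
    for reason, grew in drop_deltas(SAMPLE_T0, SAMPLE_T1).items():
        print(f"{reason}: +{grew}")
```

Counters are keyed by section because names such as "send chip" and "after slice" appear in both the encrypt and decrypt groups.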