display ipsec statistics
Usage Guidelines
Usage Scenario
After configuring IPsec, you can run the display ipsec statistics command to check statistics about the packets that are received, sent, or discarded by IPsec. The statistics include the following:
- Number of received and sent packets
- Number of received and sent bytes in packets
- Number of discarded incoming and outgoing packets
- Detailed information about discarded packets
Example
The actual command output varies according to the device. The command output here is only an example.
<HUAWEI> display ipsec statistics IPv6 security packet statistics: Current system time: 2017-02-22 20:25:23 input/output security packets: 0/0 input/output security bytes: 0/0 input/output dropped security packets: 0/0 dropped security packet detail: memory process problem: 0 can't find SA: 0 queue is full: 0 authentication is failed: 0 wrong length: 0 replay packet: 0 too long packet: 0 invalid SA: 0 policy deny: 0 the normal packet statistics: input/output dropped normal packets: 0/0 IPv4 security packet statistics: Current system time: 2017-02-22 20:25:23 input/output security packets: 0/0 input/output security bytes: 0/0 input/output dropped security packets: 0/0 dropped security packet detail: memory process problem: 0 can't find SA: 0 queue is full: 0 authentication is failed: 0 wrong length: 0 replay packet: 0 too long packet: 0 invalid SA: 0 policy deny: 0 the normal packet statistics: input/output dropped normal packets: 0/0 SPU board slot 1 information: the security packet statistics: input/output security packets: 0/0 input/output security bytes: 0/0 input/output dropped security packets: 0/0 the encrypt packet statistics send sae: 0, recv sae: 0, send err: 0 intact packet: 0, first slice: 0, after slice: 0 the decrypt packet statistics send sae: 0, recv sae: 0, send err: 0 reass first slice: 0, after slice: 0, len err: 0 dropped security packet detail: packet header wrong: 0, memory apply fail: 0 can't find SA: 0, wrong SA: 0 authentication: 0, replay: 0 succeed-check: 0 exceed packet limit: 0 change cpu enc: 0, dec change cpu: 0 process ipv4: 0, fib search: 0 rcv enc(dec) form sae said err: 0, 0 send port: 0, output: 0 dropped other packet detail: interface acl recheck inbound/outbound drop: 0/0 acl tcam found not match: 0 backup SA drop: 0 sae shared queue message number: 0 sae shared queue drop: 0 negotiate about packet statistics: Mpu first packets recv/send:0/0 IP packet ok:0, err:0, drop:0 IKE packet inbound ok:0, err:0 IKE packet outbound ok:0, err:0 IKE nat keepalive packet received:0 SoftExpr:0, HardExpr:0, DPDRcv/DPDSend:0/0, SwapSa:0 ModpCnt: 0, SaeSucc: 0, SoftwareSucc: 0
| Item | Description |
|---|---|
| IPv6 security packet statistics | IPv6 security packet statistics. |
| Current system time | Current time of the system. |
| input/output security packets | Number of received and sent packets. |
| input/output security bytes | Number of received and sent bytes in packets. |
| input/output dropped security packets | Number of discarded incoming and outgoing packets. |
| input/output dropped normal packets | Number of normal packets that are discarded in the receive and transmit directions. |
| dropped security packet detail | Detailed information about discarded packets. |
| memory process problem | Number of packets discarded due to storage problems. |
| can't find SA | Number of packets discarded because no SA is found. |
| queue is full | Number of packets discarded because the queue is full. |
| authentication is failed | Number of packets discarded due to authentication failures. |
| wrong length | Number of packets discarded due to incorrect length. |
| replay packet | Number of packets discarded due to duplication. |
| too long packet | Number of packets discarded due to excessive length. |
| invalid SA | Number of packets discarded due to invalid SAs. |
| policy deny | Number of packets discarded due to policy denial. |
| the normal packet statistics | Statistics about normal packets. |
| IPv4 security packet statistics | IPv4 security packet statistics. |
| negotiate about packet statistics | Statistics about negotiation packets. |
| Mpu first packets recv/send:0/0 | MPU first packet receiving/sending "0/0. |
| IP packet ok:0, err:0, drop:0 | Number of normal IP data packets: 0; number of error IP data packets: 0; number of discarded IP data packets: 0. |
| IKE packet inbound ok:0, err:0 | Number of normal incoming IKE packets: 0; number of error incoming IKE packets: 0. |
| IKE packet outbound ok:0, err:0 | Number of normal IKE packets in the outbound direction: 0; number of error IKE packets in the outbound direction: 0. |
| IKE nat keepalive packet received:0 | Number of received IKE NAT keepalive packets: 0. |
| SoftExpr:0, HardExpr:0, DPDRcv/DPDSend:0/0, SwapSa:0 | Software timeout: 0; hardware timeout: 0; DPD receiving/DOD sending: 0/0; switching SA: 0. |
| ModpCnt: 0, SaeSucc: 0, SoftwareSucc: 0 | Modulus calculation: 0, hardware encryption success: 0, software encryption success: 0. |