View IPSec Statistics

Use the following procedure to clear Internet Protocol Security (IPSec) system statistics counters and view IPSec statistics on an interface. The device only clears system statistics counters on system reboot.

Procedure

  1. To enter User EXEC mode, log on to the switch.
  2. View IPSec statistics for the system:

    show ipsec statistics system

  3. View IPSec statistics for an Ethernet interface:

    show ipsec statistics gigabitethernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

  4. View IPSec statistics for a VLAN interface:

    show ipsec statistics vlan <1–4059>

  5. View statistics for IPSec on the management interface:

    show ipsec statistics mgmtethernet <mgmt | mgmt2>

    Note

    This step applies to VSP 8600 Series only.

  6. View statistics for IPSec on the loopback interface:

    show ipsec statistics loopback <1–256>

  7. Clear IPSec system statistics counters:

    clear ipsec stats all

Example

View IPSec statistics. Output is partial due to length.

Switch:1>show ipsec statistics system

================================================================================
                            IPSEC Global Statistics
================================================================================
InSuccesses          = 0
InSPViolations       = 0
InNotEnoughMemories  = 0
InAHESPReplays       = 0
InAHFailures         = 0
InESPFailures        = 0
OutSuccesses         = 0
OutSPViolations      = 0
OutNotEnoughMemories = 0
generalError         = 0
InAHSuccesses        = 0
InESPSuccesses       = 0
OutAHSuccesses       = 0
OutESPSuccesses      = 0
OutKBytes            = 0
OutBytes             = 0
InKBytes             = 0
InBytes              = 0
--More-- (q = quit)

Switch:1>show ipsec statistics gigabitethernet 1/13

================================================================================
                              Ipsec  Port  Stats
================================================================================
Ifindex              = 204
InSuccesses          = 0
InSPViolations       = 0
InNotEnoughMemories  = 0
InAHESPReplays       = 0
InAHFailures         = 0
InESPFailures        = 0
OutSuccesses         = 0
OutSPViolations      = 0
OutNotEnoughMemories = 0
generalError         = 0

Switch:1>show ipsec statistics vlan 1

================================================================================
                               Ipsec  Vlan  Stats
================================================================================
Ifindex              = 2049
InSuccesses          = 0
InSPViolations       = 0
InNotEnoughMemories  = 0
InAHESPReplays       = 0
InAHFailures         = 0
InESPFailures        = 0
OutSuccesses         = 0
OutSPViolations      = 0
OutNotEnoughMemories = 0
generalError         = 0

View IPSec statistics for a loopback interface:

Switch:1>show ipsec statistics loopback 1

================================================================================
                             Ipsec  LoopBack  Stats
================================================================================
Ifindex              = 1344
InSuccesses          = 0
InSPViolations       = 0
InNotEnoughMemories  = 0
InAHESPReplays       = 0
InESPReplays         = 0
InAHFailures         = 0
InESPFailures        = 0
OutSuccesses         = 0
OutSPViolations      = 0
OutNotEnoughMemories = 0
generalError         = 0

Switch:1>show ipsec statistics mgmtethernet mgmt

================================================================================
                              Ipsec  Port  Stats
================================================================================
Ifindex              = 64
InSuccesses          = 0
InSPViolations       = 0
InNotEnoughMemories  = 0
InAHESPReplays       = 0
InESPReplays         = 0
InAHFailures         = 0
InESPFailures        = 0
OutSuccesses         = 0
OutSPViolations      = 0
OutNotEnoughMemories = 0
generalError         = 0

Switch:1>show ipsec statistics mgmtethernet mgmt2

================================================================================
                              Ipsec  Port  Stats
================================================================================
Ifindex              = 128
InSuccesses          = 0
InSPViolations       = 0
InNotEnoughMemories  = 0
InAHESPReplays       = 0
InESPReplays         = 0
InAHFailures         = 0
InESPFailures        = 0
OutSuccesses         = 0
OutSPViolations      = 0
OutNotEnoughMemories = 0
generalError         = 0

Variable Definitions

Use the data in the following table to use the show ipsec statistics command.

Variable

Value

{slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.

loopback <1–256>

Identifies the loopback interface.

mgmtethernet <mgmt | mgmt2>

Identifies the interface as the management interface.

Note: Exception: only supported on VSP 8600 Series.

system

Shows statistics for the entire system.

vlan <1-4059>

Specifies the VLAN.

Job Aid

The following table describes the fields in the output for the show ipsec statistics system command.

Parameter

Description

InSuccesses

Specifies the number of ingress packets IPsec successfully carries.

InSPViolations

Specifies the number of ingress packets IPsec discards since boot time because of a security policy violation.

InNotEnoughMemories

Specifies the number of ingress packets IPsec discards since boot time because not enough memory is available.

InAHESPReplays

Specifies the number of ingress packets IPsec discards since boot time because the encapsulating security payload (ESP) replay check fails.

InAHFailures

Specifies the number of ingress packets IPsec discards since boot time because the AH authentication check fails.

InESPFailures

Specifies the number of ingress packets IPsec discards since boot time because the ESP authentication check fails.

OutSuccesses

Specifies the number of egress packets IPsec successfully carries since boot time.

OutSPViolations

Specifies the number of egress packets IPsec discards since boot time because a security policy violation occurs.

OutNotEnoughMemories

Specifies the number of egress packets IPsec discards since boot time because not enough memory is available.

generalError

Specifies a general error.

InAHSuccesses

Specifies the number of ingress packets IPsec carries because the AH authentication succeeds.

InESPSuccesses

Specifies the number of ingress packets IPsec carries since boot time because the ESP authentication succeeds.

OutAHSuccesses

Specifies the number of egress packets IPsec successfully carries since boot time.

OutESPSuccesses

Specifies the number of egress packets IPsec successfully carries since boot time.

OutKBytes

Specifies the total number of kilobytes on egress.

OutBytes

Specifies the total number of bytes on egress.

InKBytes

Specifies the total number of kilobytes on ingress.

InBytes

Specifies the total number of bytes on ingress.

TotalPacketsProcessed

Specifies the total number of packets processed.

TotalPacketsByPassed

Specifies the total number of packets bypassed.

OutAHFailures

Specifies the number of egress packets IPsec discards since boot time because the AH authentication check fails.

OutESPFailures

Specifies the number of egress packets IPsec discards since boot time because the ESP authentication check fails.

InMD5Hmacs

Specifies the number of inbound HMAC MD5 occurrences since boot time.

InSHA1Hmacs

Specifies the number of inbound HMAC SHA1 occurrences since boot time.

InAESXCBCs

Specifies the number of inbound AES XCBC MAC occurrences since boot time.

InAnyNullAuth

Specifies the number of inbound null authentication occurrences since boot time.

In3DESCBCs

Specifies the number of inbound 3DES CBC occurrences since boot time.

InAESCBCs

Specifies the number of inbound AES CBC occurrences since boot time.

InAESCTRs

Specifies the number of inbound AES CTR occurrences since boot time.

InAnyNullEncrypt

Specifies the number of inbound null occurrences since boot time. Used for debugging purposes.

OutMD5Hmacs

Specifies the number of outbound HMAC MD5 occurrences since boot time.

OutSHA1Hmacs

Specifies the number of outbound HMAC SHA1 occurrences since boot time.

OutAESXCBCs

Specifies the number of outbound AES XCBC MAC occurrences since boot time.

OutInAnyNullAuth

Specifies the number of outbound null authentication occurrences since boot time.

Out3DESCBCs

Specifies the number of outbound 3DES CBC occurrences since boot time.

OutAESCBCs

Specifies the number of outbound AES CBC occurrences since boot time.

OutAESCTRs

Specifies the number of outbound AES CTR occurrences since boot time.

OutInAnyNullEncrypt

Specifies the number of outbound null occurrences since boot time. Used for debugging purposes.

The following table describes the fields in the output for the show ipsec statistics gigabitethernet {slot/port[-slot/port][,...]} and show ipsec statistics loopback <1–256> commands.

Parameter

Description

Ifindex

Specifies the interface.

InSuccesses

Specifies the number of ingress packets IPsec successfully carries.

InSPViolations

Specifies the number of ingress packets IPsec discards since boot time because of a security policy violation.

InNotEnoughMemories

Specifies the number of ingress packets IPsec discards since boot time because not enough memory is available.

InAHESPReplays

Specifies the number of ingress packets IPsec discards since boot time because the encapsulating security payload (ESP) replay check fails.

InAHFailures

Specifies the number of ingress packets IPsec discards since boot time because the AH authentication check fails.

InESPFailures

Specifies the number of ingress packets IPsec discards since boot time because the ESP authentication check fails.

OutSuccesses

Specifies the number of egress packets IPsec successfully carries since boot time.

OutSPViolations

Specifies the number of egress packets IPsec discards since boot time because a security policy violation occurs.

OutNotEnoughMemories

Specifies the number of egress packets IPsec discards since boot time because not enough memory is available.

generalError

Specifies a general error.

The following table describes the fields in the output for the show ipsec statistics vlan <1–4059> command.

Parameter

Description

Ifindex

Specifies the interface.

InSuccesses

Specifies the number of ingress packets IPsec successfully carries.

InSPViolations

Specifies the number of ingress packets IPsec discards since boot time because of a security policy violation.

InNotEnoughMemories

Specifies the number of ingress packets IPsec discards since boot time because not enough memory is available.

InAHESPReplays

Specifies the number of ingress packets IPsec discards since boot time because the encapsulating security payload (ESP) replay check fails.

InAHFailures

Specifies the number of ingress packets IPsec discards since boot time because the AH authentication check fails.

InESPFailures

Specifies the number of ingress packets IPsec discards since boot time because the ESP authentication check fails.

OutSuccesses

Specifies the number of egress packets IPsec successfully carries since boot time.

OutSPViolations

Specifies the number of egress packets IPsec discards since boot time because a security policy violation occurs.

OutNotEnoughMemories

Specifies the number of egress packets IPsec discards since boot time because not enough memory is available.

generalError

Specifies a general error.

The following table describes the fields in the output for the show ipsec statistics mgmtethernet command.

Note

This command only applies to VSP 8600 Series.

Parameter

Description

Ifindex

Specifies the interface.

InSuccesses

Specifies the number of ingress packets IPsec successfully carries.

InSPViolations

Specifies the number of ingress packets IPsec discards since boot time because of a security policy violation.

InNotEnoughMemories

Specifies the number of ingress packets IPsec discards since boot time because not enough memory is available.

InAHESPReplays

Specifies the number of ingress packets IPsec discards since boot time because the AH replay check fails.

InESPReplays

Specifies the total number of ingress packets IPsec discards since boot time because the encapsulating security payload (ESP) replay check fails.

InAHFailures

Specifies the number of ingress packets IPsec discards since boot time because the AH authentication check fails.

InESPFailures

Specifies the number of ingress packets IPsec discards since boot time because the ESP authentication check fails.

OutSuccesses

Specifies the number of egress packets IPsec successfully carries since boot time.

OutSPViolations

Specifies the number of egress packets IPsec discards since boot time because a security policy violation occurs.

OutNotEnoughMemories

Specifies the number of egress packets IPsec discards since boot time because not enough memory is available.

generalError

Specifies a general error.
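
Because the counters above are cumulative since boot, a single reading says little; the change between two captures is what shows replay drops, authentication failures or null transforms in use. The following Python sketch is an added example, not part of the product documentation: it parses saved show ipsec statistics output and reports growth in the discard and null counters named in the Job Aid tables. The function names, the grouping of fields into sets, and the sample captures are assumptions made for illustration.

```python
import re

# Fields the Job Aid tables describe as discards or failed checks.
DROP_COUNTERS = {
    "InSPViolations", "OutSPViolations", "InAHESPReplays", "InESPReplays",
    "InAHFailures", "InESPFailures", "OutAHFailures", "OutESPFailures",
    "InNotEnoughMemories", "OutNotEnoughMemories", "generalError",
}
# Fields that count null authentication or null encryption.
NULL_COUNTERS = {"InAnyNullAuth", "InAnyNullEncrypt",
                 "OutInAnyNullAuth", "OutInAnyNullEncrypt"}
FIELD = re.compile(r"^\s*(\w+)\s*=\s*(\d+)\s*$")

def parse_stats(text):
    """Return {field: int} from one 'show ipsec statistics ...' capture."""
    stats = {}
    for line in text.splitlines():
        m = FIELD.match(line)  # banners, prompts and --More-- do not match
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats

def compare(before, after):
    """Return (findings, reset) for two captures of the same command."""
    old, new = parse_stats(before), parse_stats(after)
    counters = [k for k in sorted(new) if k != "Ifindex"]
    # Cumulative since boot: a decrease means a reboot or 'clear ipsec stats all'.
    reset = any(new[k] < old.get(k, 0) for k in counters)
    findings = []
    for name in counters:
        delta = new[name] if reset else new[name] - old.get(name, 0)
        kind = ("drop" if name in DROP_COUNTERS
                else "null-transform" if name in NULL_COUNTERS else None)
        if kind and delta > 0:
            findings.append((name, delta, kind))
    return findings, reset

# Constructed sample captures in the page's output layout (not real device data).
TEMPLATE = """Switch:1>show ipsec statistics gigabitethernet 1/13
================================================================================
Ifindex              = 204
InSuccesses          = {ok}
InAHESPReplays       = {replay}
InESPFailures        = {espfail}
--More-- (q = quit)
"""
BEFORE = TEMPLATE.format(ok=1200, replay=3, espfail=0)
AFTER = TEMPLATE.format(ok=1850, replay=45, espfail=7)
AFTER_CLEAR = TEMPLATE.format(ok=10, replay=1, espfail=0)
```

When a counter is lower in the second capture, the function treats the counters as reset and reports the new absolute values instead of a negative difference.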