41.4. IPSEC and IKE diagnostics and statistics

41.4.1. IPSEC diagnostics

To display the diagnostics of the IPSEC resource the following commands are used:

d d ipsec / d de ipsec

Shows the IPSEC resource diagnostics (the state of the resource, the working mode, the inbound policy check flag, the inbound security policies, etc.) and the IPSEC Security Associations diagnostics (the number of bundle of Security Association record, the state of Security Association record, etc.).

[11:42:10] ABILIS_CPX:d d ipsec

RES:IpSec ---------------------------------------------------------------------
       IP_Security_Protocol
       STATE:ACTIVE         MODE:IKE         IN-CHK:YES
       POLICY-IN :1         SA-IN :1         SA-BND-IN :1
       POLICY-OUT:1         SA-OUT:1         SA-BND-OUT:1
       - Security Associations diagnostics: -----------------------------------
       SA  Bundle State   SPI      SrcIp           Auth     SoftTime
           Prot   Tunnel           DstIp           Cipher   HardTime
       ------------------------------------------------------------------------
       0   0      MATURE  C4DCB36E 192.168.006.002 MD5      INFINITE
           ESP    YES              192.168.006.001 3DES     INFINITE
       ------------------------------------------------------------------------
       1   1      MATURE  1969FC22 192.168.006.001 MD5      INFINITE
           ESP    YES              192.168.006.002 3DES     INFINITE
       ------------------------------------------------------------------------

41.4.2. Statistics of the IPSEC resource

To display the statistics of the IPSEC resource the following commands are used:

d s ipsec

Shows the IPSEC resource statistics such as the total number of IP frames received/sent by IPSEC resource from/to the IP, the total number of characters received/sent by the IPSEC port from/to the IP, the total number of bypassed incoming/outgoing IKE packets, etc.

d se ipsec

Shows the IPSEC resource statistics and the IPsec Security Associations statistics (the total number of incoming/outgoing characters processed by Security Association, the total number of incoming/outgoing IP frames processed by Security Association, etc.).

[11:42:10] ABILIS_CPX:d s ipsec

RES:IpSec ---------------------------------------------------------------------
       IP_Security_Protocol                                                    
       --- Cleared 2 days 19:33:50 ago, on 05/06/2015 at 14:04:00 -------------
       -----------|---INPUT---|--OUTPUT---|-----------|---INPUT---|--OUTPUT---|
       FRM        |     262693|     264196|CHR        |   10964752|   14449533|
       FRM-OK     |          0|          0|CHR-OK     |          0|          0|
       FRM-DROP   |          0|          0|CHR-DROP   |          0|          0|
       FRM-BYPASS |     262693|     264196|CHR-BYPASS |   10964752|   14449533|
       ------------------------------------------------------------------------
       FRM-IKE    |          0|          0|NATT-KA    |          0|          0|
       NO-POLICY  |          0|     264196|LONG       |          0|          0|
       BAD-SA     |          0|          0|NO-SA      |          0|          0|
       BAD-FMT    |          0|          0|AUTH-FAIL  |          0|           |
       BAD-CBLK   |          0|           |BAD-CHK    |          0|           |
       REP-CHK    |          0|          0|BAD-ECN    |          0|           |
       ------------------------------------------------------------------------
[11:42:10] ABILIS_CPX:d se ipsec

RES:IpSec ---------------------------------------------------------------------
       IP_Security_Protocol                                                    
       --- Cleared 2 days 19:33:50 ago, on 05/06/2015 at 14:04:00 -------------
       -----------|---INPUT---|--OUTPUT---|-----------|---INPUT---|--OUTPUT---|
       FRM        |     262693|     264196|CHR        |   10964752|   14449533|
       FRM-OK     |          0|          0|CHR-OK     |          0|          0|
       FRM-DROP   |          0|          0|CHR-DROP   |          0|          0|
       FRM-BYPASS |     262693|     264196|CHR-BYPASS |   10964752|   14449533|
       ------------------------------------------------------------------------
       FRM-IKE    |          0|          0|NATT-KA    |          0|          0|
       NO-POLICY  |          0|     264196|LONG       |          0|          0|
       BAD-SA     |          0|          0|NO-SA      |          0|          0|
       BAD-FMT    |          0|          0|AUTH-FAIL  |          0|           |
       BAD-CBLK   |          0|           |BAD-CHK    |          0|           |
       REP-CHK    |          0|          0|BAD-ECN    |          0|           |
       ------------------------------------------------------------------------
       - Security Associations statistics: ------------------------------------
       SA:3      CHR:0           AUTH-FAIL:0            BAD-CBLK:0
                 FRM:0           REPLAY-CHK:0           BAD-ECN:0
       ------------------------------------------------------------------------
       SA:2      CHR:560         AUTH-FAIL:0            BAD-CBLK:0
                 FRM:2           REPLAY-CHK:0           BAD-ECN:0
       ------------------------------------------------------------------------

41.4.3. IKE diagnostics

To display the diagnostics of the IKE resource the following commands are used:

d d ike / d de ike

Shows diagnostic information such as the current state of the IKE resource and the IPSEC resource, the current number of ISAKMP and IPSEC Security Associations, the local and remote IP address-port, etc.

[11:42:10] ABILIS_CPX:d d ike

RES:Ike -----------------------------------------------------------------------
       Internet_Keys_Exchange_Protocol
       IKE-STATE:ACTIVE      IPSEC-STATE:ACTIVE
       CUR-MAX-HOSTS:16   CUR-HOSTS:2
       ISAKMP-SA:0    ISAKMP-SA-EST:0    IPSEC-SA:0    IPSEC-SA-EST:0
       - Security Associations diagnostics: -----------------------------------
       SerialNo   Name                                     Type     Side
                  LocIp-LocPort         LocNet/LocMask     State    ReplaceTime
                  RemIp-RemPort         RemNet/RemMask     Pending  ExpiryTime
       ------------------------------------------------------------------------
       1                                                   IPsec    RESPONDER
                  192.168.006.001/500   192.168.006.001/32 QUICK-R2 3422
                  192.168.006.002/500   192.168.006.002/32 0        3542
       ------------------------------------------------------------------------
       2                                                   ISAKMP   RESPONDER
                  192.168.006.001/500   000.000.000.000/00 MAIN-R3  3420
                  192.168.006.002/500   000.000.000.000/00 0        3540
       ------------------------------------------------------------------------

41.4.4. Statistics of the IKE resource

To display the statistics of the IKE resource the following commands are used:

d s ike / d se ike

Shows statistic information such as the total number of characters received/sent by IKE resource from/to UDP, the total number of UDP datagrams received/sent by IKE port from/to UDP, the total number of lost incoming UDP datagrams because buffer is full, etc.

[11:42:10] ABILIS_CPX:d se ike

RES:Ike -----------------------------------------------------------------------
       Internet_Keys_Exchange_Protocol                                         
       --- Cleared 2 days 19:35:56 ago, on 05/06/2015 at 14:04:00 -------------
       -----------|---INPUT---|--OUTPUT---|-----------|---INPUT---|--OUTPUT---|
       CHR        |          0|          0|LONG       |          0|          0|
       FRM        |          0|          0|BAD-FMT    |          0|           |
       FRM-LOST   |          0|           |DUPLICATED |          0|           |
       ------------------------------------------------------------------------
       -----------|--ISAKMP---|---IPSEC---|
       SA-R       |          0|          0|
       SA-I       |          0|          0|
       SA-EST-R   |          0|          0|
       SA-EST-I   |          0|          0|
       AUTH-FAIL  |          0|          0|
       NO-PROP    |          0|          0|
       ------------------------------------------------------------------------