
show ipsec policy counter

In document Chapter 49 IP Security (IPsec) (Page 140-144)

Syntax SHow IPSec POLIcy[=name] COUnter

Description This command displays the counters for IPsec policies (Figure 49-18, Table 49-14).

The policy parameter specifies the name of an existing policy. When name is specified, counters for the specified policy are displayed. The policy name must already exist. Name is a string 1 to 23 characters long. Valid characters are any printable character. If name contains spaces, it must be in double quotes.

When name is not specified, counters for all policies are displayed.

Figure 49-18: Example output from the show ipsec policy counter command

Setup/Remove Counters:

Table 49-14: Parameters in output of the show ipsec policy counter command

Parameter Meaning

Setup/Remove Counters Counters for creating and destroying SA bundles.

setupStarted Number of attempts to set up an SA bundle.

setupSaSetupStarted Number of attempts to set up an SA.

setupDone Number of successful attempts to set up an SA bundle.

removeStarted Number of attempts to remove an SA bundle.

removeDone Number of SA bundles completely removed.

IP Security (IPsec) show ipsec policy counter 49-141

setupSaSetupFailImm Number of attempts to set up an SA that failed immediately.

setupSaSetupFailed Number of failed attempts to set up an SA.

setupFailed Number of failed attempts to set up an SA bundle.

removeSaSetupStarted Number of attempts to remove an SA.

Outbound Packet Processing Counters

Counters for processing outbound SA bundles.

outDeny Number of outbound packets that matched an IPsec policy with deny action.

outNoBundle Number of outbound packets that matched an IPsec policy with no bundles.

outMakeSetupStrctFail Number of attempts to set up an SA bundle for an outbound packet that failed because the setup structure failed.

outBundleSoftExpire Number of times an outbound packet caused the soft expiry kilobyte limit of an SA bundle to be reached.

outProcessStart Number of times IPsec processing started on an outbound packet.

outBundleStateBad Number of outbound packets that matched an IPsec policy with no valid bundles.

outProcessDone Number of times IPsec processing finished successfully on an outbound packet.

outNoBundleSqos Number of outbound packets discarded because the bundle was not found after SQoS processed the packet, and IPsec was unable to process the packet using another bundle. This can indicate that IPsec has removed a bundle suddenly, such as when the bundle reaches its expirykbytes limit.

outPermit Number of outbound packets that matched an IPsec policy with PERMIT action.

outNoBundleFail Number of outbound packets failed by IPsec because they matched an IPsec policy with no bundles.

outSetupBundleFail Number of failed attempts to set up an SA bundle for an outbound packet.

outBundleExpire Number of times an outbound packet caused the expiry kilobyte limit of an SA bundle to be reached.

outProcessFailImm Number of times IPsec processing failed immediately on an outbound packet.

outProcessFail Number of times IPsec processing failed on an outbound packet.

outBundleNotFound Number of outbound packets where the bundle was not found after SQoS processed the packet. This can indicate that IPsec has removed a bundle suddenly, such as when the bundle reaches its expirykbytes limit.

Inbound Packet Processing Counters

Counters for processing inbound SA bundles.


49-142 show ipsec policy counter AlliedWare OS Software Reference

Examples To display the counters for a policy with the name "my_vpn", use the command:

show ipsec policy="my_vpn" counter

inCompUncompressed Number of uncompressed inbound packets seen on an IPComp SA.

inBundleStateBad Number of inbound packets that matched an IPsec policy with no valid bundles.

inProcessStart Number of times IPsec processing started on an inbound packet.

inProcessFail Number of times IPsec processing failed on an inbound packet.

inEndOfBundle Number of inbound packets the SA bundle did not completely process.

inBundleSaMatchFail Number of inbound packets that did not match an SA in the chosen SA bundle.

inPolSelectMatchFail Number of inbound packets that did not match the selectors of the IPsec policy by which it was processed.

inBundleSoftExpire Number of times an inbound packet caused the soft expiry kilobyte limit of an SA bundle to be reached.

inBadDecryptedPkt Number of times a decrypted inbound packet had an invalid IP version, i.e. neither IPv4 nor IPv6. This indicates that the packet was not decrypted correctly.

inPermit Number of inbound packets that matched an IPsec policy with PERMIT action.

inActionIpsecFail Number of plaintext inbound packets that matched an IPsec policy with IPSEC action.

inNotFirstSaInBundle Number of inbound packets that matched an SA that was not the first SA in a bundle.

inProcessFailImm Number of times IPsec processing failed immediately on an inbound packet.

inProcessDone Number of times IPsec processing finished successfully on an inbound packet.

inPrematureEndBundle Number of inbound packets completely processed before all the SAs in the chosen SA bundle were used.

inPolicyActionFail Number of inbound IPsec packets seen that did not match an IPsec policy.

inBundleReplaced Number of inbound packets that removed an obsolete SA bundle.

inBundleExpire Number of times an inbound packet caused the soft expiry kilobyte limit of an SA bundle to be reached.

inBadSpiResponse Number of bad SPI requests generated. These occur when an IPsec policy has the parameter respondbadspi set to true and packets processed by that policy have an unknown SPI value.
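
Added example, not part of the AlliedWare reference: one way to use these counters for monitoring is to capture the command output twice and report which failure counters from Table 49-14 grew in between. The output layout (counter name followed by an integer, several pairs per line) and the sample captures are assumptions constructed for this example, since the figure's output is not reproduced on this page.

```python
import re

# Counters that Table 49-14 describes as failures or anomalies. Which ones
# to watch is this example's choice, not a vendor recommendation.
WATCH = {
    "setupFailed": "SA bundle setup failed",
    "outProcessFail": "outbound IPsec processing failed",
    "inProcessFail": "inbound IPsec processing failed",
    "inBadDecryptedPkt": "decrypted packet was neither IPv4 nor IPv6",
    "inBadSpiResponse": "unknown SPI on a respondbadspi policy",
    "inPolSelectMatchFail": "packet did not match the policy selectors",
    "inActionIpsecFail": "plaintext packet matched an IPSEC-action policy",
    "inPolicyActionFail": "IPsec packet matched no IPsec policy",
}

# Assumed layout: counter name, whitespace, unsigned integer; any number of
# such pairs per line. Section headings carry no integer and are skipped.
PAIR = re.compile(r"\b([A-Za-z]+)\s+(\d+)\b")

# Constructed captures (not real device output), taken some minutes apart.
SAMPLE_T0 = """\
Setup/Remove Counters:
  setupStarted          4    setupFailed            0
Inbound Packet Processing Counters:
  inProcessStart     1200    inProcessDone       1200
  inProcessFail         0    inBadDecryptedPkt      0
  inBadSpiResponse      0    inPolSelectMatchFail   0
"""
SAMPLE_T1 = """\
Inbound Packet Processing Counters:
  inProcessStart     1500    inProcessDone       1460
  inProcessFail        40    inBadDecryptedPkt     37
  inBadSpiResponse      3    inPolSelectMatchFail   0
"""

def parse_counters(text):
    """Return {counter_name: value} from captured command output."""
    return {name: int(value) for name, value in PAIR.findall(text)}

def changed_failures(before, after):
    """Return [(name, increase, meaning)] for watched counters that grew."""
    hits = []
    for name, meaning in WATCH.items():
        old, new = before.get(name, 0), after.get(name, 0)
        # A value lower than before means the counters were reset in between
        # (reset ipsec policy counter), so everything counted since is new.
        increase = new if new < old else new - old
        if increase > 0:
            hits.append((name, increase, meaning))
    return sorted(hits, key=lambda hit: -hit[1])
```

A burst of inBadDecryptedPkt alongside inProcessFail, as in the constructed captures, points at packets that did not decrypt correctly, which is the condition the table entry for inBadDecryptedPkt describes.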


Related Commands

create ipsec policy

reset ipsec policy counter

destroy ipsec policy

set ipsec policy
