This chapter discusses the statistics used to monitor the VPN activity on the BANDIT products.

Transcription

1 encor! enetworks TM Version A.1, January Encore Networks, Inc. All rights reserved. VPN s This chapter discusses the statistics used to monitor the VPN activity on the BANDIT products. 1 On the Main Menu, select s. The s menu is displayed. 2 On the s menu, select VPN s. The IPsec statistics are displayed. The screen displays the Global IKE Counters and the Global IPSec Counters Global IKE Counters = 5 = 4 = 0tx_errors = 0 Global IPSec Counters = 4 = 4 = 0tx_errors = 0 rx_sw_errs = 0tx_sw_errs = 0 rx_inv_proto = 0tx_inv_proto = 0 rx_esp_inv_len = 0tx_tdb_errs = 0 rx_ah_inv_len = 0tx_no_tunnel = 0 rx_unknown_sa = 0tx_tunnel_inits = 0 rx_auth_fails = 0 Number of Tunnels UP = 1 Press 'R'-Refresh,'C'-Clear,'Z'-Clear All,'ESC'-Exit, Any other-next Page 3 After you have reviewed these statistics, press Enter. The screen displays the Tunnel Connection s. Note: If no tunnel is up, no Tunnel Connection s appear. Note: If the tunnel is being established but has not yet been fully established, you will see information similar to the following. For information on trademarks, safety, limitations of liability, and similar topics, see Notices. Home Module: s Document 13

2 Page 2 s, Document 13 Tunnel Connection s: "Remote": /24=== [bandit] === /24 Phase1 State: STATE_AGGR_I1 (sent AI1, expecting AR1) Phase2 State: N/A (Still in Phase1 or in Transition) Last Rx Notification: IKE Counters: = 0 tx_packtes = 3 = 0 tx_errors = 0 Press 'R'to refresh, 'C' to Clear 'ESC' to exit, Any other to Continue... Note: When the tunnel has been fully established and is passing information (even if only pings), you will see information similar to the following. Tunnel Connection s: profile 1 : /24=== === /24 Phase1 State: STATE_MAIN_R3 (sent MR3, ISAKMP SA established) Phase2 State: STATE_QUICK_R2 (IPsec SA established) IPSec SA: esp.97018df7@ esp.2aa8237e@ IPSec Counters: = 4tx_packtes = 4 = 0tx_errors = 0 rx_alg_errs = 0tx_alg_errs = 0 rx_encsize_errs = 0tx_encsize_errs = 0 rx_encpad_errs = 0tx_encpad_errs = 0 rx_replay_errs = 0tx_replay_errs = 0 IKE Counters: = 4tx_packtes = 4 = 0tx_errors = 0 Press R to refresh, C to Clear ESC to exit, Any other to Continue... 4 After you have reviewed the Tunnel Connection s, do one of the following: a If you wish to refresh the statistics, press r. The system re-displays the Tunnel Connection s, with updated values. Repeat Step 4. b If you wish to reset this page s statistical counters to 0 (zero), press c. The counters for the statistics on this page reset. The system displays the Tunnel Connection s, with values accumulated since the reset. Repeat Step 4. c If you have finished reviewing VPN statistics, press Escape. The s menu is displayed.

3 VPN s Page 3 d If you wish to continue viewing VPN statistics, press any other key. The system displays the Global IKE Counters and the Global IPSec Counters, with updated values. Return to Step 3. Table VPN s (Sheet 1 of 4) Global IKE Counters with errors

4 Page 4 s, Document 13 Table VPN s (Sheet 2 of 4) Global IPSec Counters rx_sw_errs rx_inv_proto rx_esp_inv_len rx_ah_inv_len rx_unknown_sa rx_auth_fails with errors with no data, no authentication, or failed authentication with invalid protocol (neither AH nor ESP) with invalid ESP length with invalid AH length with unknown security association with failed authentication tx_sw_errs tx_inv_proto tx_tdb_errs tx_no_tunnel tx_tunnel_inits Number of tunnels UP Number of Transmit packets found with no data, no authentication, or failed authentication 1 Number of Transmit packets found with invalid protocol (neither AH nor ESP) 1 Number of Transmit packets found with unsupported or invalid authentication or encapsulation algorithm (i.e., not one of the acceptable values: AH_MD5, AH_SHA, ESP_DES, or ESP_3DES) 1 Number of Transmit packets attempted when no connection was available Number of connection initiations (based on Phase 1 state of connection) Number of tunnels that have been successfully negotiated and established

5 VPN s Page 5 Table VPN s (Sheet 3 of 4) Tunnel Connection s profile name Phase1 State Phase2 State IPSec SA The profile (including IP addresses) used to establish the VPN connection The state of Phase 1 of the VPN tunnel The state of Phase 2 of the VPN tunnel Details of the IPsec security association [Tunnel] IPSec Counters rx_alg_errs rx_encsize_errs rx_encpad_errs with errors with invalid algorithm descriptor (neither ESP_3DES nor ESP_DES) with invalid encapsulation size Number of ESP packets received with invalid encapsulation padding (i.e., not on octet boundary; packet dropped) rx_replay_errs with replay errors 2 tx_alg_errs tx_encsize_errs tx_encpad_errs Number of Transmit packets found with invalid algorithm descriptor (neither ESP_3DES nor ESP_DES) 1 Number of Transmit packets found with invalid encapsulation size 1 Number of Transmit ESP packets found with invalid encapsulation padding (i.e., not on octet boundary; packet dropped) 1 tx_replay_errs Number of Transmit packets found with replay errors 1,2

6 Page 6 s, Document 13 Table VPN s (Sheet 4 of 4) [Tunnel] IKE Counters with errors 1. The BANDIT does not send packets found to contain errors. Packets with errors are dropped. 2. This feature is not currently used.