The following table describes the items in the list of main mode (IKE) statistics in IP Security Monitor.
Main Mode (IKE) Statistic | Description |
---|---|
Active Acquire | The number of pending requests to initiate an Internet Key Exchange (IKE) negotiation in order to establish a security association (SA) between IPSec peers. The Active Acquire statistic includes the outstanding request and the number of any queued requests. Under a heavy load, the number of active acquires is 1 plus the number of requests that are queued by IKE for processing. |
Active Receive | The number of IKE messages received that are queued for processing. |
Acquire Failures | The total number of outbound acquire requests that have failed since the IPSec service was last started. Acquires are requests to establish SAs between IPSec peers. |
Receive Failures | The total number of errors that have occurred during the process of receiving IKE messages since the IPSec service was last started. |
Send Failures | The total number of errors that have occurred during the process of sending IKE messages since the IPSec service was last started. The number of Send Failures typically increases for computers that establish SAs over temporary network connections, such as dial-up connections, virtual private network tunnels, and wireless connections. |
Acquire Heap Size | The number of entries in the acquire heap. The acquire heap stores successful acquires. Acquires are outbound requests to establish SAs between IPSec peers. |
Receive Heap Size | The number of entries in the IKE receive buffers. The receive buffers store incoming IKE messages. |
Authentication Failures | The total number of identity authentication (Kerberos, certificate, and preshared key) failures that have occurred during main mode negotiation since the IPSec service was last started. If you are having difficulty communicating securely, attempt the communication and determine whether the number of Authentication Failures increases. If it does, check your authentication settings for either an unmatched authentication method or an incorrect authentication method configuration (for example, the use of preshared keys that do not match). |
Negotiation Failures | The total number of negotiation failures that have occurred during main mode or quick mode negotiation since the IPSec service was last started. If you are having difficulty communicating securely, attempt the communication and determine whether the number of Negotiation Failures increases. If it does, check your authentication and security method settings for an unmatched authentication method, an incorrect authentication method configuration (for example, the use of preshared keys that do not match), or unmatched security methods or settings. |
Invalid Cookies Received | The total number of cookies that could not be matched with an active main mode SA since the IPSec service was last started. A cookie is a value contained in a received IKE message that is used to help identify the corresponding main mode SA. |
Total Acquire | The total number of requests that have been submitted to IKE since the IPSec service was last started to establish an SA. This number includes acquires that result in soft SAs. |
Total Get SPI | The total number of requests that have been submitted by IKE to the IPSec driver to obtain a unique Security Parameters Index (SPI) since the IPSec service was last started. The SPI matches inbound packets with SAs. |
Key Additions | The total number of outbound quick mode SAs that have been added by IKE to the IPSec driver since the IPSec service was last started. |
Key Updates | The total number of inbound quick mode SAs that have been added by IKE to the IPSec driver since the IPSec service was last started. |
Get SPI Failures | The total number of failed requests that have been submitted by IKE to the IPSec driver to obtain a unique SPI since the IPSec service was last started. |
Key Addition Failures | The total number of failed outbound quick mode SA addition requests that have been submitted by IKE to the IPSec driver since the IPSec service was last started. |
Key Update Failures | The total number of failed inbound quick mode SA addition requests that have been submitted by IKE to the IPSec driver since the IPSec service was last started. |
ISADB List Size | The number of main mode state entries. This number includes successfully negotiated main modes, main mode negotiations in progress, and main mode negotiations that failed or expired and have not yet been deleted. |
Connection List Size | The number of quick mode negotiations that are in progress. |
IKE Main Mode | The total number of successful SAs that have been created during main mode negotiations since the IPSec service was last started. |
IKE Quick Mode | The total number of successful SAs that have been created during quick mode negotiations since the IPSec service was last started. |
Soft Associations | The total number of SAs formed with computers that have not responded to main mode negotiation attempts since the IPSec service was last started. Although these computers did not respond to main mode negotiation attempts, IPSec policy allowed communications with the computers. Soft SAs are not secured by IPSec. |
Invalid Packets Received | The total number of invalid IKE messages that have been received since the IPSec service was last started. This number includes IKE messages with invalid header fields, incorrect payload lengths, and incorrect values for the responder cookie. Invalid IKE messages are commonly caused by retransmitted IKE messages or an unmatched preshared key between the IPSec peers. |
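
The before-and-after comparison that the Authentication Failures and Negotiation Failures rows describe can be scripted. The following is an added example, not part of the original documentation or of any Microsoft tool: it assumes the statistics were copied from IP Security Monitor into plain `Name: value` lines (a constructed format), and the function names `parse_snapshot` and `diagnose` are hypothetical.

```python
import re

# Counters the table ties to a specific check, with that check paraphrased.
HINTS = {
    "Authentication Failures": "unmatched or misconfigured authentication method (e.g. preshared keys differ)",
    "Negotiation Failures": "unmatched authentication method or security methods/settings",
    "Soft Associations": "peer did not answer main mode; policy allowed traffic not secured by IPSec",
    "Invalid Packets Received": "retransmitted IKE messages or unmatched preshared key",
}
# Cumulative ("since the IPSec service was last started") counters. Gauges such
# as Active Acquire or ISADB List Size are left out: they may drop normally.
CUMULATIVE = set(HINTS) | {"Total Acquire", "IKE Main Mode", "IKE Quick Mode",
                           "Acquire Failures", "Receive Failures", "Send Failures"}

def parse_snapshot(text):
    """Parse 'Statistic name: value' lines (assumed format) into a dict."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s*:\s*(\d+)\s*$", line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats

def diagnose(before_text, after_text):
    """Return (restarted, findings); findings are (name, delta, hint) tuples."""
    before, after = parse_snapshot(before_text), parse_snapshot(after_text)
    # A cumulative counter only decreases if the service restarted between
    # snapshots; the deltas are then meaningless, so report that instead.
    if any(after.get(n, 0) < before.get(n, 0) for n in CUMULATIVE):
        return True, []
    findings = [(n, after.get(n, 0) - before.get(n, 0), h) for n, h in HINTS.items()
                if after.get(n, 0) > before.get(n, 0)]
    return False, findings

# Constructed sample values, not taken from a real host.
BEFORE = """Active Acquire: 1
Authentication Failures: 3
Negotiation Failures: 5
Soft Associations: 0
IKE Main Mode: 41"""
AFTER = """Active Acquire: 0
Authentication Failures: 5
Negotiation Failures: 7
Soft Associations: 0
IKE Main Mode: 41"""

if __name__ == "__main__":
    restarted, findings = diagnose(BEFORE, AFTER)
    print("service restarted between snapshots" if restarted else findings)
```

Take the first snapshot, attempt the failing communication once, then take the second; a rise in Soft Associations is worth reviewing even when no failure counter moves, because that traffic is not secured by IPSec.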