Allied Telesis RAPIER I User Manual

Enhancements to IPsec/VPN

Release Note

Software Version 2.8.1
C613-10477-00 REV B

Table 49: Modified parameters in output of the show isakmp counter=general command

Parameter               Meaning

badSpiRequests          The number of bad SPI requests that IPsec generated and
                        sent to ISAKMP. These occur when an IPsec policy has the
                        parameter respondbadspi set to true and packets
                        processed by that policy have an unknown SPI value. If
                        ISAKMP accepts the request, it establishes a new ISAKMP
                        SA to the sending peer, then sends an initial contact
                        notification message.

badSpiFromKnownPeer     The number of bad SPI response requests rejected because
                        an ISAKMP SA for the sending peer already existed. This
                        ensures that an established tunnel is not destroyed.

badSpiInAggrMode        The number of bad SPI requests rejected because the
                        ISAKMP policy is configured to use aggressive mode for
                        phase 1 exchanges. Bad SPI requests can only generate
                        notification messages when the policy specifies main mode
                        for phase 1 exchanges.

badSpiSendNotifyUnset   The number of bad SPI requests rejected because the
                        ISAKMP policy was not configured to send notification
                        messages.

retryIkeAttemptsPh1     The number of phase 1 exchanges initiated due to an
                        exchange failing. These exchanges are only initiated for
                        policies configured with retryikeattempts.

retryIkeAttemptsPh2     The number of phase 2 exchanges initiated due to an
                        exchange failing. These exchanges are only initiated for
                        policies configured with retryikeattempts.

Figure 59: Example output from the show isakmp counter=spd command

ISAKMP Policy Counters

  getPolicyGood            0    getPolicyFailed            1
  deletePolicyGood         0    deletePolicyFailed         0
  addPolicyGood            0    addPolicyFailed            0
  getPolicyByPeerGood      0    getPolicyByPeerFailed      0
  usePolIkeRetryGood       0    usePolIkeRetryFailed       0

Table 50: Modified parameters in output of the show isakmp counter=spd command

Parameter               Meaning

usePolIkeRetryGood      The number of times IKE exchange retry was used by a
                        policy to retry a failed IKE exchange.

usePolIkeRetryFailed    The number of times IKE exchange retry could not be used
                        for a policy, because the policy had exceeded its retry
                        limits. The retry limits are set using the
                        retryikeattempts parameter.
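
The following is an added example, not part of the release note: a Python sketch that parses the counter layout shown in Figure 59 and reports which Failed counters grew between two captures, for instance usePolIkeRetryFailed rising when a policy has exceeded its retry limits. The second capture is constructed sample data, and treating every counter whose name ends in "Failed" as worth reporting is an assumption of this example.

```python
import re

# "name value" pairs, two per line, as laid out in Figure 59.
PAIR = re.compile(r"([A-Za-z][A-Za-z0-9]*)\s+(\d+)")

def parse_counters(text):
    """Return {counter_name: int} from show isakmp counter=spd output."""
    counters = {}
    for line in text.splitlines():
        # The "ISAKMP Policy Counters" heading has no digits, so it yields no pairs.
        for name, value in PAIR.findall(line):
            counters[name] = int(value)
    return counters

def failed_deltas(before, after):
    """Return {name: increase} for each *Failed counter that grew."""
    grown = {}
    for name, new in after.items():
        if not name.endswith("Failed"):   # assumption: only failures are reported
            continue
        old = before.get(name, 0)
        # A value lower than the earlier one means the counters restarted
        # (for example after a reboot), so the whole new value is the increase.
        delta = new - old if new >= old else new
        if delta > 0:
            grown[name] = delta
    return grown

# Values from Figure 59.
FIRST = """ISAKMP Policy Counters
getPolicyGood 0 getPolicyFailed 1
deletePolicyGood 0 deletePolicyFailed 0
addPolicyGood 0 addPolicyFailed 0
getPolicyByPeerGood 0 getPolicyByPeerFailed 0
usePolIkeRetryGood 0 usePolIkeRetryFailed 0
"""

# Constructed later capture: retries were used 3 times and refused twice.
SECOND = FIRST.replace("usePolIkeRetryGood 0 usePolIkeRetryFailed 0",
                       "usePolIkeRetryGood 3 usePolIkeRetryFailed 2")

if __name__ == "__main__":
    for name, inc in failed_deltas(parse_counters(FIRST),
                                   parse_counters(SECOND)).items():
        print(f"{name} increased by {inc}")
```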
