IP Security Monitor statistics

IKE Statistics

The following table describes the items in the list of IKE statistics in the IP Security Monitor snap-in.

IKE Statistic | Description

Active Acquire

An acquire is a request by the IPSec driver to have IKE perform a task. The active acquire statistic includes the outstanding request and the number of any queued requests. Typically, the number of active acquires is 1. Under a heavy load, the number of active acquires is 1 plus the number of requests that are queued by IKE for processing.

Active Receive

The number of IKE messages received that are queued for processing.

Acquire Failures

The number of times that an acquire has failed.

Receive Failures

The number of times that the Windows Sockets WSARecvFrom() function has failed when receiving IKE messages.

Send Failures

The number of times that the Windows Sockets WSASendTo() function has failed when sending IKE messages.

Acquire Heap Size

The number of entries in the acquire heap, which stores active acquires. This number increases under a heavy load and then gradually decreases over time, as the acquire heap is cleared.

Receive Heap Size

The number of entries in the IKE receive buffers for incoming IKE messages.

Negotiation Failures

The total number of negotiation failures that occurred during main mode (also known as Phase I) or quick mode (also known as Phase II) negotiation. If you are having difficulty communicating securely, attempt the communication and determine whether the number of Negotiation Failures increases. If it does, check your authentication and security method settings for an unmatched authentication method, an incorrect authentication method configuration (for example, the use of preshared keys that do not match), or unmatched security methods or settings.

Authentication Failures

The total number of identity authentication failures (Kerberos, certificate, and preshared key) that occurred during main mode negotiation. If you are having difficulty communicating securely, attempt the communication and determine whether the number of Authentication Failures increases. If it does, check your authentication settings for either an unmatched authentication method or an incorrect authentication method configuration (for example, the use of preshared keys that do not match).

Invalid Cookies Received

A cookie is a value contained in a received IKE message that is used by IKE to find the state of an active main mode. A cookie in a received IKE message that cannot be matched with an active main mode is invalid.

Total Acquire

The total number of work requests submitted by IKE to the IPSec driver.

Total Get SPI

The total number of requests submitted by IKE to the IPSec driver to obtain a unique Security Parameters Index (SPI).

Key Additions

The number of outbound quick mode security associations (SAs) added by IKE to the IPSec driver.

Key Updates

The number of inbound quick mode SAs added by IKE to the IPSec driver.

Get SPI Failures

The number of requests submitted by IKE to the IPSec driver to obtain a unique SPI that failed.

Key Addition Failures

The number of outbound quick mode SA addition requests submitted by IKE to the IPSec driver that failed.

Key Update Failures

The number of inbound quick mode SA addition requests submitted by IKE to the IPSec driver that failed.

ISADB List Size

The number of main mode state entries, including negotiated main modes, main modes in progress, and main modes that failed and have not been deleted.

Connection List Size

The number of quick mode state entries.

Oakley Main Mode

The total number of successful SAs created during main mode negotiations.

Oakley Quick Mode

The total number of successful SAs created during quick mode negotiations. Because there are typically multiple quick mode SAs created for each main mode SA, this number does not necessarily match the main mode number.

Invalid Packets Received

The number of received IKE messages that are invalid, including IKE messages with invalid header fields, incorrect payload lengths, and incorrect values for the responder cookie (when it should be set to 0). Invalid IKE messages are commonly caused by stale retransmitted IKE messages or an unmatched preshared key between the IPSec peers.

Soft Associations

The total number of negotiations that resulted in the use of plaintext (also known as soft SAs). This typically reflects the number of associations formed with computers that did not respond to main mode negotiation attempts. This can include both non-IPSec-aware computers and IPSec-aware computers that do not have IPSec policy to negotiate security with this IPSec peer. Although soft SAs are not the result of main mode and quick mode negotiations, they are still treated as quick mode SAs.

IPSec Statistics

The following table describes the items in the list of IPSec statistics in the IP Security Monitor snap-in.

IPSec Statistic | Description

Active Security Associations

The number of active IPSec SAs.

Offloaded Security Associations

The number of active IPSec SAs offloaded to hardware.

Pending Key Operations

The number of IPSec key operations in progress.

Key Additions

The total number of successful IPSec SA negotiations.

Key Deletions

The number of key deletions for IPSec SAs.

Re-Keys

The number of rekey operations for IPSec SAs.

Active Tunnels

The number of active IPSec tunnels.

Bad SPI Packets

The total number of packets for which the Security Parameters Index (SPI) was incorrect. The SPI is used to match inbound packets with SAs. If the SPI is incorrect, it might mean that the inbound SA has expired and a packet using the old SPI has recently arrived. This number is likely to increase if rekey intervals are short and there are a large number of SAs. Since SAs expire under normal conditions, a bad SPI packet does not necessarily mean that IP security is failing.

Packets Not Decrypted

The total number of packets that failed decryption. This failure might indicate that a packet arrived for which the SA had expired. If the SA expires, the session key used to decrypt the packet is also deleted. This does not necessarily indicate that IP security is failing.

Packets Not Authenticated

The total number of packets for which data could not be verified. This failure is most likely caused by an expired SA.

Packets With Replay Detection

The total number of packets that contained a valid Sequence Number field.

Confidential Bytes Sent

The total number of bytes sent using the ESP protocol.

Confidential Bytes Received

The total number of bytes received using the ESP protocol.

Authenticated Bytes Sent

The total number of bytes sent using the AH protocol.

Authenticated Bytes Received

The total number of bytes received using the AH protocol.

Transport Bytes Sent

The total number of bytes sent using IPSec transport mode.

Transport Bytes Received

The total number of bytes received using IPSec transport mode.

Bytes Sent in Tunnels

The total number of bytes sent using IPSec tunnel mode.

Bytes Received in Tunnels

The total number of bytes received using IPSec tunnel mode.

Offloaded Bytes Sent

The total number of bytes sent using hardware offload.

Offloaded Bytes Received

The total number of bytes received using hardware offload.
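The descriptions above give a troubleshooting method: take the counters, attempt the communication, take them again, and interpret which counters moved (Negotiation Failures and Authentication Failures point at mismatched authentication or security methods; Invalid Packets Received at stale retransmissions or an unmatched preshared key; Soft Associations at peers that fell back to plaintext; Bad SPI Packets, Packets Not Decrypted and Packets Not Authenticated usually at expired SAs rather than a failure). The following Python script is an added example, not part of the Microsoft documentation, that applies those rules to two snapshots. The "Name : Value" text format and the counter values are constructed samples, not the snap-in's export format, and the rule that pairs a rising Bad SPI count with a rising Re-Keys count is this example's own heuristic derived from the Bad SPI Packets description.

```python
"""Triage helper for IKE and IPsec counters from IP Security Monitor.

Added example (not Microsoft's code). Takes two counter snapshots, one
before and one after a test connection attempt, computes the deltas and
applies the interpretation the statistic descriptions give for each one.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: counters captured before a test connection attempt.
BEFORE = """
Negotiation Failures         : 12
Authentication Failures      : 4
Invalid Packets Received     : 30
Soft Associations            : 2
Active Security Associations : 6
Re-Keys                      : 51
Bad SPI Packets              : 9
Packets Not Decrypted        : 3
Packets Not Authenticated    : 0
"""

# Constructed sample: the same counters after the attempt failed.
AFTER = """
Negotiation Failures         : 14
Authentication Failures      : 6
Invalid Packets Received     : 33
Soft Associations            : 2
Active Security Associations : 6
Re-Keys                      : 53
Bad SPI Packets              : 11
Packets Not Decrypted        : 3
Packets Not Authenticated    : 0
"""

# One "Name : Value" line; the name may contain spaces and hyphens (Re-Keys).
LINE = re.compile(r"^\s*(?P<name>[A-Za-z][A-Za-z \-]*?)\s*:\s*(?P<value>\d+)\s*$")


def parse_stats(text: str) -> Dict[str, int]:
    """Parse 'Name : Value' lines into a dict; non-matching lines are ignored."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            stats[m.group("name")] = int(m.group("value"))
    return stats


def deltas(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Per-counter increase between the two snapshots."""
    return {name: value - before.get(name, 0) for name, value in after.items()}


def triage(before: Dict[str, int], after: Dict[str, int]) -> List[Tuple[str, str]]:
    """Return (code, explanation) pairs, in a fixed order, for counters that rose."""
    d = deltas(before, after)
    findings: List[Tuple[str, str]] = []

    auth = d.get("Authentication Failures", 0)
    neg = d.get("Negotiation Failures", 0)
    if auth > 0:
        # Identity authentication failed during main mode.
        findings.append(("auth-mismatch",
                         f"Authentication Failures rose by {auth}: check for an unmatched "
                         "authentication method or preshared keys that do not match."))
    elif neg > 0:
        # Main mode or quick mode failed without an authentication failure.
        findings.append(("security-method-mismatch",
                         f"Negotiation Failures rose by {neg} with no authentication "
                         "failures: check for unmatched security methods or settings."))

    inv = d.get("Invalid Packets Received", 0)
    if inv > 0:
        findings.append(("invalid-packets",
                         f"Invalid Packets Received rose by {inv}: commonly stale "
                         "retransmitted IKE messages or an unmatched preshared key."))

    soft = d.get("Soft Associations", 0)
    if soft > 0:
        # Peers that did not answer main mode got a plaintext (soft) SA.
        findings.append(("plaintext-fallback",
                         f"Soft Associations rose by {soft}: traffic to a peer is flowing "
                         "in plaintext; check that the peer is IPSec-aware and has policy."))

    bad_spi = d.get("Bad SPI Packets", 0)
    if bad_spi > 0:
        if d.get("Re-Keys", 0) > 0:
            # Heuristic: rekeys explain packets arriving for an expired SA.
            findings.append(("bad-spi-rekey",
                             f"Bad SPI Packets rose by {bad_spi} alongside rekeys: "
                             "consistent with SA expiry, not by itself a failure."))
        else:
            findings.append(("bad-spi-unexplained",
                             f"Bad SPI Packets rose by {bad_spi} with no rekeys: review."))

    dropped = d.get("Packets Not Decrypted", 0) + d.get("Packets Not Authenticated", 0)
    if dropped > 0:
        findings.append(("expired-sa-drops",
                         f"{dropped} packets failed decryption or verification: most "
                         "likely an expired SA; not necessarily a failure."))
    return findings


if __name__ == "__main__":
    for code, text in triage(parse_stats(BEFORE), parse_stats(AFTER)):
        print(f"[{code}] {text}")
```

With the constructed snapshots the script reports an authentication mismatch (both failure counters rose), a rise in invalid IKE messages, and a Bad SPI increase that coincides with rekeys and is therefore classified as expected SA turnover. Counters such as Key Additions or Active Security Associations are parsed but not interpreted here; extend `triage` with further rules as the descriptions above suggest.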

© 2016 Microsoft Corporation. All rights reserved.