The following table describes the items in the list of IKE statistics in the IP Security Monitor snap-in.
| IKE Statistic | Description |
|---|---|
| Active Acquire | An acquire is a request by the IPSec driver to have IKE perform a task. The active acquire statistic includes the outstanding request and the number of any queued requests. Typically, the number of active acquires is 1. Under a heavy load, the number of active acquires is 1 plus the number of requests that are queued by IKE for processing. |
| Active Receive | The number of IKE messages received that are queued for processing. |
| Acquire Failures | The number of times that an acquire has failed. |
| Receive Failures | The number of times that the Windows Sockets WSARecvFrom() function has failed when receiving IKE messages. |
| Send Failures | The number of times that the Windows Sockets WSASendTo() function has failed when sending IKE messages. |
| Acquire Heap Size | The number of entries in the acquire heap, which stores active acquires. This number increases under a heavy load and then gradually decreases over time, as the acquire heap is cleared. |
| Receive Heap Size | The number of entries in the IKE receive buffers for incoming IKE messages. |
| Negotiation Failures | The total number of negotiation failures that occurred during main mode (also known as Phase I) or quick mode (also known as Phase II) negotiation. If you are having difficulty communicating securely, attempt the communication and determine whether the number of Negotiation Failures increases. If it does, check your authentication and security method settings for an unmatched authentication method, an incorrect authentication method configuration (for example, the use of preshared keys that do not match), or unmatched security methods or settings. |
| Authentication Failures | The total number of identity authentication failures (Kerberos, certificate, and preshared key) that occurred during main mode negotiation. If you are having difficulty communicating securely, attempt the communication and determine whether the number of Authentication Failures increases. If it does, check your authentication settings for either an unmatched authentication method or an incorrect authentication method configuration (for example, the use of preshared keys that do not match). |
| Invalid Cookies Received | A cookie is a value contained in a received IKE message that IKE uses to find the state of an active main mode. A cookie in a received IKE message that cannot be matched with an active main mode is invalid. |
| Total Acquire | The total number of work requests submitted by IKE to the IPSec driver. |
| Total Get SPI | The total number of requests submitted by IKE to the IPSec driver to obtain a unique Security Parameters Index (SPI). |
| Key Additions | The number of outbound quick mode security associations (SAs) added by IKE to the IPSec driver. |
| Key Updates | The number of inbound quick mode SAs added by IKE to the IPSec driver. |
| Get SPI Failures | The number of requests submitted by IKE to the IPSec driver to obtain a unique SPI that failed. |
| Key Addition Failures | The number of outbound quick mode SA addition requests submitted by IKE to the IPSec driver that failed. |
| Key Update Failures | The number of inbound quick mode SA addition requests submitted by IKE to the IPSec driver that failed. |
| ISADB List Size | The number of main mode state entries, including negotiated main modes, main modes in progress, and main modes that failed and have not yet been deleted. |
| Connection List Size | The number of quick mode state entries. |
| Oakley Main Mode | The total number of successful SAs created during main mode negotiations. |
| Oakley Quick Mode | The total number of successful SAs created during quick mode negotiations. Because multiple quick mode SAs are typically created for each main mode SA, this number does not necessarily match the main mode number. |
| Invalid Packets Received | The number of received IKE messages that are invalid, including IKE messages with invalid header fields, incorrect payload lengths, and incorrect values for the responder cookie (when it should be set to 0). Invalid IKE messages are commonly caused by stale retransmitted IKE messages or an unmatched preshared key between the IPSec peers. |
| Soft Associations | The total number of negotiations that resulted in the use of plaintext (also known as soft SAs). This typically reflects the number of associations formed with computers that did not respond to main mode negotiation attempts. This can include both non-IPSec-aware computers and IPSec-aware computers that do not have an IPSec policy to negotiate security with this IPSec peer. Although soft SAs are not the result of main mode and quick mode negotiations, they are still treated as quick mode SAs. |
The following table describes the items in the list of IPSec statistics in the IP Security Monitor snap-in.
| IPSec Statistic | Description |
|---|---|
| Active Security Associations | The number of active IPSec SAs. |
| Offloaded Security Associations | The number of active IPSec SAs offloaded to hardware. |
| Pending Key Operations | The number of IPSec key operations in progress. |
| Key Additions | The total number of successful IPSec SA negotiations. |
| Key Deletions | The number of key deletions for IPSec SAs. |
| Re-Keys | The number of rekey operations for IPSec SAs. |
| Active Tunnels | The number of active IPSec tunnels. |
| Bad SPI Packets | The total number of packets for which the Security Parameters Index (SPI) was incorrect. The SPI is used to match inbound packets with SAs. If the SPI is incorrect, it might mean that the inbound SA has expired and a packet using the old SPI has recently arrived. This number is likely to increase if rekey intervals are short and there are a large number of SAs. Because SAs expire under normal conditions, a bad SPI packet does not necessarily mean that IP security is failing. |
| Packets Not Decrypted | The total number of packets that failed decryption. This failure might indicate that a packet arrived for which the SA had expired. If the SA expires, the session key used to decrypt the packet is also deleted. This does not necessarily indicate that IP security is failing. |
| Packets Not Authenticated | The total number of packets for which data could not be verified. This failure is most likely caused by an expired SA. |
| Packets With Replay Detection | The total number of packets that contained a valid Sequence Number field. |
| Confidential Bytes Sent | The total number of bytes sent using the ESP protocol. |
| Confidential Bytes Received | The total number of bytes received using the ESP protocol. |
| Authenticated Bytes Sent | The total number of bytes sent using the AH protocol. |
| Authenticated Bytes Received | The total number of bytes received using the AH protocol. |
| Transport Bytes Sent | The total number of bytes sent using IPSec transport mode. |
| Transport Bytes Received | The total number of bytes received using IPSec transport mode. |
| Bytes Sent in Tunnels | The total number of bytes sent using IPSec tunnel mode. |
| Bytes Received in Tunnels | The total number of bytes received using IPSec tunnel mode. |
| Offloaded Bytes Sent | The total number of bytes sent using hardware offload. |
| Offloaded Bytes Received | The total number of bytes received using hardware offload. |
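As an added example that is not part of the original documentation, the following PowerShell script applies the "attempt the communication and see whether the counter increases" check from the Negotiation Failures and Authentication Failures rows to the failure-related counters in both tables, attaching the likely cause each row gives. It assumes the counters are available as `Name : value` text lines (the shape of `netsh ipsec dynamic show stats` output, which is an assumption here); the two snapshots in the script are constructed sample data.

```powershell
# Parse "Name : integer" lines into a hashtable; headings and rules are skipped.
function ConvertFrom-CounterText {
    param([Parameter(Mandatory)][string]$Text)
    $counters = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*([A-Za-z][A-Za-z /-]*?)\s*:\s*(\d+)\s*$') {
            $counters[$Matches[1].Trim()] = [int64]$Matches[2]
        }
    }
    return $counters
}

# Counters whose growth during a failing test points at a cause named in the tables above.
$Hints = @{
    'Negotiation Failures'      = 'Check for unmatched authentication or security methods.'
    'Authentication Failures'   = 'Check authentication method and preshared key configuration.'
    'Invalid Packets Received'  = 'Stale retransmissions or an unmatched preshared key.'
    'Bad SPI Packets'           = 'Often an expired SA after rekey; not by itself a failure.'
    'Packets Not Authenticated' = 'Most likely an expired SA.'
}

# Report only the watched counters that increased between the two snapshots.
function Get-CounterDelta {
    param([Parameter(Mandatory)][hashtable]$Before, [Parameter(Mandatory)][hashtable]$After)
    foreach ($name in $Hints.Keys) {
        if (-not $After.ContainsKey($name)) { continue }
        $old = if ($Before.ContainsKey($name)) { $Before[$name] } else { 0 }
        $delta = $After[$name] - $old
        if ($delta -gt 0) {
            [pscustomobject]@{ Counter = $name; Before = $old; After = $After[$name]; Delta = $delta; Hint = $Hints[$name] }
        }
    }
}

# Constructed snapshots: taken before and after one attempted secure connection.
$beforeText = @"
Negotiation Failures          : 4
Authentication Failures       : 1
Bad SPI Packets               : 2
"@
$afterText = @"
Negotiation Failures          : 5
Authentication Failures       : 2
Bad SPI Packets               : 2
"@
Get-CounterDelta -Before (ConvertFrom-CounterText $beforeText) -After (ConvertFrom-CounterText $afterText) |
    Format-Table Counter, Before, After, Delta, Hint -AutoSize
```

With the sample data, Negotiation Failures and Authentication Failures each grow by 1 while Bad SPI Packets stays flat, which is the pattern the tables attribute to an authentication configuration mismatch rather than to SA expiry; to compare live snapshots, assign `(netsh ipsec dynamic show stats) -join "`n"` to the two text variables before and after the test.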