[SRX] SNMP OID used to check IPsec tunnel traffic statistics

  [KB32676]


Summary:

Simple Network Management Protocol (SNMP) monitoring tools query SRX devices by OID to obtain information, including statistics for the traffic passing through a particular IPsec tunnel.

This article explains the OID that is necessary to fetch IPsec tunnel traffic statistics.

 

Solution:

Multiple MIBs may be used to obtain VPN-related values.

root> show security ipsec statistics                
ESP Statistics:
  Encrypted bytes:              136
  Decrypted bytes:              168
  Encrypted packets:              1
  Decrypted packets:              2
 

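OID 1.3.6.1.4.1.2636.3.39.1.1.1.1.1.1.3, which is part of the Juniper enterprise MIB mib-jnx-js-if-ext.txt, may be used to obtain the count of inbound VPN packets arriving on a particular interface. In the output below, the instance suffix 526 is the SNMP ifIndex of ge-0/0/0.0, and the value 2 matches the VPN packets counter in that interface's flow input statistics.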

root> show snmp mib walk 1.3.6.1.4.1.2636.3.39.1.1.1.1.1.1.3
jnxJsIfMonInVpn.16 = 0
jnxJsIfMonInVpn.21 = 0
jnxJsIfMonInVpn.22 = 0
jnxJsIfMonInVpn.503 = 0
jnxJsIfMonInVpn.526 = 2

root> show interfaces ge-0/0/0.0 extensive                      
  Logical interface ge-0/0/0.0 (Index 67) (SNMP ifIndex 526) (Generation 147)
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
    Traffic statistics:
     Input  bytes  :                 1890
     Output bytes  :                 1122
     Input  packets:                   12
     Output packets:                    7
    Local statistics:
     Input  bytes  :                  348
     Output bytes  :                  364
     Input  packets:                    5
     Output packets:                    6
    Transit statistics:
     Input  bytes  :                    0                    0 bps
     Output bytes  :                    0                    0 bps
     Input  packets:                    0                    0 pps
     Output packets:                    0                    0 pps
    Security: Zone: untrust
    Allowed host-inbound traffic : ike
    Flow Statistics :  
    Flow Input statistics :             
      Self packets :                     7
      ICMP packets :                     0
      VPN packets :                      2
      Multicast packets :                0
      Bytes permitted by policy :        1312
      Connections established :          1
 

OID 1.3.6.1.4.1.2636.3.52.1, which is part of the Juniper enterprise MIB mib-jnx-ipsec-flow-mon.txt, may be used to obtain various VPN-related details, including Decrypted (1.3.6.1.4.1.2636.3.52.1.2.2.1.13) and Encrypted (1.3.6.1.4.1.2636.3.52.1.2.2.1.11) packet counts per VPN tunnel.

root> show snmp mib walk 1.3.6.1.4.1.2636.3.52.1.2.2.1.13      
jnxIpSecTunMonInDecryptedPkts.1.4.10.0.0.1.131073 = 2
jnxIpSecTunMonInDecryptedPkts.1.4.11.0.0.1.131074 = 0

root> show snmp mib walk 1.3.6.1.4.1.2636.3.52.1.2.2.1.11      
jnxIpSecTunMonOutEncryptedPkts.1.4.10.0.0.1.131073 = 1
jnxIpSecTunMonOutEncryptedPkts.1.4.11.0.0.1.131074 = 0
 

Note: Values are listed per VPN based on the IPsec Tunnel Index (the last component of each instance suffix, for example 131073), which may be found by using the following methods:

  • For all Junos OS versions run by SRX

root> show security ipsec security-associations

  Total active tunnels: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
  <131073 ESP:3des/sha1 8a3ec934 3316/ unlim   -   root 500   192.168.0.1        
  >131073 ESP:3des/sha1 9024d3f4 3316/ unlim   -   root 500   192.168.0.1        
  <131074 ESP:3des/sha1 ca6f5ffd 3316/ unlim   -   root 500   192.168.1.1        
  >131074 ESP:3des/sha1 d0a78d87 3316/ unlim   -   root 500   192.168.1.1

  • For devices that run Junos OS 15.1X49-D130 or later

root> show snmp mib walk 1.3.6.1.4.1.2636.3.52.1.2.2.1.27

  jnxIpSecTunMonVpnName.1.4.192.168.0.1.131073 = vpn1
  jnxIpSecTunMonVpnName.1.4.192.168.1.1.131074 = vpn2
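
The following is an added example, not part of the original article or Juniper's own tooling: a Python sketch that joins the three per-tunnel walks above (VPN name, decrypted packets, encrypted packets) on the IPsec Tunnel Index and lists tunnels that report no packets in either direction. The walk lines are constructed sample input in the format shown above, and reading the leading suffix components as address type, address length and gateway address is an assumption based on that output.

```python
import re
from collections import defaultdict

# Constructed sample input: "show snmp mib walk" lines in the format shown in this article.
SAMPLE_WALK = """\
jnxIpSecTunMonVpnName.1.4.192.168.0.1.131073 = vpn1
jnxIpSecTunMonVpnName.1.4.192.168.1.1.131074 = vpn2
jnxIpSecTunMonInDecryptedPkts.1.4.192.168.0.1.131073 = 2
jnxIpSecTunMonInDecryptedPkts.1.4.192.168.1.1.131074 = 0
jnxIpSecTunMonOutEncryptedPkts.1.4.192.168.0.1.131073 = 1
jnxIpSecTunMonOutEncryptedPkts.1.4.192.168.1.1.131074 = 0
"""

LINE_RE = re.compile(r"^\s*(jnxIpSecTunMon\w+)\.([\d.]+)\s*=\s*(.*?)\s*$")

def split_index(index):
    """Split '1.4.a.b.c.d.<tunnel>' into (gateway, tunnel_id); IPv4 only (assumed layout)."""
    parts = index.split(".")
    addr_type, addr_len = int(parts[0]), int(parts[1])
    if addr_type != 1 or addr_len != 4 or len(parts) != 2 + addr_len + 1:
        raise ValueError(f"unsupported index: {index}")
    return ".".join(parts[2:6]), int(parts[6])

def correlate(walk_text):
    """Return {tunnel_id: {'gateway': ..., <object name>: value, ...}}."""
    tunnels = defaultdict(dict)
    for line in walk_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip prompts, blank lines and unrelated objects
        column, index, value = m.groups()
        gateway, tunnel_id = split_index(index)
        row = tunnels[tunnel_id]
        row["gateway"] = gateway
        row[column] = int(value) if column.endswith("Pkts") else value
    return dict(tunnels)

def silent_tunnels(tunnels):
    """Tunnel IDs whose decrypted and encrypted packet counters are both zero."""
    return sorted(tid for tid, row in tunnels.items()
                  if row.get("jnxIpSecTunMonInDecryptedPkts", 0) == 0
                  and row.get("jnxIpSecTunMonOutEncryptedPkts", 0) == 0)

if __name__ == "__main__":
    for tid, row in sorted(correlate(SAMPLE_WALK).items()):
        print(tid, row)
```
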

 
