
[SRX] SNMP OID used to check IPsec tunnel traffic statistics


Article ID: KB32676  KB Last Updated: 17 Sep 2018  Version: 1.0
Summary:

Simple Network Management Protocol (SNMP) monitoring tools query SRX devices by OID to obtain information, including statistics for the traffic passing through a particular IPsec tunnel.

This article identifies the OIDs needed to fetch IPsec tunnel traffic statistics.

 

Solution:

Multiple MIBs may be used to obtain VPN-related values.

root> show security ipsec statistics                
ESP Statistics:
  Encrypted bytes:              136
  Decrypted bytes:              168
  Encrypted packets:              1
  Decrypted packets:              2
 

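OID 1.3.6.1.4.1.2636.3.39.1.1.1.1.1.1.3, which is part of the Juniper enterprise MIB mib-jnx-js-if-ext.txt, may be used to obtain the number of inbound VPN packets arriving on a particular interface. Each row of the walk output is indexed by the interface's SNMP ifIndex: in the example below, jnxJsIfMonInVpn.526 = 2 corresponds to ge-0/0/0.0 (SNMP ifIndex 526), whose Flow Input statistics show 2 VPN packets.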

root> show snmp mib walk 1.3.6.1.4.1.2636.3.39.1.1.1.1.1.1.3
jnxJsIfMonInVpn.16 = 0
jnxJsIfMonInVpn.21 = 0
jnxJsIfMonInVpn.22 = 0
jnxJsIfMonInVpn.503 = 0
jnxJsIfMonInVpn.526 = 2

root> show interfaces ge-0/0/0.0 extensive                      
  Logical interface ge-0/0/0.0 (Index 67) (SNMP ifIndex 526) (Generation 147)
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
    Traffic statistics:
     Input  bytes  :                 1890
     Output bytes  :                 1122
     Input  packets:                   12
     Output packets:                    7
    Local statistics:
     Input  bytes  :                  348
     Output bytes  :                  364
     Input  packets:                    5
     Output packets:                    6
    Transit statistics:
     Input  bytes  :                    0                    0 bps
     Output bytes  :                    0                    0 bps
     Input  packets:                    0                    0 pps
     Output packets:                    0                    0 pps
    Security: Zone: untrust
    Allowed host-inbound traffic : ike
    Flow Statistics :  
    Flow Input statistics :             
      Self packets :                     7
      ICMP packets :                     0
      VPN packets :                      2
      Multicast packets :                0
      Bytes permitted by policy :        1312
      Connections established :          1
 

OID 1.3.6.1.4.1.2636.3.52.1, which is a part of the Juniper enterprise MIB mib-jnx-ipsec-flow-mon.txt, may be used to obtain various VPN-related details, including Decrypted (1.3.6.1.4.1.2636.3.52.1.2.2.1.13) and Encrypted (1.3.6.1.4.1.2636.3.52.1.2.2.1.11) packets on a per VPN tunnel basis.

root> show snmp mib walk 1.3.6.1.4.1.2636.3.52.1.2.2.1.13      
jnxIpSecTunMonInDecryptedPkts.1.4.10.0.0.1.131073 = 2
jnxIpSecTunMonInDecryptedPkts.1.4.11.0.0.1.131074 = 0

root> show snmp mib walk 1.3.6.1.4.1.2636.3.52.1.2.2.1.11      
jnxIpSecTunMonOutEncryptedPkts.1.4.10.0.0.1.131073 = 1
jnxIpSecTunMonOutEncryptedPkts.1.4.11.0.0.1.131074 = 0
 

Note: Values are listed per VPN based on the IPsec Tunnel Index, which may be located by using the following methods:

  • For all Junos OS versions run by SRX

root> show security ipsec security-associations

  Total active tunnels: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
  <131073 ESP:3des/sha1 8a3ec934 3316/ unlim   -   root 500   192.168.0.1        
  >131073 ESP:3des/sha1 9024d3f4 3316/ unlim   -   root 500   192.168.0.1        
  <131074 ESP:3des/sha1 ca6f5ffd 3316/ unlim   -   root 500   192.168.1.1        
  >131074 ESP:3des/sha1 d0a78d87 3316/ unlim   -   root 500   192.168.1.1

  • For devices that run Junos OS 15.1X49-D130 or later

root> show snmp mib walk 1.3.6.1.4.1.2636.3.52.1.2.2.1.27

  jnxIpSecTunMonVpnName.1.4.192.168.0.1.131073 = vpn1
  jnxIpSecTunMonVpnName.1.4.192.168.1.1.131074 = vpn2
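
The following Python is an added example, not part of the original article or of any Juniper tool: it parses pasted `show snmp mib walk` output for the three jnxIpSecTunMon objects shown above and joins the packet counters with the VPN name on the IPsec Tunnel Index. The remote-gateway octets in this article's sample walks differ between objects (10.0.0.1 versus 192.168.0.1 for tunnel 131073), so the join uses the tunnel index alone and keeps every gateway seen for it. The function names and the instance-suffix layout (address type, address length, address octets, tunnel index) are assumptions inferred from the output on this page.

```python
import re
from collections import defaultdict

# Walk lines copied from the outputs shown in this article.
SAMPLE_WALK = """\
root> show snmp mib walk 1.3.6.1.4.1.2636.3.52.1.2.2.1.13
jnxIpSecTunMonInDecryptedPkts.1.4.10.0.0.1.131073 = 2
jnxIpSecTunMonInDecryptedPkts.1.4.11.0.0.1.131074 = 0
root> show snmp mib walk 1.3.6.1.4.1.2636.3.52.1.2.2.1.11
jnxIpSecTunMonOutEncryptedPkts.1.4.10.0.0.1.131073 = 1
jnxIpSecTunMonOutEncryptedPkts.1.4.11.0.0.1.131074 = 0
root> show snmp mib walk 1.3.6.1.4.1.2636.3.52.1.2.2.1.27
  jnxIpSecTunMonVpnName.1.4.192.168.0.1.131073 = vpn1
  jnxIpSecTunMonVpnName.1.4.192.168.1.1.131074 = vpn2
"""

LINE_RE = re.compile(r"^\s*(jnxIpSecTunMon\w+)\.([\d.]+)\s*=\s*(.*?)\s*$")
FIELDS = {
    "jnxIpSecTunMonInDecryptedPkts": "decrypted_pkts",
    "jnxIpSecTunMonOutEncryptedPkts": "encrypted_pkts",
    "jnxIpSecTunMonVpnName": "vpn_name",
}


def parse_instance(suffix):
    # Assumed layout (inferred from the article's output, not from the MIB):
    # <addr type>.<addr length>.<addr octets...>.<tunnel index>
    parts = [int(p) for p in suffix.split(".")]
    if len(parts) < 3 or len(parts) != parts[1] + 3:
        raise ValueError(f"unexpected instance suffix: {suffix}")
    gateway = ".".join(str(o) for o in parts[2:-1])
    return gateway, parts[-1]


def tunnel_report(walk_text):
    """Join counters and VPN names on the IPsec tunnel index."""
    report = defaultdict(lambda: {"gateways": set()})
    for line in walk_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) not in FIELDS:
            continue  # CLI prompts, blank lines, objects not handled here
        gateway, index = parse_instance(m.group(2))
        field, value = FIELDS[m.group(1)], m.group(3)
        report[index][field] = value if field == "vpn_name" else int(value)
        report[index]["gateways"].add(gateway)
    return dict(report)
```

Calling `tunnel_report(SAMPLE_WALK)` returns one entry per tunnel index (131073 and 131074 here), each holding `vpn_name`, `decrypted_pkts`, `encrypted_pkts` and the set of gateway addresses seen in the instance suffixes.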

 
