Viewing main mode and quick mode statistics in IP Security Monitor
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Main Mode (IKE) Statistics
The following table describes the items in the list of main mode (IKE) statistics in IP Security Monitor.
For information about how to view these statistics, see View IP security statistics.
Main Mode (IKE) Statistic | Description |
---|---|
Active Acquire | The number of pending requests to initiate an Internet Key Exchange (IKE) negotiation in order to establish a security association (SA) between IPSec peers. The Active Acquire statistic includes the outstanding request and the number of any queued requests. Under a heavy load, the number of active acquires is 1 plus the number of requests that are queued by IKE for processing. |
Active Receive | The number of IKE messages received that are queued for processing. |
Acquire Failures | The total number of acquire outbound requests that have failed since the IPSec service was last started. Acquires are requests to establish SAs between IPSec peers. |
Receive Failures | The total number of errors that have occurred during the process of receiving IKE messages since the IPSec service was last started. |
Send Failures | The total number of errors that have occurred during the process of sending IKE messages since the IPSec service was last started. The number of Send Failures typically increases for computers that establish SAs over temporary network connections, such as dial-up connections, virtual private network tunnels, and wireless connections. |
Acquire Heap Size | The number of entries in the acquire heap. The acquire heap stores successful acquires. Acquires are outbound requests to establish SAs between IPSec peers. |
Receive Heap Size | The number of entries in the IKE receive buffers. The receive buffers store incoming IKE messages. |
Authentication Failures | The total number of identity authentication (Kerberos, certificate, and preshared key) failures that have occurred during main mode negotiation since the IPSec service was last started. If you are having difficulty communicating securely, attempt the communication and determine whether the number of Authentication Failures increases. If it does, check your authentication settings for either an unmatched authentication method or an incorrect authentication method configuration (for example, the use of preshared keys that do not match). |
Negotiation Failures | The total number of negotiation failures that have occurred during main mode or quick mode negotiation since the IPSec service was last started. If you are having difficulty communicating securely, attempt the communication and determine whether the number of Negotiation Failures increases. If it does, check your authentication and security method settings for an unmatched authentication method, an incorrect authentication method configuration (for example, the use of preshared keys that do not match), or unmatched security methods or settings. |
Invalid Cookies Received | The total number of cookies that could not be matched with an active main mode SA since the IPSec service was last started. A cookie is a value contained in a received IKE message that is used to help identify the corresponding main mode SA. |
Total Acquire | The total number of requests that have been submitted to IKE since the IPSec service was last started to establish an SA. This number includes acquires that result in soft SAs. |
Total Get SPI | The total number of requests that have been submitted by IKE to the IPSec driver to obtain a unique Security Parameters Index (SPI) since the IPSec service was last started. The SPI matches inbound packets with SAs. |
Key Additions | The total number of outbound quick mode SAs that have been added by IKE to the IPSec driver since the IPSec service was last started. |
Key Updates | The total number of inbound quick mode SAs that have been added by IKE to the IPSec driver since the IPSec service was last started. |
Get SPI Failures | The total number of failed requests that have been submitted by IKE to the IPSec driver to obtain a unique SPI since the IPSec service was last started. |
Key Addition Failures | The total number of failed outbound quick mode SA addition requests that have been submitted by IKE to the IPSec driver since the IPSec service was last started. |
Key Update Failures | The total number of failed inbound quick mode SA addition requests that have been submitted by IKE to the IPSec driver since the IPSec service was last started. |
ISADB List Size | The number of main mode state entries. This number includes successfully negotiated main modes, main mode negotiations in progress, and main mode negotiations that failed or expired and have not yet been deleted. |
Connection List Size | The number of quick mode negotiations that are in progress. |
IKE Main Mode | The total number of successful SAs that have been created during main mode negotiations since the IPSec service was last started. |
IKE Quick Mode | The total number of successful SAs that have been created during quick mode negotiations since the IPSec service was last started. |
Soft Associations | The total number of SAs formed with computers that have not responded to main mode negotiation attempts since the IPSec service was last started. Although these computers did not respond to main mode negotiation attempts, IPSec policy allowed communications with the computers. Soft SAs are not secured by IPSec. |
Invalid Packets Received | The total number of invalid IKE messages that have been received since the IPSec service was last started. This number includes IKE messages with invalid header fields, incorrect payload lengths, and incorrect values for the responder cookie. Invalid IKE messages are commonly caused by retransmitted IKE messages or an unmatched preshared key between the IPSec peers. |
Quick Mode (IPSec) Statistics
The following table describes the items in the list of quick mode (IPSec) statistics in IP Security Monitor.
Quick Mode (IPSec) Statistic | Description |
---|---|
Active Security Associations | The number of active quick mode SAs. |
Offloaded Security Associations | The number of active quick mode SAs offloaded to hardware. Certain network adapters can accelerate IPSec processing by performing hardware offload of IPSec cryptographic functions. |
Pending Key Operations | The number of IPSec key exchange operations that are in progress but are not yet completed. |
Key Additions | The total number of keys for quick mode SA negotiations that have been successfully added since the computer was last started. |
Key Deletions | The total number of keys for quick mode SAs that have been successfully deleted since the computer was last started. |
Rekeys | The total number of successful rekey operations for quick mode SAs since the computer was last started. |
Active Tunnels | The number of active IPSec tunnels. |
Bad SPI Packets | The total number of packets for which the SPI has been incorrect since the computer was last started. If the SPI is incorrect, it might mean that the inbound SA has expired and a packet using the old SPI has recently arrived. This number is likely to increase if rekey intervals are short and there are a large number of SAs. A large number of packets with bad SPIs that are received within a short amount of time might indicate a packet spoofing attack. |
Packets Not Decrypted | The total number of packets that could not be decrypted since the computer was last started. A packet might not be decrypted if it fails a validation check. |
Packets Not Authenticated | The total number of packets for which data could not be verified (for which the integrity hash verification failed) since the computer was last started. Increases in this number might indicate an IPSec packet spoofing or modification attack or packet corruption by network devices. |
Packets With Replay Detection | The total number of packets that have contained an invalid sequence number since the computer was last started. Increases in this number might indicate a network problem or replay attack. |
Confidential Bytes Sent | The total number of bytes that have been sent using the Encapsulating Security Payload (ESP) protocol (excluding non-encrypted ESP) since the computer was last started. |
Confidential Bytes Received | The total number of bytes that have been received using the ESP protocol (excluding non-encrypted ESP) since the computer was last started. |
Authenticated Bytes Sent | The total number of authenticated bytes that have been sent using the Authentication Header (AH) protocol or the ESP protocol since the computer was last started. |
Authenticated Bytes Received | The total number of authenticated bytes that have been received using the AH protocol or the ESP protocol since the computer was last started. |
Transport Bytes Sent | The total number of bytes that have been sent using IPSec transport mode since the computer was last started. |
Transport Bytes Received | The total number of bytes that have been received using IPSec transport mode since the computer was last started. |
Bytes Sent in Tunnels | The total number of bytes that have been sent using IPSec tunnel mode since the computer was last started. |
Bytes Received in Tunnels | The total number of bytes that have been received using IPSec tunnel mode since the computer was last started. |
Offloaded Bytes Sent | The total number of bytes that have been sent using IPSec hardware offload since the computer was last started. |
Offloaded Bytes Received | The total number of bytes that have been received using IPSec hardware offload since the computer was last started. |
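
Both tables advise watching whether specific counters increase (Authentication Failures and Negotiation Failures in main mode; Bad SPI Packets, Packets Not Authenticated and Packets With Replay Detection in quick mode). The following is an added example, not part of the original documentation, that compares two counter snapshots and reports those increases. The `Name: value` snapshot format, the sample values and the burst threshold are assumptions made for illustration.

```python
# Added example. The "Name: value" snapshot format and the threshold are assumptions.

# Counter -> what the tables above say an increase can point to.
WATCH = {
    "Authentication Failures": "unmatched or misconfigured authentication method",
    "Negotiation Failures": "unmatched authentication or security methods",
    "Bad SPI Packets": "expired inbound SA; a burst might indicate spoofing",
    "Packets Not Authenticated": "spoofing, modification or packet corruption",
    "Packets With Replay Detection": "network problem or replay attack",
}
BAD_SPI_BURST_PER_SEC = 50  # assumed threshold, tune per environment

def parse_snapshot(text):
    """Parse 'Name: value' lines into {name: int}; skips anything else."""
    stats = {}
    for line in text.splitlines():
        name, sep, value = line.rpartition(":")
        if sep and value.strip().isdigit():
            stats[name.strip()] = int(value)
    return stats

def compare(before, after, seconds):
    """Return (findings, reset). The counters are cumulative since the service
    or computer last started, so a decrease means a restart: deltas are invalid."""
    if any(after.get(k, 0) < v for k, v in before.items() if k in WATCH):
        return [], True
    findings = []
    for name, hint in WATCH.items():
        delta = after.get(name, 0) - before.get(name, 0)
        if delta > 0:
            burst = name == "Bad SPI Packets" and delta / seconds >= BAD_SPI_BURST_PER_SEC
            findings.append((name, delta, "BURST: " + hint if burst else hint))
    return findings, False

# Constructed sample snapshots taken 60 seconds apart (not real tool output).
BEFORE = """Authentication Failures: 2
Negotiation Failures: 5
Bad SPI Packets: 10
Packets With Replay Detection: 0"""
AFTER = """Authentication Failures: 4
Negotiation Failures: 5
Bad SPI Packets: 6010
Packets With Replay Detection: 3"""

if __name__ == "__main__":
    findings, reset = compare(parse_snapshot(BEFORE), parse_snapshot(AFTER), 60)
    for name, delta, hint in findings:
        print(f"{name}: +{delta} -> {hint}")
```
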