Viewing main mode and quick mode statistics in IP Security Monitor

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Main Mode (IKE) Statistics

The following table describes the items in the list of main mode (IKE) statistics in IP Security Monitor.

For information about how to view these statistics, see View IP security statistics.

Main Mode (IKE) Statistic / Description

Active Acquire

The number of pending requests to initiate an Internet Key Exchange (IKE) negotiation in order to establish a security association (SA) between IPSec peers. The Active Acquire statistic includes the outstanding request and the number of any queued requests. Under a heavy load, the number of active acquires is 1 plus the number of requests that are queued by IKE for processing.

Active Receive

The number of IKE messages received that are queued for processing.

Acquire Failures

The total number of outbound acquire requests that have failed since the IPSec service was last started. Acquires are requests to establish SAs between IPSec peers.

Receive Failures

The total number of errors that have occurred during the process of receiving IKE messages since the IPSec service was last started.

Send Failures

The total number of errors that have occurred during the process of sending IKE messages since the IPSec service was last started. The number of Send Failures typically increases for computers that establish SAs over temporary network connections, such as dial-up connections, virtual private network tunnels, and wireless connections.

Acquire Heap Size

The number of entries in the acquire heap. The acquire heap stores successful acquires. Acquires are outbound requests to establish SAs between IPSec peers.

Receive Heap Size

The number of entries in the IKE receive buffers. The receive buffers store incoming IKE messages.

Authentication Failures

The total number of identity authentication (Kerberos, certificate, and preshared key) failures that have occurred during main mode negotiation since the IPSec service was last started. If you are having difficulty communicating securely, attempt the communication and determine whether the number of Authentication Failures increases. If it does, check your authentication settings for either an unmatched authentication method or an incorrect authentication method configuration (for example, the use of preshared keys that do not match).

Negotiation Failures

The total number of negotiation failures that have occurred during main mode or quick mode negotiation since the IPSec service was last started. If you are having difficulty communicating securely, attempt the communication and determine whether the number of Negotiation Failures increases. If it does, check your authentication and security method settings for an unmatched authentication method, an incorrect authentication method configuration (for example, the use of preshared keys that do not match), or unmatched security methods or settings.

Invalid Cookies Received

The total number of cookies that could not be matched with an active main mode SA since the IPSec service was last started. A cookie is a value contained in a received IKE message that is used to help identify the corresponding main mode SA.

Total Acquire

The total number of requests that have been submitted to IKE since the IPSec service was last started to establish an SA. This number includes acquires that result in soft SAs.

Total Get SPI

The total number of requests that have been submitted by IKE to the IPSec driver to obtain a unique Security Parameters Index (SPI) since the IPSec service was last started. The SPI matches inbound packets with SAs.

Key Additions

The total number of outbound quick mode SAs that have been added by IKE to the IPSec driver since the IPSec service was last started.

Key Updates

The total number of inbound quick mode SAs that have been added by IKE to the IPSec driver since the IPSec service was last started.

Get SPI Failures

The total number of failed requests that have been submitted by IKE to the IPSec driver to obtain a unique SPI since the IPSec service was last started.

Key Addition Failures

The total number of failed outbound quick mode SA addition requests that have been submitted by IKE to the IPSec driver since the IPSec service was last started.

Key Update Failures

The total number of failed inbound quick mode SA addition requests that have been submitted by IKE to the IPSec driver since the IPSec service was last started.

ISADB List Size

The number of main mode state entries. This number includes successfully negotiated main modes, main mode negotiations in progress, and main mode negotiations that failed or expired and have not yet been deleted.

Connection List Size

The number of quick mode negotiations that are in progress.

IKE Main Mode

The total number of successful SAs that have been created during main mode negotiations since the IPSec service was last started.

IKE Quick Mode

The total number of successful SAs that have been created during quick mode negotiations since the IPSec service was last started.

Soft Associations

The total number of SAs formed with computers that have not responded to main mode negotiation attempts since the IPSec service was last started. Although these computers did not respond to main mode negotiation attempts, IPSec policy allowed communications with the computers. Soft SAs are not secured by IPSec.

Invalid Packets Received

The total number of invalid IKE messages that have been received since the IPSec service was last started. This number includes IKE messages with invalid header fields, incorrect payload lengths, and incorrect values for the responder cookie. Invalid IKE messages are commonly caused by retransmitted IKE messages or an unmatched preshared key between the IPSec peers.

Quick Mode (IPSec) Statistics

The following table describes the items in the list of quick mode (IPSec) statistics in IP Security Monitor.

Quick Mode (IPSec) Statistic / Description

Active Security Associations

The number of active quick mode SAs.

Offloaded Security Associations

The number of active quick mode SAs offloaded to hardware. Certain network adapters can accelerate IPSec processing by performing hardware offload of IPSec cryptographic functions.

Pending Key Operations

The number of IPSec key exchange operations that are in progress but are not yet completed.

Key Additions

The total number of keys for quick mode SA negotiations that have been successfully added since the computer was last started.

Key Deletions

The total number of keys for quick mode SAs that have been successfully deleted since the computer was last started.

Rekeys

The total number of successful rekey operations for quick mode SAs since the computer was last started.

Active Tunnels

The number of active IPSec tunnels.

Bad SPI Packets

The total number of packets for which the SPI has been incorrect since the computer was last started. If the SPI is incorrect, it might mean that the inbound SA has expired and a packet using the old SPI has recently arrived. This number is likely to increase if rekey intervals are short and there are a large number of SAs. A large number of packets with bad SPIs that are received within a short amount of time might indicate a packet spoofing attack.

Packets Not Decrypted

The total number of packets that could not be decrypted since the computer was last started. A packet might not be decrypted if it fails a validation check.

Packets Not Authenticated

The total number of packets for which data could not be verified (for which the integrity hash verification failed) since the computer was last started. Increases in this number might indicate an IPSec packet spoofing or modification attack or packet corruption by network devices.

Packets With Replay Detection

The total number of packets that have contained an invalid sequence number since the computer was last started. Increases in this number might indicate a network problem or replay attack.

Confidential Bytes Sent

The total number of bytes that have been sent using the Encapsulating Security Payload (ESP) protocol (excluding non-encrypted ESP) since the computer was last started.

Confidential Bytes Received

The total number of bytes that have been received using the ESP protocol (excluding non-encrypted ESP) since the computer was last started.

Authenticated Bytes Sent

The total number of authenticated bytes that have been sent using the Authentication Header (AH) protocol or the ESP protocol since the computer was last started.

Authenticated Bytes Received

The total number of authenticated bytes that have been received using the AH protocol or the ESP protocol since the computer was last started.

Transport Bytes Sent

The total number of bytes that have been sent using IPSec transport mode since the computer was last started.

Transport Bytes Received

The total number of bytes that have been received using IPSec transport mode since the computer was last started.

Bytes Sent in Tunnels

The total number of bytes that have been sent using IPSec tunnel mode since the computer was last started.

Bytes Received in Tunnels

The total number of bytes that have been received using IPSec tunnel mode since the computer was last started.

Offloaded Bytes Sent

The total number of bytes that have been sent using IPSec hardware offload since the computer was last started.

Offloaded Bytes Received

The total number of bytes that have been received using IPSec hardware offload since the computer was last started.
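
Several of the descriptions above say to attempt a communication and watch whether a counter increases. The following added example (not Microsoft code) compares two readings of the counters and reports the follow-up each description suggests. The function names, the sample readings and the BURST_PER_SEC cut-off are assumptions made for illustration; how the readings are collected is outside its scope.

```python
# Added example: snapshot values are constructed, BURST_PER_SEC is an assumption.
HINTS = {  # watched cumulative counters -> follow-up taken from their descriptions
    "Authentication Failures":
        "check for an unmatched or misconfigured authentication method",
    "Negotiation Failures":
        "check authentication and security method settings for a mismatch",
    "Bad SPI Packets":
        "packets may be using the SPI of an expired inbound SA",
    "Packets Not Authenticated":
        "possible spoofing or modification, or corruption by network devices",
    "Packets With Replay Detection":
        "network problem or possible replay attack",
}
BURST_PER_SEC = 5.0  # assumed cut-off for "a large number in a short time"


def counter_delta(before, after):
    """Increase of a cumulative counter between two readings. A lower second
    reading means the counter was reset (IPSec service or computer restart),
    so the whole second reading counts as new."""
    return after if after < before else after - before


def diagnose(before, after, seconds):
    """Return {counter: (delta, hint)} for each watched counter that rose."""
    findings = {}
    for name, hint in HINTS.items():
        delta = counter_delta(before.get(name, 0), after.get(name, 0))
        if delta == 0:
            continue
        if name == "Bad SPI Packets" and delta / seconds >= BURST_PER_SEC:
            # Report rekeys in the same window so the analyst can judge
            # whether expired SAs plausibly explain the burst.
            rekeys = counter_delta(before.get("Rekeys", 0), after.get("Rekeys", 0))
            hint = f"burst: possible packet spoofing ({rekeys} rekeys in window)"
        findings[name] = (delta, hint)
    return findings


# Constructed readings taken 60 seconds apart, around one connection attempt.
BEFORE = {"Authentication Failures": 3, "Negotiation Failures": 7, "Rekeys": 4,
          "Bad SPI Packets": 10, "Packets With Replay Detection": 2}
AFTER = {"Authentication Failures": 4, "Negotiation Failures": 8, "Rekeys": 4,
         "Bad SPI Packets": 910, "Packets With Replay Detection": 2}

if __name__ == "__main__":
    for name, (delta, hint) in diagnose(BEFORE, AFTER, 60).items():
        print(f"{name}: +{delta} -> {hint}")
```

Because main mode counters restart with the IPSec service and quick mode counters restart with the computer, a reading that drops between snapshots is treated as a reset, not as a negative change.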