IPsec stats meaning

  • Hello,

    I have this problem with my IPsec that I can send packets but not receive.

    I have noticed a strange stat in my Child SA entry:

    Bytes-In 0 : 213

    Does this mean that 213 packets have been dropped?

    Do you know any log where I can find out why? (No firewall deny is logged)


  • Hi,

    I am having this exact same problem.
    For some reason, yesterday, a site-to-site IPsec connection that I've been using for ages just stopped working. The tunnel claims to be up, but no traffic is going over it, or perhaps in one direction, just not in both.

    I'm getting the exact same symptoms as the OP. I'm very curious what the IPsec stats mean?
    e.g. - Packets-In: 0 : 1077 does the 1077 relate to dropped packets? If so, where are they being dropped? I am 99.9% sure I don't have any rules blocking IPsec traffic.

    The full readout of the stats…

    One end of tunnel =
    Bytes-In: 0
    Packets-In: 0 : 1077
    Bytes-Out: 29600
    Packets-Out: 268 : 1

    The other end of tunnel =
    Bytes-In: 23908
    Packets-In: 306 : 1228
    Bytes-Out: 0
    Packets-Out: 0 : 0

    Any help would be gratefully received.

  • The trailing number at the end is noise from strongSwan's output there, just ignore it. We have a bug ticket open to clean that up in the future.

    Where you have 0 bytes and packets in like both posts here are showing, it means the other end isn't replying for some reason. Maybe the other end is blocking the traffic, maybe the target system isn't replying, or it might be replying to the wrong device (diff default gateway). Something along those lines. When you have that circumstance as shown, you know the IPsec portion is fine because it's up and you're passing traffic out of it. Look to the other end to see why it's not sending anything back.
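
    Added example (not code from this thread, pfSense or strongSwan): a small Python parser for the counter lines quoted in the two posts above, plus the direction check the reply describes. It reads the "Bytes-In / Packets-In / Bytes-Out / Packets-Out" lines as they appear on the page, discards the trailing ": N" field per the reply, and turns the two ends' counters into the same conclusion the reply draws (packets out but none in, with the far end showing packets in but none out, means the SA is fine and the far side isn't replying or is routing replies elsewhere). The "far end sees nothing" branch generalizes beyond the readouts shown; the sample readouts are constructed from the numbers in the thread, not captured from a live system.

```python
import re
from dataclasses import dataclass

# Constructed sample readouts modelled on the two ends quoted in the thread
# (not captured from a real system).
END_A = """\
Bytes-In: 0
Packets-In: 0 : 1077
Bytes-Out: 29600
Packets-Out: 268 : 1
"""

END_B = """\
Bytes-In: 23908
Packets-In: 306 : 1228
Bytes-Out: 0
Packets-Out: 0 : 0
"""

# Accepts "Packets-In: 306 : 1228" as well as the OP's "Bytes-In 0 : 213"
# (no colon after the label, trailing number present on a Bytes line).
COUNTER_RE = re.compile(
    r"^(?P<kind>Bytes|Packets)-(?P<dir>In|Out):?\s*(?P<value>\d+)"
    r"(?:\s*:\s*(?P<trailing>\d+))?\s*$",
    re.IGNORECASE,
)


@dataclass
class ChildSaStats:
    bytes_in: int = 0
    packets_in: int = 0
    bytes_out: int = 0
    packets_out: int = 0


def parse_child_sa(text: str) -> ChildSaStats:
    """Pull the four counters out of a status readout; unrelated lines are skipped."""
    stats = ChildSaStats()
    for raw in text.splitlines():
        m = COUNTER_RE.match(raw.strip())
        if not m:
            continue
        # The trailing ": N" is the field the reply says to ignore: it is
        # matched only so the line parses, then dropped.
        field = f"{m['kind'].lower()}_{m['dir'].lower()}"
        setattr(stats, field, int(m["value"]))
    return stats


def classify(stats: ChildSaStats) -> str:
    """Traffic direction seen by one end: bidirectional, tx-only, rx-only or idle."""
    sending = stats.packets_out > 0
    receiving = stats.packets_in > 0
    if sending and receiving:
        return "bidirectional"
    if sending:
        return "tx-only"
    if receiving:
        return "rx-only"
    return "idle"


def diagnose(local: ChildSaStats, remote: ChildSaStats) -> str:
    """Combine both ends' counters into a verdict on where to look next."""
    l, r = classify(local), classify(remote)
    if l == "bidirectional" and r == "bidirectional":
        return "ok: traffic flows both ways"
    if l == "tx-only" and r == "rx-only":
        # The case in the thread: our ESP is decrypted on the far side, but
        # nothing comes back, so the IPsec SA is not the problem.
        return ("far end receives but never replies: the SA is fine; check that "
                "the target host answers and that its replies are routed back "
                "into the tunnel rather than out another default gateway")
    if l == "tx-only" and r == "idle":
        # Generalization beyond the readouts shown: the peer never sees our
        # packets at all, so look at the path between the two endpoints.
        return ("far end sees nothing: our ESP is lost or filtered before it "
                "reaches the peer")
    if l == "idle" and r == "idle":
        return "idle: neither side has sent anything over this child SA"
    return f"inconclusive: local={l} remote={r}; re-read both ends' counters"


if __name__ == "__main__":
    a, b = parse_child_sa(END_A), parse_child_sa(END_B)
    print(classify(a), classify(b))
    print(diagnose(a, b))
```

    Paste each end's readout into the two strings (or feed them from a file) and compare; when the local end shows tx-only and the remote end rx-only, the counters alone already point at the far side's host or routing, not at the tunnel.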
