Netgate Discussion Forum

    IPSec stats meaning

    IPsec
    3 Posts 3 Posters 1.1k Views
    Thronner

      Hello,

      I have this problem with my IPsec that I can send packets but not receive.

      I have noticed a strange stat in my Child SA entry:

      Bytes-In 0 : 213

      Does this mean that 213 packets have been dropped?

      Do you know any log where I can find out why? (No firewall deny is logged)

      Screenshot:

      gavpop

        Hi,

        I am having this exact same problem.
        For some reason, yesterday, a site to site IPSEC connection that I've been using for ages just stopped working.  The tunnel claims to be up, but no traffic is going over it, or perhaps in one direction, just not in both.

        I'm getting the exact same symptoms as the OP.  I'm very curious what the IPSEC stats mean?
        eg - Packets-In: 0 : 1077  does the 1077 relate to dropped packets?  If so, where are they being dropped?  I am 99.9% sure I don't have any rules blocking IPSEC traffic.

        The full readout of the stats…

        One end of tunnel =
        Bytes-In: 0
        Packets-In: 0 : 1077
        Bytes-Out: 29600
        Packets-Out: 268 : 1

        The other end of tunnel =
        Bytes-In: 23908
        Packets-In: 306 : 1228
        Bytes-Out: 0
        Packets-Out: 0 : 0

        Any help would be gratefully received.

        cmb

          The trailing number at the end is noise from strongswan's output there, just ignore it. We have a bug ticket open to clean that up in the future.

          Where you have 0 bytes and packets in like both posts here are showing, it means the other end isn't replying for some reason. Maybe the other end is blocking the traffic, maybe the target system isn't replying, or it might be replying to the wrong device (diff default gateway). Something along those lines. When you have that circumstance as shown, you know the IPsec portion is fine because it's up and you're passing traffic out of it. Look to the other end to see why it's not sending anything back.

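To make cmb's reading of those counters mechanical, here is an added Python example (not from the thread, pfSense or strongSwan): it parses the readout format gavpop posted, drops the trailing number cmb calls noise, and classifies each end of the tunnel. The two sample readouts are constructed from the figures in the posts above.

```python
import re

# Constructed sample readouts in the format posted above (the numbers are
# copied from the thread, not captured from a live system).
END_A = """\
Bytes-In: 0
Packets-In: 0 : 1077
Bytes-Out: 29600
Packets-Out: 268 : 1
"""
END_B = """\
Bytes-In: 23908
Packets-In: 306 : 1228
Bytes-Out: 0
Packets-Out: 0 : 0
"""

# "Packets-In: 0 : 1077" -> kind=Packets, direction=In, value=0, trailing=1077
STAT_RE = re.compile(r"^(Bytes|Packets)-(In|Out):\s*(\d+)(?:\s*:\s*(\d+))?$")


def parse_child_sa_stats(text):
    """Return the four counters as ints keyed bytes_in/packets_in/bytes_out/packets_out.

    The trailing ': N' after the packet counters is discarded: per cmb's reply it is
    noise from strongSwan's output, not a dropped-packet count.
    """
    stats = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = STAT_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised stat line: {line!r}")
        kind, direction, value, _trailing_noise = m.groups()
        stats[f"{kind.lower()}_{direction.lower()}"] = int(value)
    missing = {"bytes_in", "packets_in", "bytes_out", "packets_out"} - stats.keys()
    if missing:
        raise ValueError(f"missing counters: {sorted(missing)}")
    return stats


def diagnose(stats):
    """Classify one end's traffic pattern the way cmb does in the reply above."""
    if stats["packets_out"] > 0 and stats["packets_in"] == 0:
        return "one-way: this end sends, peer never replies (IPsec is up; look at the far side)"
    if stats["packets_in"] > 0 and stats["packets_out"] == 0:
        return "one-way: this end receives but never answers (check its routing/filtering)"
    if stats["packets_in"] == 0 and stats["packets_out"] == 0:
        return "idle: no traffic in either direction"
    return "bidirectional: traffic flowing both ways"
```

Running diagnose() on both ends of gavpop's readout labels end A as the sender whose peer never replies and end B as the side that receives but does not answer, which is where cmb says to look.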
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.