STIR/SHAKEN Client Statistics
The SBC provides standard tools to evaluate, track and troubleshoot client operations. You obtain applicable statistics from the ACLI, with information separated between AS and VS server interactions. The output includes period and lifetime monitoring spans.
You can also configure the SBC to provide these statistics using SNMP, HDR and REST. In addition to the above, the SBC enhances applicable CDRs to include calling party authentication information.
You can retrieve STIR/SHAKEN statistics from the SBC using ACLI, SNMP, HDR and REST. For this reporting, the term “system wide” is the sum of all requests. For all statistics outputs, the SBC reports values on session-agent, sip-interface, realm, STI Server, and system wide bases:
- Successful requests and responses—Based on receipt of a 200 OK.
- Unsuccessful requests and responses
- Successful and unsuccessful verifications
- Policy exceptions
- Service exceptions
- The presence and absence of a SIP Identity header in INVITEs
- The number of egress INVITEs to which a bypass token header was added
- The number of signing requests that were bypassed
- The number of verification requests that were bypassed
- The number of signing requests not sent to the STI server, due to:
  - STI server is unreachable (circuit breaker state is OPEN)
  - Overloaded sipd or curld threads (you can see statistics for curld or sipd by using the show processes and show processes overload commands)
  - Exceeded STI server admission control restraints
  - Absence of valid TN
  - Ingress message matches conditions for bypassing verification
  - Required attestation headers are missing
  - Any other reason, including policy or service exceptions
- The number of validation requests not sent to the STI server, due to:
  - STI server is unreachable (circuit breaker state is OPEN)
  - Overloaded sipd or curld threads
  - Exceeded STI server admission control restraints
  - Absence of valid TN
  - Ingress message matches conditions for bypassing authorization
  - Missing or empty identity header
  - Any other reason, including policy or service exceptions
- The number of signing requests that were sent but received no response (timed out)
- The number of verification requests that were sent but received no response (timed out)
- The number of egress signing requests initiated
- The number of signing requests failed due to policy exceptions
- The number of signing requests failed due to service exceptions.
- The number of verification requests failed due to policy exceptions
- The number of verification requests failed due to service exceptions
- The number of successful/unsuccessful signing responses (with status/error codes) received
- The number of verification requests initiated per ingress session agent, sip-interface, realm and system wide
- The number of successful/unsuccessful HTTP and verification responses.
A successful response is defined as a 200 OK containing the verstat parameter.
Response categories include:
- TN-Validation-Passed
- TN-Validation-Failed
- No-TN-Validation – For example, the system detected a syntax error in a verification request.
- 403 – Stale Data
- 436 – Bad_Identity_Info
- Policy exceptions
- Service exceptions
Details on how the SBC increments statistics include:
- The value for STI-VS Success Responses includes all 200 OK responses from the STI-VS service that have a valid payload (JSON).
- The value for STI-VS Unsuccessful Responses includes those in which the STI-VS server is unable to verify a call, including:
  - Service exceptions
  - Policy exceptions
  - There is no JSON in the response
  - Timeouts and other signaling issues that cause the response to fail
- Successful responses include the STI-VS service verifying the call or authoritatively providing a rejection cause, all provided within a 200 OK STI-VS response.
- Validated calls are calculated by subtracting the value of STI-VS Failed Verification from STI-VS Success Responses.
- Successful verifications include each call the STI-VS service can verify.
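The increment rules above can be modeled offline to sanity-check counters pulled from the SBC. The following Python sketch is an added example, not SBC code: the JSON field names (verificationResponse, requestError, serviceException, policyException), the counter names, the sample replies, and the treatment of every verstat other than TN-Validation-Passed as a failed verification are all assumptions made for illustration.

```python
import json
from collections import Counter

# Constructed replies: (HTTP status, body); None = timed out. Field names are assumed.
SAMPLE_REPLIES = [
    (200, '{"verificationResponse": {"verstat": "TN-Validation-Passed"}}'),
    (200, '{"verificationResponse": {"verstat": "TN-Validation-Failed"}}'),
    (200, '{"verificationResponse": {"verstat": "No-TN-Validation"}}'),
    (200, ""),  # 200 OK with no JSON
    (400, '{"requestError": {"serviceException": {"messageId": "SVC-EXAMPLE"}}}'),
    (403, '{"requestError": {"policyException": {"messageId": "POL-EXAMPLE"}}}'),
    (None, ""),  # request sent, no response
]

def parse_body(body):
    """Return the decoded JSON object, or None when there is no JSON object."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    return doc if isinstance(doc, dict) else None

def sub(doc, key):
    """Return doc[key] when it is a JSON object, else an empty dict."""
    val = (doc or {}).get(key)
    return val if isinstance(val, dict) else {}

def tally(replies):
    c = Counter()
    for status, body in replies:
        doc = parse_body(body)
        verstat = sub(doc, "verificationResponse").get("verstat")
        if status == 200 and verstat:
            c["success_responses"] += 1
            c[f"verstat:{verstat}"] += 1
            # Assumption: any verstat other than Passed is a failed verification.
            if verstat != "TN-Validation-Passed":
                c["failed_verification"] += 1
            continue
        c["unsuccessful_responses"] += 1
        err = sub(doc, "requestError")
        reason = ("timeouts" if status is None else
                  "service_exceptions" if "serviceException" in err else
                  "policy_exceptions" if "policyException" in err else
                  "no_json" if doc is None else "other_failures")
        c[reason] += 1
    # Validated calls = Success Responses - Failed Verification
    c["validated_calls"] = c["success_responses"] - c["failed_verification"]
    return c
```

A validated-call count that falls while success responses stay flat points to the STI-VS rejecting more calls, while rising timeouts or no-JSON replies point to a transport or server problem instead.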