The dpd command configures the dead peer detection (DPD) idle time, DPD packet retransmission interval, and maximum number of DPD packet retransmissions on the specified IKE peer.
The undo dpd command restores the default DPD idle time, DPD packet retransmission interval, and maximum number of DPD packet retransmissions on the specified IKE peer.
By default, the DPD idle time, DPD packet retransmission interval, and maximum number of DPD packet retransmissions on an IKE peer are 30s, 15s, and 3 respectively.
dpd { idle-time interval | retransmit-interval interval | retry-limit times }
undo dpd { idle-time | retransmit-interval | retry-limit }
| Parameter | Description | Value |
|---|---|---|
| idle-time interval | Specifies the DPD idle time. | The value is an integer that ranges from 10 to 3600, in seconds. |
| retransmit-interval interval | Specifies the DPD packet retransmission interval. | The value is an integer that ranges from 2 to 60, in seconds. |
| retry-limit times | Specifies the maximum number of DPD packet retransmissions. | The value is an integer that ranges from 3 to 10. |
Usage Scenario
When two peers communicate over IPSec, a heartbeat mechanism can detect that the remote peer has failed, so that traffic is not sent into dead SAs and lost. However, periodic heartbeat exchanges consume CPU resources on both ends even when the tunnel is healthy. The DPD mechanism instead sends DPD messages only when the device has not received IPSec packets from the peer within a configured period (the DPD idle time). It therefore still detects peer faults but saves CPU resources.
The device sets the DPD mode and enables the DPD function based on the dpd type or ike dpd type command. Two DPD modes are available:
- On-demand mode: the local end sends a DPD request packet to the remote end only when it needs to send IPSec packets to the remote end and has not received IPSec packets from the remote end within the DPD idle time.
- Periodic mode: if the local end receives neither IPSec packets nor a DPD request packet from the remote end within the DPD idle time, it periodically sends DPD request packets to the remote end.
In either mode, the local end retransmits the DPD request packet if it does not receive a DPD response packet from the remote end within the retransmission interval. If, after the maximum number of retransmissions has been reached, it still receives no DPD response packet within one more retransmission interval, the local end considers the remote end offline and deletes the corresponding IKE SA and IPSec SA.
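The timer behaviour described above determines how long a dead peer can hold stale IKE and IPSec SAs before they are torn down. The following Python model is an added example for this page, not vendor code: it implements the two modes described above (called "on-demand" and "periodic" here), the idle time, the retransmission interval and the retry limit, and checks configured values against the ranges in the parameter table. The formula it uses for worst-case detection time, idle-time plus (retry-limit + 1) retransmission intervals, is this model's reading of the paragraph above, not a figure the page states.

```python
"""Timer model of IKE dead peer detection (DPD) as described above.

Constructed example for this page, not vendor code: it models the idle-time,
retransmit-interval and retry-limit semantics in the text and checks the
configured values against the ranges in the parameter table. Times are seconds.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Permitted ranges from the parameter table above.
RANGES = {"idle-time": (10, 3600), "retransmit-interval": (2, 60), "retry-limit": (3, 10)}


def validate(idle_time: int, retransmit_interval: int, retry_limit: int) -> None:
    """Reject values the dpd command would not accept."""
    for name, value in (("idle-time", idle_time),
                        ("retransmit-interval", retransmit_interval),
                        ("retry-limit", retry_limit)):
        lo, hi = RANGES[name]
        if not isinstance(value, int) or not lo <= value <= hi:
            raise ValueError(f"dpd {name} {value}: must be an integer in [{lo}, {hi}]")


def worst_case_detection_time(idle_time: int, retransmit_interval: int, retry_limit: int) -> int:
    """Seconds from the peer's last packet to SA deletion if the peer goes silent.

    Model assumption taken from the text: the idle timer runs out, the initial
    request waits one interval, and each of the retry_limit retransmissions waits
    one more interval before the peer is declared dead.
    """
    return idle_time + (retry_limit + 1) * retransmit_interval


@dataclass
class DpdPeer:
    """Local-end DPD state for one IKE peer (model, not the device's data structure)."""
    mode: str                           # "on-demand" or "periodic"
    idle_time: int = 30
    retransmit_interval: int = 15
    retry_limit: int = 3
    last_rx: int = 0                    # when the peer last sent IPSec or DPD traffic
    request_sent: Optional[int] = None  # when the unanswered DPD request went out
    retransmits: int = 0
    alive: bool = True
    log: List[Tuple[int, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.mode not in ("on-demand", "periodic"):
            raise ValueError("mode must be 'on-demand' or 'periodic'")
        validate(self.idle_time, self.retransmit_interval, self.retry_limit)

    def receive(self, now: int) -> None:
        """Any IPSec packet or DPD message from the peer proves it is alive."""
        self.last_rx = now
        self.request_sent = None
        self.retransmits = 0

    def tick(self, now: int, want_to_send: bool = False) -> Optional[str]:
        """Run the DPD timers at time `now`; return the action taken, if any."""
        if not self.alive:
            return None
        if self.request_sent is None:
            # Nothing outstanding: only start probing once the idle time has
            # elapsed, and in on-demand mode only when we have traffic to send.
            if now - self.last_rx < self.idle_time:
                return None
            if self.mode == "on-demand" and not want_to_send:
                return None
            self.request_sent = now
            self.log.append((now, "send DPD request"))
            return "dpd-request"
        if now - self.request_sent < self.retransmit_interval:
            return None  # still waiting for the DPD response
        if self.retransmits < self.retry_limit:
            self.retransmits += 1
            self.request_sent = now
            self.log.append((now, f"retransmit DPD request #{self.retransmits}"))
            return "dpd-retransmit"
        # Retry limit reached and one more interval has passed with no response.
        self.alive = False
        self.log.append((now, "peer dead: delete IKE SA and IPSec SA"))
        return "peer-dead"


def time_to_detect_silent_peer(mode: str, idle_time: int = 30,
                               retransmit_interval: int = 15, retry_limit: int = 3) -> Optional[int]:
    """Drive the model one second at a time against a peer that never answers."""
    peer = DpdPeer(mode, idle_time, retransmit_interval, retry_limit)
    for now in range(0, idle_time + (retry_limit + 2) * retransmit_interval + 1):
        if peer.tick(now, want_to_send=True) == "peer-dead":
            return now
    return None


if __name__ == "__main__":
    # Defaults from the page: 30 s idle, 15 s retransmit interval, 3 retransmissions.
    print("defaults:", time_to_detect_silent_peer("periodic"))             # 90
    # The page's example: dpd idle-time 300, retransmit-interval 10, retry-limit 4.
    print("example :", time_to_detect_silent_peer("periodic", 300, 10, 4))  # 350
```

With the defaults the model tears down the SAs 90 seconds after the peer's last packet; with the idle-time 300 / retransmit-interval 10 / retry-limit 4 settings used in the configuration example it takes 350 seconds. Raising idle-time reduces probe traffic and CPU load, but lengthens the window in which traffic is still sent to a dead peer, so the values should be chosen against the failover time the tunnel is expected to meet.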
Precautions
The DPD parameters that take effect depend on where DPD is enabled. If DPD is enabled on the IKE peer with the dpd type command, the peer uses the values set with the dpd command. If DPD is enabled globally with the ike dpd type command, the peer uses the values set with the ike dpd command instead.
# Set the DPD idle time, DPD packet retransmission interval, and maximum number of DPD packet retransmissions on the IKE peer test to 300s, 10s, and 4.
```
<sysname> system-view
[sysname] ike peer test
[sysname-ike-peer-test] dpd idle-time 300
[sysname-ike-peer-test] dpd retransmit-interval 10
[sysname-ike-peer-test] dpd retry-limit 4
```