
ike dpd

Function

The ike dpd command configures the global dead peer detection (DPD) idle time, DPD packet retransmission interval, and maximum number of DPD packet retransmissions.

The undo ike dpd command restores the default global DPD idle time, DPD packet retransmission interval, and maximum number of DPD packet retransmissions.

By default, the global DPD idle time is 30s, the DPD packet retransmission interval is 15s, and the maximum number of DPD packet retransmissions is 3.

Format

ike dpd { idle-time interval | retransmit-interval interval | retry-limit times }

undo ike dpd { idle-time | retransmit-interval | retry-limit }

Parameters

Parameter                      Description                                                   Value
idle-time interval             Specifies the DPD idle time.                                  Integer, 10 to 3600, in seconds.
retransmit-interval interval   Specifies the DPD packet retransmission interval.             Integer, 2 to 60, in seconds.
retry-limit times              Specifies the maximum number of DPD packet retransmissions.   Integer, 3 to 10.

Views

system view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When two peers communicate over IPSec, a heartbeat mechanism can detect a failed peer so that traffic is not sent into a dead tunnel and lost. Periodic heartbeat exchanges, however, consume CPU resources on both ends. With DPD, a device sends DPD messages to probe the peer only when it has received no IPSec packets from that peer within a configured period, so peer faults are still detected while CPU usage is reduced.

DPD is enabled, and its mode selected, with the dpd type command (per IKE peer) or the ike dpd type command (globally). Two DPD modes are available:

  • On-demand DPD

    When the local end needs to send IPSec packets to the remote end, the local end sends a DPD request packet to the remote end for DPD detection.

  • Periodic DPD

    If the local end does not receive IPSec packets or a DPD request packet from the remote end after the DPD idle time expires, it periodically sends a DPD request packet to the remote end.

If the local end receives no DPD response within the retransmission interval, it retransmits the DPD request. Once the maximum number of retransmissions has been sent and one further retransmission interval passes with no response, the local end considers the remote end offline and deletes the associated IKE SA and IPSec SAs. Note that this tears down the tunnel: a retransmission interval and retry limit that are too aggressive for a lossy link can delete the SAs of a peer that is merely slow to answer, so the values should be chosen against the expected packet loss and the failover time the deployment needs.
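The timer interaction described above is easier to reason about in code. The following is an added example, not Huawei's code: a tick-based model of periodic DPD on the local end that takes the three ike dpd values, a constructed list of packets arriving from the peer, and reports when (if ever) the peer is declared dead. The arithmetic for the worst-case detection time follows the mechanism as described on this page; the exact accounting inside a given device firmware is an assumption, as is the choice to treat any packet from the peer (IPSec data, DPD request or DPD response) as proof of liveness that cancels an outstanding DPD request.

```python
"""Model of the ike dpd timers (added example, not Huawei code).

Parameters mirror ike dpd idle-time / retransmit-interval / retry-limit and
the defaults and ranges documented on this page.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DpdConfig:
    idle_time: int = 30            # seconds, documented range 10..3600
    retransmit_interval: int = 15  # seconds, documented range 2..60
    retry_limit: int = 3           # retransmissions, documented range 3..10

    def validate(self) -> None:
        """Reject values the ike dpd command would not accept."""
        if not 10 <= self.idle_time <= 3600:
            raise ValueError("idle-time must be 10..3600 seconds")
        if not 2 <= self.retransmit_interval <= 60:
            raise ValueError("retransmit-interval must be 2..60 seconds")
        if not 3 <= self.retry_limit <= 10:
            raise ValueError("retry-limit must be 3..10")


def worst_case_detection_time(cfg: DpdConfig) -> int:
    """Seconds from the last packet heard from the peer until it is declared
    dead: wait idle-time, send a request, retransmit retry-limit times at
    retransmit-interval, then give up one interval after the last retransmit.
    (Accounting follows the page's description; firmware may differ.)"""
    return cfg.idle_time + (cfg.retry_limit + 1) * cfg.retransmit_interval


def simulate(cfg: DpdConfig, inbound: List[Tuple[int, str]],
             horizon: int) -> Tuple[Optional[int], List[str]]:
    """Run periodic DPD second by second up to `horizon`.

    inbound: constructed (second, kind) arrivals from the peer; kind is
    "ipsec", "dpd-request" or "dpd-response". Assumption: any of them proves
    liveness and cancels an outstanding DPD request.
    Returns (second the peer was declared dead or None, event log).
    """
    cfg.validate()
    arrivals = sorted(inbound)
    last_heard = 0                      # last second any peer traffic arrived
    request_sent_at: Optional[int] = None  # outstanding DPD request, if any
    retransmits = 0
    log: List[str] = []
    i = 0
    for t in range(1, horizon + 1):
        # 1. Deliver everything the peer sent up to this second.
        while i < len(arrivals) and arrivals[i][0] <= t:
            kind = arrivals[i][1]
            i += 1
            last_heard = t
            if request_sent_at is not None:
                log.append(f"{t}s: {kind} received, peer alive")
            request_sent_at = None
            retransmits = 0
        # 2. Idle timer: probe the peer once nothing has been heard for idle-time.
        if request_sent_at is None:
            if t - last_heard >= cfg.idle_time:
                request_sent_at = t
                log.append(f"{t}s: idle {cfg.idle_time}s, send DPD request")
        # 3. Retransmission timer on the outstanding request.
        elif t - request_sent_at >= cfg.retransmit_interval:
            if retransmits >= cfg.retry_limit:
                log.append(f"{t}s: no response after {cfg.retry_limit} "
                           "retransmissions, delete IKE SA and IPSec SA")
                return t, log
            retransmits += 1
            request_sent_at = t
            log.append(f"{t}s: retransmit DPD request #{retransmits}")
    return None, log


if __name__ == "__main__":
    # Constructed scenarios: silent peer with defaults, silent peer with the
    # values from this page's Example, and a peer that answers one probe.
    for cfg, inbound in ((DpdConfig(), []),
                         (DpdConfig(300, 10, 4), []),
                         (DpdConfig(), [(31, "dpd-response")])):
        dead, log = simulate(cfg, inbound, horizon=600)
        print(cfg, "-> dead at", dead, "(worst case from last packet:",
              worst_case_detection_time(cfg), "s)")
        for line in log:
            print("   ", line)
```

With the defaults the model declares a silent peer dead 90 s after its last packet (30 + 4 x 15); with the values from the Example below it takes 350 s (300 + 5 x 10). That is the interval during which traffic is still being sent into a dead tunnel, and it is the figure to balance against the risk of tearing down a healthy but lossy tunnel when choosing the three values.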

Precautions

The ike dpd command must be used with the ike dpd type and ike dpd msg commands.

If the dpd type command is configured on an IKE peer, that peer uses the DPD parameters set with the dpd command. If DPD is enabled globally with the ike dpd type command, the IKE peer uses the DPD parameters set with the ike dpd command.

Example

# Set the global DPD idle time to 300s, DPD packet retransmission interval to 10s, and maximum number of DPD packet retransmissions to 4.

<sysname> system-view
[sysname] ike dpd idle-time 300
[sysname] ike dpd retransmit-interval 10
[sysname] ike dpd retry-limit 4
Copyright © Huawei Technologies Co., Ltd.