ike dpd type

Usage Scenario

When peers implement IPSec communication, the heartbeat mechanism can detect peer faults to avoid traffic loss. However, the periodic heartbeat message exchanges consume CPU resources on the two ends. The DPD mechanism enables a device to send DPD messages for peer detection only when the device does not receive IPSec packets from the peer within a period. This mechanism can detect peer faults and save CPU resources.

The device sets the DPD mode and enables the DPD function based on the dpd type or ike dpd type command. Two DPD modes are available:

• On-demand DPD

  When the local end needs to send IPSec packets to the remote end, the local end sends a DPD request packet to the remote end for DPD detection.

• Periodic DPD

  If the local end does not receive IPSec packets or a DPD request packet from the remote end after the DPD idle time expires, it periodically sends a DPD request packet to the remote end.

The local end retransmits DPD request packets if it does not receive any DPD response packet from the remote end within the retransmission interval. If the local end still does not receive any DPD response packet within the retransmission interval after the maximum number of retransmissions is reached, the local end considers that the remote end is offline and deletes the involved IKE SA and IPSec SA.

Precautions

The payload sequence of DPD packets configured using the dpd msg or ike dpd msg command on IKE peers at both ends must be the same; otherwise, DPD does not take effect.

If the dpd type command is configured on an IKE peer, the IKE peer starts DPD query and sets the DPD mode based on the dpd type command configuration regardless of whether the ike dpd type command is configured globally. If the dpd type command is not configured on an IKE peer, whether the IKE peer starts DPD and sets the DPD mode depends on the ike dpd type command configuration.