Configuring Dead Peer Detection - Siemens RUGGEDCOM ROX II User Manual

Chapter 5
Setup and Configuration
Section 5.29.6.3

Configuring Dead Peer Detection

Dead Peer Detection (DPD), as defined in RFC 3706 [http://tools.ietf.org/html/rfc3706], is used to detect dead Internet Key Exchange (IKE) peers. In this method, peers exchange DPD Request (ISAKMP R-U-THERE) and DPD Response (ISAKMP R-U-THERE-ACK) messages. If a DPD Response is not received by a peer after a specified time and/or number of attempts, the other peer is considered dead. The remaining peer can either hold the connection until the other peer responds, clear the connection, restart the connection and renegotiate the Security Association (SA), or restart all SAs to the dead peer.

In RUGGEDCOM ROX II, DPD Requests are sent when no traffic is detected by the peer. How long to wait before sending a DPD Request and how long to wait for a DPD Response are user configurable.

It is generally recommended that DPD be configured to clear connections with any dead peers.

To configure dead peer detection for an IPsec connection, do the following:

1. Make sure the CLI is in Configuration mode.

2. Enable dead peer detection by typing:

   tunnel ipsec connection name dead-peer-detect enabled [ true | false ]

   Where:
   • name is the connection name.

3. Configure the following parameter(s) as required:

   NOTE
   The timeout period must be two minutes longer than the interval period.

   Parameter: interval { interval }
   Synopsis: An integer between 1 and 3600
   Default: 30
   Description: The interval (in seconds) between Dead Peer Detection keepalive messages sent for this connection when no traffic (idle) appears to be sent by a DPD-enabled peer.

   Parameter: timeout { timeout }
   Synopsis: An integer between 1 and 28800
   Default: 120
   Description: The time in seconds to wait before a peer is declared dead.
   Prerequisite: The timeout period must be more than two times the interval.

   Parameter: action { action }
   Synopsis: { hold, clear, restart, restart-all-sa }
   Default: restart
   Description: The action to be taken when a DPD-enabled peer is declared dead. Options include:
   • hold: The route will be put on hold status.
   • clear: The route and Security Association (SA) will both be cleared.
   • restart: The SA will immediately be renegotiated.
   • restart-all-sa: All SAs to the dead peer will be renegotiated.

4. Type commit and press Enter to save the changes, or type revert and press Enter to abort.
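The interaction between interval, timeout and action is easier to reason about with a small model. The following Python script is an added example, not code from the manual or from the ROX II firmware: it validates a DPD configuration against the ranges and the "timeout more than two times the interval" prerequisite given in the parameter table, then runs a one-second-step simulation of the R-U-THERE / R-U-THERE-ACK exchange on an idle tunnel. The simulation is a simplified model of RFC 3706 behaviour (the peer answers every request one second later until it "dies"; the `rtt` parameter and the moment the peer stops answering are constructed inputs), so the exact timings should not be read as the device's implementation. What it does show is why the prerequisite exists: with the defaults (30 s / 120 s) three consecutive requests go unanswered before the peer is declared dead, so a single lost UDP datagram cannot tear down a healthy tunnel.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Allowed actions, ranges and defaults are the ones the parameter table gives.
ACTIONS = ("hold", "clear", "restart", "restart-all-sa")


@dataclass(frozen=True)
class DpdConfig:
    interval: int = 30       # seconds between R-U-THERE messages while the tunnel is idle
    timeout: int = 120       # seconds without proof of liveness before the peer is declared dead
    action: str = "restart"  # what to do with the SA(s) once the peer is declared dead

    def validate(self) -> List[str]:
        """Return the list of configuration problems (empty when the config is acceptable)."""
        problems = []
        if not 1 <= self.interval <= 3600:
            problems.append("interval must be an integer between 1 and 3600")
        if not 1 <= self.timeout <= 28800:
            problems.append("timeout must be an integer between 1 and 28800")
        if self.action not in ACTIONS:
            problems.append("action must be one of " + ", ".join(ACTIONS))
        # Prerequisite from the parameter table: the timeout must exceed twice the
        # interval, so at least two requests go unanswered before the peer is declared
        # dead and one lost datagram does not tear the tunnel down.
        if self.timeout <= 2 * self.interval:
            problems.append("timeout must be more than two times the interval")
        return problems


@dataclass
class DpdResult:
    dead_at: Optional[int]                          # second the peer was declared dead, or None
    action: Optional[str]                           # action taken at that moment, or None
    requests: List[int] = field(default_factory=list)  # seconds at which R-U-THERE was sent
    acks: List[int] = field(default_factory=list)      # seconds at which R-U-THERE-ACK arrived

    @property
    def unanswered(self) -> int:
        """Number of requests that never received a response."""
        return len(self.requests) - len(self.acks)


def simulate_dpd(cfg: DpdConfig, peer_dies_at: Optional[int], horizon: int,
                 rtt: int = 1) -> DpdResult:
    """Simplified one-second model of DPD on an otherwise idle tunnel (constructed model).

    The local side sends R-U-THERE whenever `interval` seconds have passed since the
    last proof of liveness or the last request, whichever is later. The remote side
    answers each request `rtt` seconds later until `peer_dies_at` (None = never dies).
    The local side declares the peer dead once `timeout` seconds pass without any
    proof of liveness, and then takes `cfg.action`.
    """
    result = DpdResult(dead_at=None, action=None)
    last_proof = 0               # t = 0: the tunnel was just negotiated, so the peer is alive
    pending_acks: Set[int] = set()  # arrival times of responses still in flight
    for t in range(1, horizon + 1):
        if t in pending_acks:    # a R-U-THERE-ACK arrived: fresh proof of liveness
            pending_acks.discard(t)
            result.acks.append(t)
            last_proof = t
        if t - last_proof >= cfg.timeout:   # timeout expired with no proof of liveness
            result.dead_at, result.action = t, cfg.action
            return result
        idle_since = max([last_proof] + result.requests)
        if t - idle_since >= cfg.interval:  # idle for a full interval: send R-U-THERE
            result.requests.append(t)
            if peer_dies_at is None or t < peer_dies_at:
                pending_acks.add(t + rtt)   # a live peer answers rtt seconds later
    return result


if __name__ == "__main__":
    cfg = DpdConfig()                       # the documented defaults: 30 s / 120 s / restart
    print("problems:", cfg.validate() or "none")
    r = simulate_dpd(cfg, peer_dies_at=100, horizon=400)   # constructed: peer stops at t=100
    print("requests:", r.requests, "acks:", r.acks)
    print("declared dead at", r.dead_at, "after", r.unanswered,
          "unanswered requests; action:", r.action)
    bad = DpdConfig(interval=30, timeout=45)
    print("interval=30 timeout=45 ->", bad.validate())
```

Running the script with the defaults reports the peer dead at t=213 after requests at 123, 153 and 183 went unanswered; with a timeout of 45 s the validator rejects the configuration before it is ever simulated, which is the check a practitioner would want to run before committing the change on the device.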
RUGGEDCOM ROX II CLI User Guide