DPD timeout value !

illusion_rox (Level 1)

Hi all, I am faced with a difficult situation, but a very common one. I have one hub router and one spoke router with two WAN links: WiMAX and DSL. I am using GRE tunnels to run OSPF between spoke and hub. I have used OSPF costing to make one link primary and the other backup. So far my network is working fine. Now I am deploying site-to-site VPN. Since I have two separate WAN links and I need VPN on both of them, at the spoke end I will be using two peer statements, right?

! Spoke crypto map as posted (abbreviated "mat" expanded to "match")
crypto map my 10 ipsec-isakmp
 match address 111
 set peer (primary WAN IP of hub)
 set peer (secondary WAN IP of hub)
 set transform-set sample

Now everything is working fine. I am having an issue when my major link goes down: ISAKMP takes TOO much time to shift to the secondary link. This is my sample ping:

R4#ping 10.1.10.1 source 10.1.8.1 rep 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.1.10.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.8.1
.!!!!!!!!!!!!!!!!..!.!!!.........................................................................................................!!!!!

I need to reduce this time to the minimum possible. This is a very common design, so please guide me. Please note the following:

1) The hub router is a 3845 running advseck9 IOS.

2) The spoke router is an 1841 running advseck9 IOS.

I am using simple site-to-site VPN. I can't use DMVPN because we discussed this scenario with a CCIE Security and he agreed that DMVPN would be too complex to handle in our scenario, since the number of spokes is more than 150. They are divided into 3 OSPF areas, with 1 hub for each area handling almost 50 spokes.

Please guide me. I think this has to do with DPD, but I don't see much effect from it.

3 Replies

hadbou (Level 5)

The DPD (dead peer detection) timeout parameter specifies the timeout value in seconds. The DPD timer is used to determine if a DPD packet needs to be sent to the peer. The DPD timer is reset every time a Cisco SSL Tunnel Protocol (CSTP) frame is received from the peer. Valid values for the DPD interval for client and gateway are 0 (disabled) to 3600 seconds. Default is 300 seconds.

To configure the dead peer detection (DPD) timer value for the gateway or client, use the "svc dpd-interval" command in webvpn group policy configuration mode. To remove a DPD timer value from the policy group configuration, use the no form of this command. Reduce the timeout value using this command.

Farrukh Haroon (VIP Alumni)

You can configure ISAKMP keepalives as per the following:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtdpmo.html

Please do it on both sides.

Regards

Farrukh
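A worked configuration for the ISAKMP keepalive (DPD) approach this reply points to, added here as an example; it is not from the original thread or from Cisco's documentation. The OP's crypto map name, ACL number and transform-set name are reused, but the addresses (RFC 5737 documentation prefixes), the pre-shared key, the contents of ACL 111, the ISAKMP policy, the interface names and the timer values are all assumptions for illustration.

```cisco
! Added example, not from the original thread. Assumed addresses:
!   hub WAN1 203.0.113.1 (primary), hub WAN2 198.51.100.1 (secondary)
!   spoke WAN1 192.0.2.2 (WiMAX), spoke WAN2 192.0.2.130 (DSL)
!
! ===== Spoke (1841) =====
!
! Periodic DPD: send an R-U-THERE every 10 s regardless of data traffic and,
! when it goes unanswered, retry every 3 s. Without the "periodic" keyword
! IOS uses on-demand DPD, which only probes when the router has traffic to
! send AND has heard nothing from the peer for the interval, so a dead peer
! can go unnoticed for much longer than the configured interval suggests.
crypto isakmp keepalive 10 3 periodic
!
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
! One pre-shared key entry per hub WAN address (placeholder key)
crypto isakmp key ExamplePSK address 203.0.113.1
crypto isakmp key ExamplePSK address 198.51.100.1
!
crypto ipsec transform-set sample esp-aes esp-sha-hmac
!
! Interesting traffic: the GRE tunnels between spoke and hub. The real
! contents of ACL 111 are not in the original post; these lines are assumed.
access-list 111 permit gre host 192.0.2.2 host 203.0.113.1
access-list 111 permit gre host 192.0.2.130 host 198.51.100.1
!
! Two peers, tried in the order listed.
crypto map my 10 ipsec-isakmp
 match address 111
 set peer 203.0.113.1
 set peer 198.51.100.1
 set transform-set sample
!
! The crypto map must be applied to BOTH WAN interfaces, because either
! one may carry the tunnel depending on which path OSPF prefers.
interface FastEthernet0/0
 description WiMAX
 crypto map my
!
interface FastEthernet0/1
 description DSL
 crypto map my
!
! ===== Hub (3845) =====
!
! DPD is negotiated per IKE SA, so it has to be enabled on both ends, as the
! reply says; the hub's policy, keys and crypto map are omitted here.
crypto isakmp keepalive 10 3 periodic
```

With these values the worst-case time to declare the peer dead is the interval plus the retries: 10 s, then one retry every 3 s until IOS gives up (to my recollection after five retries, which would give roughly 25 s; confirm on your release with `debug crypto isakmp`, which logs the R_U_THERE / R_U_THERE_ACK exchange and the deletion of the SA when the peer is declared dead). Only after the IKE and IPsec SAs are deleted does the next interesting packet trigger a fresh negotiation toward the surviving peer, so the ping gap in the question is bounded below by this detection time plus a new IKE and IPsec negotiation. Two caveats: periodic DPD with 50 spokes per hub means 50 probes per interval at the hub, which is trivial at 10 s but worth checking before pushing the interval down to a second or two; and DPD detects a dead IKE peer, not a dead local link, so if faster failover is needed the routing protocol over the GRE tunnels (OSPF hello/dead timers) has to converge as well, since the crypto map only follows the traffic the routing table hands it.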

Dear Farrukh, thanks a lot for the feedback, but I knew how to enable it. Actually what I was asking was when a router will declare the peer dead, i.e. what the dead timer is, if you will. Anyway, using the debug and the RFC I got it working.

Thanks a lot anyway, guys :-) Please look at my other query.
