We've encountered an error with an IPSec tunnel between a Cisco 1811 and a pair of Draytek 3300s in High Availability mode. The connection was up and stable, and the two Draytek units were online and in sync; the master then went offline, failing over the connection to the master, at which point the IPSec tunnel went down.
I've spoken to Draytek about the issue as it looked to be an issue with their HA setup, but they've asked me to check if the Cisco supports IPSec DPD. I've looked and looked and cannot find the answer, hence the post.
If anyone can let me know whether this is supported on the 1811 I would be grateful; even better if you can suggest a problem with our scenario.
DPD means Dead Peer Detection.
For enabling DPD at all times you need the periodic option.
Compare your configuration with the example in the link above, or post your configuration here after having changed public IP addresses and removed usernames and passwords.
To be honest, I think their HA IPSec configuration was not perfect, as the objective of an HA IPSec is that of providing a seamless move to the new peer.
For achieving this the two devices need to share the IPSec connection table, including current IPSec and ISAKMP Security Associations.
DPD could help in case the new IPSec peer presents itself with a different SA proposal, confusing the other device.
DPD can help in case of stateless HA IPsec by allowing the Cisco device to declare down the previous sets of SAs and to negotiate SAs with the new active IPSec peer instead of rejecting them.
Post `show ver | inc image`.
In order to check if IPSec DPD is supported on your C1811 you can use Feature Navigator.
Search by feature: IPSec DPD.
This supports periodic DPD on the C1811.
The exact name of the feature is:
Hope to help.
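As an added illustration, not taken from the poster's configuration or the reply above, here is the IOS ISAKMP keepalive setting in its on-demand form beside the periodic form the reply recommends, followed by the commands used to verify DPD and SA state. The timer values are assumed placeholders, not values from the thread.

```cisco
! Added example, not the poster's configuration. Timer values are illustrative.
!
! Form 1 (on-demand, the IOS default when no keyword is given): a DPD probe is
! only sent when the router has traffic for the peer and has heard nothing
! back. After an HA failover with no traffic flowing, the dead peer is
! noticed late and the old ISAKMP/IPsec SAs linger.
crypto isakmp keepalive 10 3 on-demand
!
! Form 2 (periodic): an R-U-THERE probe is sent every 10 s regardless of
! traffic, with 3 s between retries once a probe goes unanswered. When the
! peer is declared dead its ISAKMP and IPsec SAs are torn down, so the new
! active HA unit's fresh proposal is negotiated instead of clashing with
! stale SAs. Only one keepalive line is active; the last one entered wins.
crypto isakmp keepalive 10 3 periodic
!
! Verification from exec mode: DPD status and SA state per peer.
! show crypto isakmp sa detail
! show crypto session detail
```

If `show crypto isakmp sa detail` still lists an SA for the old peer after failover while the tunnel is down, DPD is either not enabled or running on-demand only.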