With DPD, I've read what it is and have a basic understanding of its operation. However, there is no reference to what DPD does if it loses a peer. Does it simply wipe out the SAs and wait for interesting traffic? Or does it try to re-establish the tunnel? With Easy VPN remotes where the remote is a DHCP-assigned address, do DPD/ISAKMP keepalives keep the tunnel open? With network extension mode, will the tunnel automatically establish itself? How does the VPN remote define interesting traffic? Thanks,
When DPD finds that the peer is dead, it brings down all the SAs and recreates them from the beginning. The main idea of DPD is to let one peer know whether the other is dead or alive and, if dead, take immediate action such as switching over to a standby peer for redundancy. If there is no standby peer, then all tunnels with the original peer are destroyed. Only when interesting traffic is found again does it try to negotiate IKE parameters in Phase 1, this time with the IP address the peer has at that point in time, as given by DHCP. If the DHCP lease time is less than the IKE SA lifetime, then the remote node may get a new address and this will spoil the show, because when the IKE SA lifetime expires, it expects the peer IP address to be the same as the one it had when it first negotiated IKE parameters.
Note that DPD can't be used to bring the SAs up if they are down. DPD works only if there are existing SAs and one wants to find if the other peer is alive.
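The timing interaction described in the answer, as an added illustration that is not part of the original thread: a constructed second-by-second simulation of one hub/remote pair in which DPD only runs while an SA exists, a dead peer is torn down after the configured retries, a new SA is attempted only when interesting traffic appears, and a DHCP lease shorter than the IKE SA lifetime breaks the rekey. All timers, addresses and the DHCP behaviour are made-up sample values, not vendor defaults.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Sim:
    dhcp_lease: int                     # remote gets a new address at every lease expiry
    ike_lifetime: int                   # IKE SA lifetime; a rekey is attempted at expiry
    dpd_interval: int                   # seconds between DPD probes
    dpd_retries: int                    # unanswered probes before the peer is declared dead
    peer_down_at: Optional[int] = None  # second at which the remote stops answering
    traffic_at: tuple = ()              # seconds at which interesting traffic appears
    events: list = field(default_factory=list)

def remote_addr(sim: Sim, t: int) -> str:
    """Constructed DHCP behaviour: the address changes whenever the lease expires."""
    return f"198.51.100.{(t // sim.dhcp_lease) % 250 + 1}"

def peer_alive(sim: Sim, t: int) -> bool:
    return sim.peer_down_at is None or t < sim.peer_down_at

def run(sim: Sim, duration: int) -> list:
    """Simulate the pair and return a list of (time, event, peer address)."""
    sa_addr = None          # peer address recorded at Phase 1; None while no SA exists
    sa_born = missed = 0
    for t in range(duration + 1):
        if t in sim.traffic_at and sa_addr is None:    # interesting traffic, no SA
            if not peer_alive(sim, t):
                sim.events.append((t, "phase1_failed", None))
                continue
            sa_addr, sa_born, missed = remote_addr(sim, t), t, 0
            sim.events.append((t, "phase1", sa_addr))
        if sa_addr is None or t == sa_born:
            continue                                    # DPD needs an existing SA
        if (t - sa_born) % sim.ike_lifetime == 0:       # IKE SA expiry: rekey
            if remote_addr(sim, t) != sa_addr:          # lease expired before lifetime
                sim.events.append((t, "rekey_failed_addr_changed", remote_addr(sim, t)))
                sa_addr = None
                continue
            sim.events.append((t, "rekey_ok", sa_addr))
        if (t - sa_born) % sim.dpd_interval == 0:       # DPD probe
            missed = 0 if peer_alive(sim, t) else missed + 1
            if missed >= sim.dpd_retries:
                sim.events.append((t, "dpd_dead_teardown", sa_addr))
                sa_addr = None                          # torn down; nothing rebuilds it
    return sim.events
```

Running it with a lease of 300 s against a 600 s IKE lifetime produces a failed rekey at the first expiry, while a 1200 s lease rekeys cleanly; with the peer going silent at 100 s, the SA is torn down after three missed probes and nothing happens until traffic triggers a fresh Phase 1 attempt.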