Dead peer detection (DPD) is a keepalive scheme that allows the router to
query the liveness of its IKE peer. There are two DPD options: periodic and
on-demand.
Periodic DPD
Periodic DPD works on the basis of a timer. If the timer is set to 10 seconds,
the router sends a hello message every 10 seconds unless it receives a hello
message from the peer first. The benefit of periodic DPD is earlier detection
of dead peers. However, periodic DPD relies on messages that must be sent with
considerable frequency, so the communicating peers must encrypt and decrypt
more packets.
On-demand DPD
DPD also has an on-demand approach, which is the default. With on-demand DPD,
messages are sent on the basis of traffic patterns: if a router has outbound
traffic to send and the liveness of the peer is questionable, it sends a DPD
message to query the status of the peer. If a router has no traffic to send,
it never sends a DPD message, so if the peer is dead and the router never has
traffic for it, the router will not find out until the IKE or IPsec SA has to
be re-keyed. If, on the other hand, the router has traffic for the peer and the
peer does not respond, the router initiates a DPD message to determine the
state of the peer.
Enable DPD
Use the crypto isakmp keepalive command in global configuration mode to enable
a Cisco IOS VPN gateway, instead of the VPN Client, to send DPD messages.
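The two modes side by side, as an added Cisco IOS configuration example that is not part of the original page. The timer values (10-second interval, 3-second retry interval) are illustrative assumptions; the two keepalive lines are alternatives, and only one of them belongs in a running configuration.

```cisco
! Added example: IKEv1 DPD (RFC 3706 R-U-THERE / R-U-THERE-ACK exchange).
!
! Option 1 - periodic DPD: send a hello every 10 seconds regardless of
! traffic; once a reply is missed, retry every 3 seconds. Detects a dead
! peer sooner, at the cost of more packets to encrypt and decrypt.
crypto isakmp keepalive 10 3 periodic
!
! Option 2 - on-demand DPD (the IOS default): same timers, but a query is
! sent only when the router has outbound traffic for the peer and has seen
! no proof of life within the last 10 seconds. An idle tunnel to a dead
! peer is not noticed until the IKE or IPsec SA must be re-keyed.
crypto isakmp keepalive 10 3 on-demand
!
! Verify that the ISAKMP SA is still up (state should remain QM_IDLE)
! and that the tunnel is reported as active.
! show crypto isakmp sa
! show crypto session
```

Choose periodic DPD where fast failover between gateways matters more than the extra crypto load; keep the default on-demand mode on busy links, where traffic already triggers liveness checks.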