Dead peer detection (DPD) allows two IPSec peers to determine whether the other is still alive during the lifetime of a VPN connection. DPD is useful because a host may reboot, or the dialup link of a remote user may disconnect, without notifying the peer that the VPN connection has gone away. When the IPSec host determines that a VPN connection no longer exists, it can notify the user, attempt to switch to another IPSec host, or clean up valuable resources that were allocated for the peer that no longer exists.
A DPD peer can send DPD messages, reply to DPD messages, or both. DPD messages are unidirectional and are automatically sent by Cisco VPN clients. Unlike the old-style IKE keepalives, DPD is not required on both peers: it can be configured on just the remote, just the headend, or both, depending on the requirements. The isakmp keepalive command in tunnel-group ipsec-attributes configuration mode is used to enable the PIX Security Appliance gateway to send IKE DPD messages. The number of seconds between DPD messages can be configured, as can the number of seconds between retries when a DPD message goes unanswered.
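As an added illustration (not from the original text), the following is a tunnel-group configuration on a PIX/ASA 7.x headend that enables DPD with an explicit interval and retry timer; the tunnel-group name REMOTE-USERS and the values 30 and 5 are assumptions chosen for the example, not values from the page.

```text
! Assumed tunnel-group name for a remote-access (IPSec-RA) group
tunnel-group REMOTE-USERS type ipsec-ra
tunnel-group REMOTE-USERS ipsec-attributes
 ! threshold = seconds of idle time before a DPD message is sent to the peer
 ! retry     = seconds between retransmissions when no DPD reply is received
 isakmp keepalive threshold 30 retry 5
```

Because DPD need not be enabled on both sides, the headend alone will declare the peer dead and tear down its SAs once the retries are exhausted, freeing the resources the text describes; a shorter threshold detects a vanished remote sooner at the cost of more keepalive traffic.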