Cisco router: Dead Peer Detection
What is DPD
Dead Peer Detection (DPD) is a method for detecting unreachable Internet Key Exchange (IKE) peers. DPD is defined in RFC 3706.
When DPD is enabled on a router, it sends an “ISAKMP R-U-THERE” packet to the peer, and a live peer responds with an “ISAKMP R-U-THERE-ACK” acknowledgement.
DPD on Cisco Routers
Cisco routers support two DPD types, on-demand and periodic; the default is on-demand.
The command to enable DPD is:
crypto isakmp keepalive [seconds] [retry-seconds:optional] [on-demand | periodic]
- seconds: the range is from 10 to 3600 seconds.
When the periodic keyword is used, this argument is the number of seconds between DPD messages.
When the on-demand keyword is used, this argument is the number of seconds during which no traffic is received from the peer before DPD retry messages are sent, provided there is data (IPsec) traffic to send.
- retry-seconds (optional): the range is from 2 to 60 seconds.
Number of seconds between DPD retry messages when a DPD message is missed by the peer.
Once one DPD message goes unanswered by the peer, the router moves to a more aggressive state and sends DPD retry messages at the faster retry interval (retry-seconds). By default a DPD retry message is sent every 2 seconds. Five aggressive DPD retry messages can be missed before the tunnel is marked as down.
Periodic DPD
Using periodic DPD potentially allows the router to detect an unresponsive IKE peer with better response time than on-demand DPD. However, periodic DPD incurs extra overhead. When communicating with large numbers of IKE peers, you should consider using on-demand DPD instead.
On-demand DPD
With on-demand DPD, messages are sent on the basis of traffic patterns.
Consider peers A and B, where A has outbound traffic to B but B never needs to send traffic to A, i.e. A is the sender and B is the receiver.
A will send a DPD message (R-U-THERE) to query the status of B if A suspects B is dead.
B, on the other hand, is a receiver only and will never initiate a DPD (R-U-THERE) message to A. If A dies, B will not find out until the IKE or IPsec security association (SA) has to be rekeyed. The rationale is that the liveliness of the peer is unimportant if the router is not trying to communicate with it.
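The following is an added example, not from the original post or from Cisco: a constructed one-second-per-tick model of the DPD state machine described above (idle timer, first missed R-U-THERE, five aggressive retries), so the worst-case detection time for a given keepalive/retry setting and the sender/receiver asymmetry of on-demand DPD can be worked out. The function name, its arguments and the traffic model are assumptions of this illustration.

```python
# Constructed model of the Cisco DPD timers described above; not Cisco code.
def dpd_detection_time(interval, retry=2, periodic=False, peer_dies_at=0,
                       local_sends=True, peer_sends=False, horizon=7200):
    """Simulate one router's DPD state machine, one second per tick.

    interval / retry mirror the 'seconds' and 'retry-seconds' arguments of
    'crypto isakmp keepalive'.  peer_dies_at is the first second at which the
    peer stops answering.  local_sends / peer_sends say whether this router
    has outbound data traffic and whether the peer sends any data traffic.
    Returns the second at which the tunnel is marked down, or None if the
    peer is never declared dead within the horizon.
    """
    if not 10 <= interval <= 3600 or not 2 <= retry <= 60:
        raise ValueError("interval must be 10-3600 s, retry 2-60 s")
    last_alive = 0         # last proof of liveness: inbound data or R-U-THERE-ACK
    last_probe = None      # when the last R-U-THERE was sent
    aggressive = False     # set after the first unanswered DPD message
    missed_retries = 0     # unanswered retries while aggressive; 5 -> down
    for t in range(1, horizon + 1):
        peer_alive = t < peer_dies_at
        if peer_alive and peer_sends:
            last_alive, aggressive, missed_retries = t, False, 0
            continue                      # inbound data proves liveness, no probe needed
        if aggressive:
            send = t - last_probe >= retry
        else:
            idle = t - last_alive
            # periodic probes whenever idle; on-demand only if we have traffic to send
            send = idle >= interval and (periodic or local_sends)
        if not send:
            continue
        last_probe = t                    # ISAKMP R-U-THERE goes out
        if peer_alive:                    # ISAKMP R-U-THERE-ACK comes back
            last_alive, aggressive, missed_retries = t, False, 0
        elif not aggressive:
            aggressive = True             # first miss: switch to the retry interval
        else:
            missed_retries += 1
            if missed_retries == 5:
                return t                  # tunnel marked down
    return None


if __name__ == "__main__":
    print(dpd_detection_time(30, periodic=True))                    # 40
    print(dpd_detection_time(30, peer_dies_at=100))                 # 130
    print(dpd_detection_time(30, peer_dies_at=100, local_sends=False))  # None
```

With `crypto isakmp keepalive 30 periodic` and the default 2-second retry, a peer that stops answering is declared dead roughly 30 + 5 × 2 = 40 seconds after its last proof of liveness, while a receiver-only router running on-demand DPD never probes at all.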
Use case
You receive a complaint that traffic to or from a remote host over an IPsec VPN is failing, yet the VPN status appears to be up.
You are also 100% sure that there is no routing issue.
What you can try is to clear the existing IKE and IPsec sessions by typing
clear crypto session remote [peer's IP]
Your Cisco router will then start a new SA negotiation.
You can also enable periodic DPD checks to minimize the downtime caused by a stale IKE session.
crypto isakmp keepalive 30 periodic
References
https://community.cisco.com/t5/security-knowledge-base/dead-peer-detection/ta-p/3111324