- If a dead IKE peer is detected then the IKE SA and IPSec SA to that peer is torn down.
- DPD has 2 modes of function:
A) Defualt setting - where a DPD hello is sent every 10 seconds (unless the router receives a hello
message from the peer first) but does lead to increased network activity from all the hellos.
b) On demand - the router sends a DPD hello packet in advance of sending some data. This option reduces uncessary network traffic but could result in you only finding out there is a network issue when data needs to be sent, not prior.
- Implemented using -
#crypto isakmp keepalives [frequency] [retries] [periodic | on-demand]-
where frequency = number of seconds between DPD messages
retries = number of seconds between DPD retries id the DPD message fails
periodic = DPD messages are sent at regular intervals
on-demand = DPD retries are sent on demand - this is default behaviour.
E.g - #crypto isakmp keepalives 10 3 periodic
By implementiung this you can then specifiy a second remote peer within your IPsexc crypto map to establish your SA:
for example - #crypto map TEST 10 ispec-isakmp
# set peer 172.31.1.100 default
# set peer 172.31.1.200
The Default option indicates that this should be used first to establish an SA, the second peer is used if the first remote peer is detected to be dead.