Detecting a Failure Using DPD

DPD sends periodic keepalives to its remote peer (similar to an older proprietary
Cisco IOS method called IKE Keepalives). Periodic keepalives help
routers quickly detect the failure of a remote peer, but they also mean more
packets to encrypt and decrypt. DPD has an on-demand option. If the router
needs to send traffic and has not received anything from the peer recently, it
sends a DPD message to verify the peer’s status. No messages are sent if
there is no traffic.
You can configure multiple peers in a crypto map. Then, if DPD discovers
that the primary peer (designated by the default keyword) is down, IPsec
removes any SAs associated with that peer. It can then fail over to the
backup peer listed in the crypto map. Configure the router to use DPD with
the command crypto isakmp keepalive seconds [retries] [periodic | on-demand].
The periodic option causes the router to use keepalives, whereas
the on-demand option causes it to use on-demand DPD. If neither option is
specified, the IPsec peers negotiate the type of DPD.
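The following IOS configuration is an added example (not from the original text) showing on-demand DPD combined with a primary/backup peer pair in one crypto map; the peer addresses, subnets, key strings and names (VPN, TS, VPN-TRAFFIC) are constructed placeholders.

```cisco
! Added example: on-demand DPD with crypto-map peer failover.
! All addresses come from RFC 5737 documentation ranges; key strings are placeholders.
!
! Send a DPD probe only when there is traffic to send and nothing has been heard
! from the peer for 30 seconds; if the probe goes unanswered, retry every 5 seconds.
! Replace "on-demand" with "periodic" to send keepalives continuously instead.
crypto isakmp keepalive 30 5 on-demand
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! One pre-shared key per peer so the backup can also authenticate.
crypto isakmp key PRIMARY_PSK_PLACEHOLDER address 203.0.113.1
crypto isakmp key BACKUP_PSK_PLACEHOLDER address 203.0.113.2
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! Both peers in a single crypto map entry. "default" marks 203.0.113.1 as the
! primary peer: once DPD declares it dead, its SAs are removed and the map fails
! over to 203.0.113.2; on later renegotiations the router tries the default peer first.
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1 default
 set peer 203.0.113.2
 set transform-set TS
 match address VPN-TRAFFIC
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
interface GigabitEthernet0/0
 crypto map VPN
!
! Verification (exec mode): "show crypto isakmp sa" shows which peer currently
! holds the IKE SA, and "show crypto session" shows the active peer and its IPsec SAs.
```

After a failover, the IKE and IPsec SAs listed by the show commands should point at 203.0.113.2 and the SAs for 203.0.113.1 should be gone.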