Enable IKE DPD
DPD allows two IPSec peers to determine that the other is still “alive” during the lifetime of
the VPN connection. In many situations, one peer may reboot or the link may be
unexpectedly disconnected for some other reason. The other peer may not quickly detect that
the connection has been terminated. DPD enables an IPSec peer to send notification of the
disconnection to the user, attempt to switch to another IPSec host, or clean up valuable
resources that were allocated to a peer that is no longer connected.
A Cisco VPN device can be configured to send and reply to DPD messages. DPD messages
are sent when no other traffic is traversing the IPSec tunnel. If a configured amount of time
passes without a reply to a DPD message, a dead peer can be detected. DPD messages are
unidirectional and are automatically sent by Cisco VPN Clients. DPD is configured on the
server only if the server wishes to send DPD messages to VPN Clients to assess their health.
You use the isakmp keepalive command to enable the Security Appliance gateway to send
IKE DPD messages. You need to specify the number of seconds between DPD messages and
the number of seconds between retries (if a DPD message does not receive a response). The
syntax for this command is as follows:
isakmp keepalive seconds [retry_seconds]
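To make the two timers concrete, here is an added simulation of the DPD initiator clock (illustration only, not Cisco code): the initiator stays quiet while real traffic flows, sends an RFC 3706 R-U-THERE after `seconds` of idle time, retransmits every `retry_seconds` when no R-U-THERE-ACK comes back, and declares the peer dead once the retries are used up. The retry count of 3 and the one-second clock are assumptions; the page does not state how many retries the Security Appliance makes.

```python
# Simulated IKE DPD timer. Added illustration, not Cisco's implementation.
# Assumptions: 3 retries before the peer is declared dead, 1-second ticks.

def simulate_dpd(interval, retry_seconds, traffic_seconds, peer_alive_until,
                 duration=120, max_retries=3):
    """Run the DPD initiator for `duration` seconds.

    interval         -- 'seconds' in 'isakmp keepalive seconds [retry_seconds]':
                        idle time before the first R-U-THERE is sent
    retry_seconds    -- gap between retransmissions when no ACK arrives
    traffic_seconds  -- constructed sample: seconds at which IPSec data crosses
                        the tunnel (DPD is only sent when the tunnel is idle)
    peer_alive_until -- constructed sample: the remote peer answers DPD requests
                        only before this second (it "reboots" at that time)
    Returns (declared_dead_at, log); declared_dead_at is None if never dead.
    """
    log = []
    last_activity = 0   # last second with data traffic or a DPD reply
    next_probe = None   # second at which the next R-U-THERE is due
    sent = 0            # unanswered requests for the current probe cycle
    for now in range(duration + 1):
        if now in traffic_seconds:
            # Real traffic proves liveness; no probe needed, cycle resets.
            last_activity, next_probe, sent = now, None, 0
            continue
        if next_probe is None and now - last_activity >= interval:
            next_probe = now
        if next_probe != now:
            continue
        if sent > max_retries:
            log.append((now, "peer declared dead"))
            return now, log
        log.append((now, "R-U-THERE"))
        sent += 1
        next_probe = now + retry_seconds
        if now < peer_alive_until:
            log.append((now, "R-U-THERE-ACK"))
            last_activity, next_probe, sent = now, None, 0
    return None, log


def expected_detection_time(interval, retry_seconds, max_retries=3):
    """Worst-case seconds from the last sign of life to the dead-peer verdict."""
    return interval + (max_retries + 1) * retry_seconds


if __name__ == "__main__":
    # isakmp keepalive 10 2 ; peer stops answering at second 30
    dead_at, log = simulate_dpd(10, 2, traffic_seconds={3, 5}, peer_alive_until=30)
    for t, event in log:
        print(f"t={t:3d}s  {event}")
    print("declared dead at", dead_at, "s")
```

Running it with `isakmp keepalive 10 2` shows the peer declared dead 18 seconds after its last reply, which is the figure to weigh against the extra IKE traffic that a short interval generates.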