The differences and relations between the IKE SA keepalive and IKE DPD commands

Publication Date: 2012-11-14
Issue Description
The IKE SA keepalive and IKE DPD commands have the same effect: both detect whether the IKE SA on the peer IPsec device is still alive and update the local IKE SA accordingly. They address the following scenarios, which otherwise require manually resetting the IPsec SA on one end:
1. The IPsec and IKE SA configurations on the two ends are inconsistent: the IKE SA on one end has expired and been removed, while the other end still considers its IKE SA alive, so the subsequent new IKE SA cannot be established.
2. The IKE SA configuration on both ends is consistent, but one device loses power or restarts abnormally: the other end still considers its IKE SA alive, so the subsequent new IKE SA cannot be established.
Alarm Information
None.
Handling Process
To keep the IKE SA keep-alive state consistent on both IPsec ends, configure IKE SA keepalive or IKE DPD as follows:
IKE SA keepalive configuration:
ike sa keepalive-timer interval 30
ike sa keepalive-timer timeout 90
IKE DPD configuration:
ike dpd on-demand 30 5
IKE SA keepalive and IKE DPD provide the same function. You can configure both at the same time or only one of them; IKE DPD is recommended. Both the "ike dpd" and "ike sa keepalive-timer interval" commands detect whether the peer device of the tunnel is working properly. The difference is that "ike dpd" consumes less bandwidth: it sends a detection message only when the local end is about to send traffic and no message has been received through the tunnel, rather than sending detection messages periodically.
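The bandwidth difference described above, shown with an added simulation that is not from this article or from the firewall's own code. It assumes that in "ike dpd on-demand 30 5" the 30 is the idle threshold in seconds and the 5 is the retry count, uses a constructed 2 s retransmit interval, and takes the keepalive values from the configuration above (30 s interval, 90 s timeout); the traffic patterns are constructed.

```python
from dataclasses import dataclass

@dataclass
class Peer:
    alive: bool          # constructed: True if the remote end answers probes
    recv_times: set      # constructed: seconds at which traffic arrived from the peer

def keepalive(duration, interval, timeout, peer):
    """Periodic keepalive (ike sa keepalive-timer): probe every `interval` s
    regardless of traffic; declare the peer dead after `timeout` s of silence."""
    probes, last_heard, dead_at = 0, 0, None
    for t in range(duration + 1):
        if t in peer.recv_times:
            last_heard = t
        if t > 0 and t % interval == 0:
            probes += 1
            if peer.alive:
                last_heard = t            # keepalive reply received
        if t - last_heard >= timeout:
            dead_at = t
            break
    return probes, dead_at

def dpd_on_demand(duration, idle, retries, retry_interval, peer, send_times):
    """On-demand DPD (ike dpd on-demand): probe only when the local end has traffic
    to send and nothing was heard from the peer for `idle` s; retransmit every
    `retry_interval` s and declare the peer dead after `retries` unanswered probes."""
    probes = unanswered = 0
    last_heard, next_retry, dead_at = 0, None, None
    for t in range(duration + 1):
        if t in peer.recv_times:
            last_heard, unanswered, next_retry = t, 0, None
        need_probe = t in send_times and t - last_heard >= idle and unanswered == 0
        if need_probe or (next_retry is not None and t >= next_retry):
            probes += 1
            if peer.alive:
                last_heard, unanswered, next_retry = t, 0, None   # R-U-THERE-ACK
            else:
                unanswered += 1
                next_retry = t + retry_interval
                if unanswered >= retries:
                    dead_at = t
                    break
    return probes, dead_at

# Constructed scenarios: 300 s window, local traffic every 10 s.
SENDS = set(range(0, 301, 10))
BUSY_PEER = Peer(alive=True, recv_times=set(range(1, 301, 10)))   # peer replies every 10 s
DEAD_PEER = Peer(alive=False, recv_times=set())                    # peer silent from t=0
```

With a busy bidirectional tunnel the keepalive timer still sends 10 probes in 300 s while on-demand DPD sends none; with a dead peer both detect the failure, DPD at 38 s and keepalive at the 90 s timeout.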
Root Cause
The IKE SA states on the two IPsec ends are inconsistent, so the new IPsec SA cannot be established and the IKE SA on one end must be reset manually.
Suggestions
1. Add IKE DPD or IKE SA keepalive to every IPsec configuration. Some older firewall versions only have the IKE SA keepalive command.
2. IKE SA keepalive and IKE DPD must be configured identically on both ends. If only one end is configured, or the parameters do not match, the SA still has to be reset manually.

END