The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The IPsec Dead Peer Detection Periodic Message Option feature is used to configure the router to query the liveliness of its Internet Key Exchange (IKE) peer at regular intervals. The benefit of this approach over the default approach (on-demand dead peer detection) is earlier detection of dead peers.
 Note |
Security threats, as well as the cryptographic technologies to help protect against them, are constantly changing. For more information about the latest Cisco cryptographic recommendations, see the Next Generation Encryption (NGE) white paper. |
Before configuring the IPsec Dead Peer Detection Periodic Message Option feature, you should have the following:
Familiarity with configuring IP Security (IPsec).
Using periodic DPD potentially allows the router to detect an unresponsive IKE peer with better response time when compared to on-demand DPD. However, use of periodic DPD incurs extra overhead. When communicating to large numbers of IKE peers, you should consider using on-demand DPD instead.
To configure a periodic DPD message, perform the following steps.
| Command or Action | Purpose | |||||||
|---|---|---|---|---|---|---|---|---|
| Step 1 |
enable Example: |
Enables privileged EXEC mode.
|
||||||
| Step 2 |
configure terminal Example: |
Enters global configuration mode. |
||||||
| Step 3 |
crypto isakmp keepalive seconds [retry-seconds ] [periodic | on-demand ] Example: |
Allows the gateway to send DPD messages to the peer.
When the on-demand keyword is used, this argument is the number of seconds during which traffic is not received from the peer before DPD retry messages are sent if there is data (IPSec) traffic to send; the range is from 10 to 3600 seconds.
Once 1 DPD message is missed by the peer, the router moves to a more aggressive state and sends the DPD retry message at the faster retry interval, which is the number of seconds between DPD retries if the DPD message is missed by the peer. The default DPD retry message is sent every 2 seconds. Five aggressive DPD retry messages can be missed before the tunnel is marked as down.
|
DPD allows the router to clear the IKE state when a peer becomes unreachable. If DPD is enabled and the peer is unreachable for some time, you can use the clear crypto session command to manually clear IKE and IPsec SAs.
The debug crypto isakmp command can be used to verify that DPD is enabled.
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
enable Example: |
Enables privileged EXEC mode.
|
| Step 2 |
clear crypto session [local ip-address [port local-port ]] [remote ip-address [port remote-port ]] | [fvrf vrf-name ] [ivrf vrf-name ] Example: |
Deletes crypto sessions (IPsec and IKE SAs). |
| Step 3 |
debug crypto isakmp Example: |
Displays messages about IKE events. |
The following configurations are for a site-to-site setup with periodic DPD enabled. The configurations are for the IKE Phase 1 policy and for the IKE preshared key.
crypto isakmp policy 1
encryption aes
authentication pre-share
group 14
!
crypto isakmp key kd94j1ksldz address 10.2.80.209 255.255.255.0
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set Trans1 esp-aes esp-sha-hmac
!
!
interface
ip address 10.1.32.14 255.255.255.0
speed auto
!|
Related Topic |
Document Title |
|---|---|
|
Configuring IPsec |
Configuring Security for VPNs with IPsec |
|
IPsec commands |
Cisco IOS Security Command Reference |
|
Standards |
Title |
|---|---|
|
None |
-- |
|
MIBs |
MIBs Link |
|---|---|
|
None |
To locate and download MIBs for selected platforms, Cisco IOS software releases, and feature sets, use Cisco MIB Locator found at the following URL: |
|
RFCs |
Title |
|---|---|
|
DPD conforms to the Internet draft “draft-ietf-ipsec-dpd-04.txt,” which is pending publication as an Informational RFC (a number has not yet been assigned). |
-- |
|
Description |
Link |
|---|---|
|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feedback