Dead peer detection (DPD) is a keepalive mechanism that enables the E-series router to detect when the connection between the router and a remote IPSec peer has been lost. DPD enables the router to reclaim resources and to optionally redirect traffic to an alternate failover destination. If DPD is not enabled, the traffic continues to be sent to the unavailable destination.
When a disconnected state is detected between the E-series router and an IPSec peer, the router:
Unlike other keepalive and heartbeat schemes, which require that peers frequently exchange Hello packets with each other at regular predetermined intervals, DPD uses two techniques to verify connectivity on an as-needed basis. In the first method, the router sends DPD inquiries to the remote peer when traffic has been sent to the peer in the last 30 seconds but no traffic has been received from the peer in the last 60 seconds. In the second method, DPD uses an idle timer. If there has been no traffic between the router and the peer for 2.5 minutes, DPD sends an inquiry to the remote end to verify that the peer is still reachable.
 |
Note: Not all IPSec connections need to verify connectivity between peers. For example, the ERX router does not use DPD to check secure remote access connections based on L2TP over IPSec, which have their own keepalive mechanism. However, the router does reply to a request from a remote peer in this type of connection. |
 | Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice. | |