Confi gure > ipsec > dpd 4.43 – Westermo MR Series User Manual

134

6622-3201

Web Interface and Command Line Reference Guide

www.westermo.com

Confi gure > IPSec > DPD

4.43

When an IPSec tunnel is not receiving packets, the unit will send an IKE DPD request at regular
inter vals. If no response is received to the DPD request, more requests are sent at a shorter inter-
val until either the maximum outstanding requests allowed is reached or a response is received. If
no response is received to the configured maximum requests, the IPSec SAs are removed.

Note:
IKE DPD requests require that an IKE SA is present. If one is not present, the DPD request will
fail.

To help ensure that an IKE SA exists with a lifetime at least as great as the IPSec lifetime, the unit
creates new IKE SAs whenever the desire IPSec SA lifetime exceeds the lifetime of an existing IKE
SA, and attempts to negotiate a lifetime for the IKE SA that is 60 seconds longer than the desired
life time of the IPSec SA.

Using the Web Page(s)

Request interval on healthy link:

This parameter defines the interval at which DPD requests on a link that is deemed to be
healthy.

Request interval on suspect link:

This parameter defines the interval at which DPD requests on a link that is deemed to be sus-
pect.

Tunnel inactivity timer (s):

This parameter defines the period of time for inactivity on a tunnel before it is deemed to be
sus pect, i.e. if there is no activity on a healthy link for the time period defined in this parameter,
the link is then deemed to be suspect.

Remove IPsec SAs after this many failed DPD requests:

This parameter defines the maximum number of DPD requests that will be sent without receiv-
ing a response before the IPSec SAs are removed.