
Amer Networks E5Web GUI User Manual


Default: Inline

Disable Public-Key Hardware Acceleration

This option should only be enabled for troubleshooting and diagnostic purposes. In normal
operation, any available acceleration should never be disabled.

Default: No

DPD Metric

The amount of time in tens of seconds that the peer is considered to be alive (reachable) since
the last received IKE message. During this time no DPD messages for checking the aliveness of the
peer will be sent, even if no packets from the peer have been received.

In other words, the amount of time in tens of seconds that a tunnel is without traffic or any other
sign of life before the peer is considered dead. If DPD is due to be triggered but other evidence of
life is seen (such as IKE packets from the other side of the tunnel) within the time frame, no
DPD-R-U-THERE messages will be sent.

For example, if the other side of the tunnel has not sent any ESP packets for a long period but at
least one IKE packet has been seen within the last (10 x the configured value) seconds, then cOS
Core will not send more DPD-R-U-THERE messages to the other side.

Default: 3 (in other words, 3 x 10 = 30 seconds)

DPD Keep Time

The amount of time in tens of seconds that a peer is assumed to be dead after cOS Core has
detected it to be so. While the peer is considered dead, cOS Core will not try to re-negotiate the
tunnel or send DPD messages to the peer. However, the peer will not be considered dead any
more as soon as a packet from it is received.

A more detailed explanation for this setting is that it is the amount of time in tens of seconds that
an SA will remain in the dead cache after a delete. An SA is put in the dead cache when the other
side of the tunnel has not responded to DPD-R-U-THERE messages for DPD Expire Time x 10
seconds and there is no other evidence of life. When the SA is placed in the dead cache, cOS Core
will not try to re-negotiate the tunnel. If traffic that is associated with the SA that is in the dead
cache is received, the SA will be removed from the dead cache. DPD will not trigger if the SA is
already cached as dead.

This setting is used with IKEv1 only.

Default: 2 (in other words, 2 x 10 = 20 seconds)

DPD Expire Time

The length of time in seconds for which DPD messages will be sent to the peer. If the peer has
not responded to messages during this time it is considered to be dead.

In other words, this is the length of time in seconds for which DPD-R-U-THERE messages will be
sent. If the other side of the tunnel has not sent a response to any messages then it is considered
to be dead (not reachable). The SA will then be placed in the dead cache.

This setting is used with IKEv1 only.
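The three timers above interact: DPD Metric decides when probing starts, DPD Expire Time decides how long an unanswered probe run lasts before the peer is declared dead, and DPD Keep Time decides how long the SA then sits in the dead cache. The following simulation is an added example written for this page, not cOS Core or Amer Networks code, and it models the behaviour as the text describes it. It assumes a constructed check interval of 5 seconds, treats DPD Expire Time as plain seconds (its own definition above; the Keep Time paragraph mentions a x 10 factor, and the page gives no default for it, so the value 15 is an assumption), and uses the page's defaults of 3 and 2 for DPD Metric and DPD Keep Time.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DpdConfig:
    """DPD timers as described in this section.
    metric and keep_time are in tens of seconds (as the page states);
    expire_time is treated as plain seconds, per its own definition."""
    metric: int = 3        # DPD Metric, default 3 -> 30 s of silence before probing
    keep_time: int = 2     # DPD Keep Time, default 2 -> 20 s in the dead cache (IKEv1)
    expire_time: int = 15  # DPD Expire Time: ASSUMED value, the page shows no default

    @property
    def metric_s(self) -> int:
        return self.metric * 10

    @property
    def keep_s(self) -> int:
        return self.keep_time * 10


@dataclass
class DpdMonitor:
    """Tracks one IKE SA's liveness the way the three settings describe."""
    cfg: DpdConfig
    last_evidence: float = 0.0             # last packet of any kind from the peer
    probing_since: Optional[float] = None  # time of the first unanswered DPD-R-U-THERE
    dead_since: Optional[float] = None     # when the SA entered the dead cache
    sa_present: bool = True                # False once the dead-cache entry has expired
    log: List[Tuple[float, str]] = field(default_factory=list)

    def peer_packet(self, t: float, kind: str) -> None:
        """Any packet from the peer (ESP, IKE, DPD reply) is evidence of life.
        It cancels an in-progress probe and removes the SA from the dead cache."""
        self.last_evidence = t
        if self.probing_since is not None:
            self.probing_since = None
            self.log.append((t, f"{kind} received: probing cancelled"))
        if self.dead_since is not None:
            self.dead_since = None
            self.log.append((t, f"{kind} received: SA removed from dead cache"))

    def tick(self, t: float) -> str:
        """Periodic check; returns the SA state at time t."""
        if not self.sa_present:
            return "no-sa"
        if self.dead_since is not None:
            # DPD Keep Time: no probes and no renegotiation while cached as dead
            if t - self.dead_since >= self.cfg.keep_s:
                self.sa_present = False
                self.log.append((t, "dead cache entry expired: renegotiation allowed"))
                return "dead-cache-expired"
            return "dead"
        if t - self.last_evidence < self.cfg.metric_s:
            return "alive"  # DPD Metric not reached: nothing is sent
        if self.probing_since is None:
            self.probing_since = t
        elif t - self.probing_since >= self.cfg.expire_time:
            # DPD Expire Time elapsed with no reply: peer is dead
            self.probing_since = None
            self.dead_since = t
            self.log.append((t, "no reply within DPD Expire Time: SA placed in dead cache"))
            return "dead"
        self.log.append((t, "DPD-R-U-THERE sent"))
        return "probing"


def simulate(cfg: DpdConfig, packets: List[Tuple[float, str]], until: int, step: int = 5):
    """Replay constructed peer packets (time, kind) against a monitor that is
    checked every `step` seconds. Returns (event log, [(t, state), ...])."""
    mon = DpdMonitor(cfg)
    pending = sorted(packets)
    states = []
    for t in range(0, until + 1, step):
        while pending and pending[0][0] <= t:
            pt, kind = pending.pop(0)
            mon.peer_packet(pt, kind)
        states.append((t, mon.tick(t)))
    return mon.log, states


def count_probes(log) -> int:
    """Number of DPD-R-U-THERE messages the monitor sent."""
    return sum(1 for _, msg in log if msg == "DPD-R-U-THERE sent")


if __name__ == "__main__":
    # Constructed scenario: data at t=0, one IKE packet at t=20, then silence.
    log, states = simulate(DpdConfig(), [(0, "ESP"), (20, "IKE")], until=90)
    for entry in log:
        print(entry)
```

With the defaults and the assumed expire time, silence after the IKE packet at t=20 produces the first DPD-R-U-THERE at t=50 (30 seconds of no evidence), three probes in total, a dead verdict at t=65, and a dead-cache entry that expires at t=85. A single ESP packet arriving during probing cancels the probe run, and one arriving while the SA is cached as dead removes it from the cache immediately, which is the behaviour the Keep Time paragraph describes.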

Chapter 9: VPN

617
