1. Administrative Security Guide
  2. Configuring IKEv2 Interfaces
  3. Configure Dead Peer Detection

Configure Dead Peer Detection

Dead Peer Detection is enabled by setting the dpd-time-interval parameter to a non-zero value. DPD exchanges are asynchronous, consisting of a simple R-U-THERE and an ACK.

  1. Access the dpd-params configuration element. 
    ORACLE# configure terminal
ORACLE(configure)# security
ORACLE(security)# ike
ORACLE(ike)# dpd-params
ORACLE(dpd-params)#
  2. name—Provide a unique identifier for this 
dpd-params instance. 
    ORACLE(dpd-params)# name ikeDPD
  3. max-loop—Specify the maximum number DPD peers whose liveliness is examined every dpd-interval period.

    Periodic liveliness is tested by the Oracle Communications Session Border Controller issuing an R-U-THERE message to each peer in the current group. If the peer acknowledges receipt of the message, it is confirmed as alive. If the peer fails to respond, its status is determined by the max-retrans and max-attempts parameter values.

    • Min: 1
    • Max: 999999999
  4. max-retrans—Specify the maximum number of times that the OCSBC, acting as a DPD initiator, retransmits an unacknowledged R-U-THERE message while performing periodic liveliness tests.
    The default is 3.
    • Min: 1
    • Max: 4
  5. max-attempts—Specify the number of failed liveliness tests required to declare a peer as dead and take down the IKE tunnel.
    The default is 1.
    • Min: 1
    • Max: 4
  6. max-endpoints—Specify the maximum number of simultaneous DPD protocol negotiations supported when the CPU is not under load, as specified by max-cpu-limit.
    The default is 25.
    • Min: 1
    • Max: 15000

    If CPU workload surpasses the threshold set by max-cpu-limit, this value is over-ridden by load-max-endpoints.

  7. max-cpu-limit—Specify a threshold value (expressed as a percentage of CPU capacity) at which DPD protocol operations are minimized to conserve CPU resources.
    The default is 60.
    • Min: 0
    • Max: 100
  8. load-max-loop—Specify the maximum number of endpoints examined every dpd-time-interval when the CPU is under load, as specified by max-cpu-limit.
    The default is 40.
    • Min: 1
    • Max: 999999999

    Ensure that the configured value is less than the value assigned to max-loop.

  9. load-max-endpoints—Specify the maximum number of simultaneous DPD Protocol negotiations supported when the CPU is under load, as specified by max-cpu-limit.
    The default is 5.
    • Min: 1
    • Max: 15000

    Ensure that the configured value is less than the value assigned to max-endpoints.

  10. Type done to save your configuration.
  11. If necessary, configure additional dpd-params configuration elements.
  12. Access the ike-interface configuration element. 
    ORACLE# configure terminal
ORACLE(configure)# security
ORACLE(security)# ike
ORACLE(ike)# ike-interface
ORACLE(ike-interface)#
  13. dpd-params-name—Enable Dead Peer Detection on this IKEv2 interface. 
    ORACLE(ike-interface)# dpd-params-name ikeDPD
  14. Type done to save your configuration.