[SRX] Dead Peer Detection (DPD) behavior on SRX devices

[KB21652]


Summary:

This article provides information on Dead Peer Detection (DPD) and its behavior on SRX devices.

DPD is a method used by devices to verify the current existence and availability of IPsec peer devices. A device performs this verification by sending encrypted IKE Phase 1 notification payloads (R-U-THERE) to peers and waits for DPD acknowledgements (R-U-THERE-ACK).

 

Symptoms:

Why does DPD behave differently among different versions of Junos releases?

 

Solution:

For general DPD behavior and detail, refer to Understanding Dead Peer Detection.

DPD Optimal Mode:

  • 10.4R1 and earlier

Send DPD probes only if packets were sent out (encrypted) but no packets were received (decrypted) during the configured interval.

  • 10.4R3 - 11.2

Send a DPD probe at every configured interval in which no packets were received (decrypted).

  • 11.3 and Later

Send DPD probes only if packets were sent out (encrypted) but no packets were received (decrypted) during the configured interval.

Hierarchy Level:

[edit security ike gateway gateway-name]

dead-peer-detection {
    interval seconds;
    threshold number;
}
 

Always-Send Mode:

  • Instructs the device to send dead peer detection (DPD) requests, regardless of whether or not there is outgoing IPsec traffic to the peer.

Hierarchy Level:

[edit security ike gateway gateway-name]

dead-peer-detection {
    always-send;
    interval seconds;
    threshold number;
}
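An added simulation (not Juniper's code) of the probe-trigger rules above: for each release range and for always-send mode, it decides per interval whether an R-U-THERE is sent from constructed encrypted/decrypted counters and counts unanswered probes against the threshold. The mode names, the Interval record and the reset-on-liveness rule are assumptions of the model.

```python
# Added example, not Juniper's code: models the DPD probe rule this KB gives
# for each release range, plus the threshold count, over constructed counters.
from dataclasses import dataclass

@dataclass
class Interval:
    encrypted: int      # packets encrypted and sent to the peer this interval
    decrypted: int      # packets received from the peer and decrypted
    ack_received: bool  # peer answered R-U-THERE with R-U-THERE-ACK

# Assumed mode names for the three rules described in the article.
def should_probe(mode: str, s: Interval) -> bool:
    if mode == "always-send":          # always-send knob
        return True
    if mode == "optimal-10.4R3-11.2":  # 10.4R3 through 11.2
        return s.decrypted == 0
    if mode == "optimal":              # 10.4R1 and earlier, 11.3 and later
        return s.encrypted > 0 and s.decrypted == 0
    raise ValueError(f"unknown DPD mode: {mode}")

def run_dpd(mode: str, threshold: int, intervals: list) -> tuple:
    """Return (probes_sent, index of interval where peer declared dead, or None)."""
    # Modeling assumption: decrypted traffic or an ACK proves the peer alive
    # and resets the count of consecutive unanswered probes.
    probes, missed = 0, 0
    for i, s in enumerate(intervals):
        if s.decrypted > 0:
            missed = 0
        if not should_probe(mode, s):
            continue
        probes += 1
        missed = 0 if s.ack_received else missed + 1
        if missed >= threshold:
            return probes, i
    return probes, None

# Constructed scenario: normal traffic, one fully idle interval, then the
# local side keeps sending while the peer goes silent.
SCENARIO = [
    Interval(encrypted=5, decrypted=3, ack_received=True),
    Interval(encrypted=0, decrypted=0, ack_received=False),
    Interval(encrypted=4, decrypted=0, ack_received=False),
    Interval(encrypted=4, decrypted=0, ack_received=False),
    Interval(encrypted=4, decrypted=0, ack_received=False),
]

if __name__ == "__main__":
    for mode in ("optimal", "optimal-10.4R3-11.2", "always-send"):
        print(mode, run_dpd(mode, threshold=3, intervals=SCENARIO))
```

With threshold 3, the fully idle interval causes only the 10.4R3-11.2 rule and always-send to probe, so they declare the peer dead one interval earlier than the optimal rule, which waits until local traffic is flowing with nothing coming back.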

 

Modification History:

2019-07-10: Correct hyperlink added for technical documentation reference for Understanding Dead Peer Detection in Solution section
