
[SRX] Dead Peer Detection (DPD) behavior on SRX devices


Article ID: KB21652
KB Last Updated: 10 Jul 2019
Version: 6.0
Summary:

This article provides information on Dead Peer Detection (DPD) and its behavior on SRX devices.

DPD is a method that devices use to verify that an IPsec peer still exists and is available. A device performs this verification by sending encrypted IKE Phase 1 notification payloads (R-U-THERE) to the peer and waiting for DPD acknowledgements (R-U-THERE-ACK).

 

Symptoms:

Why does DPD behave differently across Junos releases?

 

Solution:

For general DPD behavior and detail, refer to Understanding Dead Peer Detection.

DPD Optimal Mode:

  • 10.4R1 and earlier

Send DPD probes if packets were sent out (encrypted) but no packets were received (decrypted) for the configured interval.

  • 10.4R3 - 11.2

Send a DPD probe every configured interval if no packets were decrypted in that interval.

  • 11.3 and later

Send DPD probes if packets were sent out (encrypted) but no packets were received (decrypted) for the configured interval.

Hierarchy Level:

[edit security ike gateway gateway-name]

dead-peer-detection {
    interval seconds;
    threshold number;
}
 

Always-Send Mode:

  • Instructs the device to send dead peer detection (DPD) requests, regardless of whether or not there is outgoing IPsec traffic to the peer.

Hierarchy Level:

[edit security ike gateway gateway-name]

dead-peer-detection {
    always-send;
    interval seconds;
    threshold number;
}
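
The release-dependent probe behaviour described above can be modelled as follows. This is an added example, not Juniper code: the mode names, the `sends_probe` and `interval_declared_dead` helpers, and the sample timeline are constructed for illustration, and the model assumes that always-send probes every interval and that a peer is declared dead after `threshold` consecutive unanswered probes.

```python
# Added illustration (not Juniper code): a model of when a DPD probe
# (R-U-THERE) is sent under each behaviour listed in this article.

OPTIMAL_TRAFFIC_GATED = "optimal (10.4R1 and earlier, 11.3 and later)"
OPTIMAL_EVERY_INTERVAL = "optimal (10.4R3 - 11.2)"
ALWAYS_SEND = "always-send"


def sends_probe(mode, encrypted_out, decrypted_in):
    """Decide whether a probe is sent at the end of one configured interval."""
    if mode == ALWAYS_SEND:
        return True   # assumption: sent every interval, whatever the traffic
    if decrypted_in > 0:
        return False  # decrypted inbound packets already show the peer is up
    if mode == OPTIMAL_EVERY_INTERVAL:
        return True   # nothing decrypted in the interval is enough
    return encrypted_out > 0  # also requires that packets were sent out


def interval_declared_dead(mode, timeline, threshold):
    """Return the 1-based interval in which the peer is declared dead, or None.

    timeline holds (encrypted_out, decrypted_in, peer_answers) per interval.
    Assumption: the peer is declared dead after `threshold` consecutive
    unanswered probes; decrypted inbound traffic resets the count.
    """
    unanswered = 0
    for n, (out, inbound, answers) in enumerate(timeline, start=1):
        if inbound > 0:
            unanswered = 0
        if sends_probe(mode, out, inbound):
            unanswered = 0 if answers else unanswered + 1
            if unanswered >= threshold:
                return n
    return None


# Constructed sample: the peer is already down; the tunnel is idle for three
# intervals, then local hosts start sending traffic into it.
SAMPLE = [(0, 0, False)] * 3 + [(5, 0, False)] * 4

if __name__ == "__main__":
    for mode in (OPTIMAL_TRAFFIC_GATED, OPTIMAL_EVERY_INTERVAL, ALWAYS_SEND):
        print(mode, "->", interval_declared_dead(mode, SAMPLE, threshold=3))
```

With the constructed sample and a threshold of 3, the traffic-gated behaviour does not declare the peer dead until outbound traffic has resumed (interval 6), while the other two declare it dead in interval 3.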

 

Modification History:

2019-07-10: Correct hyperlink added for technical documentation reference for Understanding Dead Peer Detection in Solution section

 
