Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1981
Views
10
Helpful
5
Replies

Role of vendor id in DPD (Dead peer detection)

Go to solution
GeetanshBhardwaj15367
Level 1
Level 1

‎02-21-2021 09:17 AM

Hi,

 

Could anyone please tell me the use if the Vendor id sent in Main mode Message 3, why it is related to Dead peer detection (DPD). I have read somewhere to disable DPD if establishing IPSEC tunnel between 2 different vendor devices.

 

Is it something related to the capability of each device or DPD is only supported by cisco as it is a Cisco proprietary?

 

Thank you in Advance!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎02-21-2021 11:22 AM

@GeetanshBhardwaj15367 

Each vendor must send the Vendor ID if it wished to participate in DPD.

 

IPSLA is usually used in a Policy Based VPN to keep the tunnel up, in the event no interesting traffic was sent over the tunnel. IPSA is also used with VPNs to failover to a different ISP for a backup VPN.

 

DPD is used and is enabled as default on Cisco ASA, to detect if the tunnel is up or down. It sends a message and expects a response, if no response it assumes the peer is dead and deletes the IPSec and IKE SAs. You can then (optionally) failover to a backup VPN quickly, by specifying a secondary peer in the crypto map configuration.

 

IPSLA does not delete the SAs. Use DPD to detect failover and if required use IPSLA to keep the tunnel up.

View solution in original post

5 Replies 5

Go to solution
MHM Cisco World
VIP
VIP

‎02-21-2021 09:31 AM

Dpd is use for ipsec as keepalive message 

now how two peer know that other peer support or not support dpd ?

the two peer exchange vendor I’d = dpd to make other peer know that I will use dpd.

vender I’d is only claim about dpd it not dpd.

Go to solution
GeetanshBhardwaj15367
Level 1
Level 1
In response to MHM Cisco World

‎02-21-2021 10:01 AM

Thank you so much for your response, much appreciated.

 

I get that now, so DPD is independent of Vendor, if the tunnel is created between 2 different vendors (Let's say Cisco and Juniper), DPD could still be used as a tunnel monitoring protocol.

 

One last question, IPSLA and DPD are 2 different ways of monitoring the tunnel, right?

 

If I configure IPSLA inside a crypto policy for a regular interval, let's say to initiate a ping for the remote end IP over IPSEC tunnel after every 10 seconds to see if we are getting ICMP response, if not we will mark the tunnel as down and will fallback to secondary.

 

Just wanted to know, if we do not use DPD, IPSLA can be used as an alternate as DPD is working in ISKMP notify message.

 

Thank you!

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to GeetanshBhardwaj15367

‎02-21-2021 11:33 AM

simply IPSLA depend on Routing table to select the path so if the IPSec tunnel down it can send via other path.
DPD use only and only IPSec tunnel if the tunnel is down in one Peer then DPD never more exchange and other Peer detect that.

0 Helpful

Go to solution
Rob Ingram
VIP
VIP

‎02-21-2021 11:22 AM

@GeetanshBhardwaj15367 

Each vendor must send the Vendor ID if it wished to participate in DPD.

 

IPSLA is usually used in a Policy Based VPN to keep the tunnel up, in the event no interesting traffic was sent over the tunnel. IPSA is also used with VPNs to failover to a different ISP for a backup VPN.

 

DPD is used and is enabled as default on Cisco ASA, to detect if the tunnel is up or down. It sends a message and expects a response, if no response it assumes the peer is dead and deletes the IPSec and IKE SAs. You can then (optionally) failover to a backup VPN quickly, by specifying a secondary peer in the crypto map configuration.

 

IPSLA does not delete the SAs. Use DPD to detect failover and if required use IPSLA to keep the tunnel up.

Go to solution
GeetanshBhardwaj15367
Level 1
Level 1
In response to Rob Ingram

‎02-21-2021 08:41 PM

Thank you @Rob Ingram, this answered the query.

0 Helpful
Customers Also Viewed These Support Documents