Yep, I stand corrected!

*DPD addresses the shortcomings of IKE keepalives- and heartbeats- schemes by introducing a more reasonable logic governing message exchange*

On 4 January 2012 22:08, Burkhard Ott <b...@revenuewire.com> wrote:

> On Wed, 4 Jan 2012 21:58:10 +0000
> Humair Ali <humair.s....@gmail.com> wrote:
>
> > Hi Asad
> >
> > it's been a while I have not been involved with Netscreen,
> >
> > but correct me if I am wrong but IKE Keepalive and DPD are exactly
> > the same thing,
>
> Nope.
>
> http://www.ietf.org/rfc/rfc3706.txt
>
> >
> > As long as there is VPN traffic, the DPD will not be used, it is only
> > used when it does not detect the VPN traffic and starts sending hello
> > messages to detect the liveness of the remote end (which is exactly what
> > IKE keepalives do)
> >
> > If DPD finds the remote site down, stating the tunnel down should force a
> > rekeying of the Phase 1 and 2.
> > Netscreen does not have DPD on by default but Cisco does, if one end
> > detects it is sending DPD Hello but detects that the remote end does not,
> > it will bring the tunnel down, hence why enabling DPD on Netscreen
> > may help.
>
> > Having said that the problem could be completely some other issues.
>
> Check if the tunnel dies if you pass huge payloads to the tunnel, I
> think you might have trouble with the MTU on your external interface.
>
> --
> Burkhard Ott
> Sr. System Administrator
> Revenuewire Inc.
> 1205 - 4464 Markham Street
> Victoria, BC V8Z 7X8
> 250-984-1132 ext. 7132

--
Humair
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
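
Added example, not part of the thread or of any vendor's code: a simplified Python model of the difference discussed above, with fixed-interval keepalives next to RFC 3706 DPD, which probes only after the peer has been silent. The timer values, the initial sequence number and the traffic timeline are assumptions constructed for illustration.

```python
# Simplified model (added example). Timers and the traffic timeline are
# constructed; real implementations choose their own values.
R_U_THERE = 36136  # Notify message type from RFC 3706 (its ACK is 36137)


def periodic_keepalive(peer_dies_at, end, interval=10, max_missed=3):
    """Hello every `interval` s, traffic or not. Returns (sent, dead_at)."""
    sent = missed = 0
    for now in range(interval, end + 1, interval):
        sent += 1
        missed = 0 if now < peer_dies_at else missed + 1
        if missed == max_missed:
            return sent, now
    return sent, None


def dpd(inbound, peer_dies_at, end, idle=10, retry=5, max_retries=3):
    """Probe only after `idle` s without inbound traffic.
    Returns (probes, dead_at); each probe is (time, R_U_THERE, seq)."""
    traffic = {t for t in inbound if t < peer_dies_at}
    last_proof, seq, retries, next_probe = 0, 1000, 0, None  # seq is constructed
    probes = []
    for now in range(1, end + 1):
        if now in traffic:  # IPsec traffic itself proves liveness
            last_proof, retries, next_probe = now, 0, None
            continue
        if next_probe is None and now - last_proof >= idle:
            next_probe = now
        if next_probe != now:
            continue
        seq += 1
        probes.append((now, R_U_THERE, seq))
        if now < peer_dies_at:  # live peer echoes seq in R-U-THERE-ACK
            last_proof, retries, next_probe = now, 0, None
        else:
            retries += 1
            if retries == max_retries:
                return probes, now
            next_probe = now + retry
    return probes, None


# Constructed timeline: busy 2-40 s, idle, busy 72-100 s, peer dies at 101 s.
INBOUND = list(range(2, 41, 2)) + list(range(72, 101, 2))

if __name__ == "__main__":
    print(periodic_keepalive(101, 160))
    print(dpd(INBOUND, 101, 160))
```

In this model DPD stays silent while traffic flows and probes only in the idle gap and after the peer dies, while the keepalive scheme sends on every interval.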