Decreasing Fail-Over Time for Multi-Homed VPNs using DPD

By Manny posted Jul 06, 2020 11:35 AM


Use case:

The customer has two ISP connections at each site and two VPNs configured between them: ISP1 to ISP1 and ISP2 to ISP2. They wanted to lower the time it takes for a failed VPN to be declared down and for the other VPN to take over. One of the options I discussed with the customer was running route-based VPN with OSPF. That approach has its own challenges; in this article I will cover modifying the DPD (Dead Peer Detection) settings to decrease the time the VPN takes to fail over.

config vpn ipsec phase1-interface
    edit <tunnel_name>
        set dpd on-idle
        set dpd-retrycount <#>        <-- by default, this value is 3
        set dpd-retryinterval <#>     <-- by default, this value is 20 (seconds)
    next
end

Here is the explanation of the options.

dpd-retrycount: how many times a DPD probe is retried without an answer before the peer is declared dead.

dpd-retryinterval: how long, in seconds, to wait before a DPD probe is attempted again.

Together they set the detection time: an unresponsive peer is declared dead after roughly dpd-retrycount × dpd-retryinterval seconds of unanswered probes, on top of the idle time before the first probe is sent. Lowering either value shortens fail-over, at the cost of more IKE traffic and a higher chance of tearing down a tunnel over a link that is merely lossy.

On a dial-up server, if a multitude of VPN connections are idle, the increased DPD exchange could negatively impact the performance/load of the IKE process.
For this reason, an option is available in the CLI (set dpd on-demand) to send DPD passively in a mode called "on-demand".
- When there is no traffic and the last DPD-ACK has been received, IKE will not send DPDs periodically.
- IKE will only send out DPDs if there are outgoing packets to send but no inbound packets have been received since.
Note that in on-demand mode a dead peer is not noticed while the tunnel is idle, so for the fast fail-over this customer wanted, on-idle is the mode to tune.

By default, the customer was failing over in 90 seconds; by modifying the DPD settings, the customer brought the fail-over time down to 20 seconds.
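As an added example (not from the original article), here is what the tuned configuration looks like on one site for both tunnels, followed by the commands used to confirm the settings and watch the probes. The tunnel names ISP1-to-ISP1 and ISP2-to-ISP2 and the chosen values (5 seconds × 3 retries) are assumptions for illustration; the article does not state which values the customer used.

```text
config vpn ipsec phase1-interface
    edit "ISP1-to-ISP1"                <-- assumed tunnel name
        set dpd on-idle
        set dpd-retryinterval 5        <-- default 20: probe every 5 s once idle
        set dpd-retrycount 3           <-- default 3: 3 unanswered probes = peer dead
    next
    edit "ISP2-to-ISP2"                <-- assumed tunnel name; tune the backup the same way
        set dpd on-idle
        set dpd-retryinterval 5
        set dpd-retrycount 3
    next
end

diagnose vpn ike gateway list name ISP1-to-ISP1    <-- shows tunnel state plus the dpd mode, interval and retry count in effect
get vpn ipsec tunnel summary                       <-- confirms which tunnel is up after a fail-over test
diagnose debug application ike -1                  <-- watch DPD requests, acks and the retry timeouts
diagnose debug enable
diagnose debug disable                             <-- turn the IKE debug off again when done
```

With these assumed values the peer is declared dead after about 15 seconds of unanswered probes plus the idle interval before the first probe, roughly the 20 seconds reported above. Two practical caveats: DPD only governs when this FortiGate declares the tunnel down, so the remote peer needs the same tuning to fail over at the same time, and very low values (for example 1 second with a single retry) will flap the tunnel on an ISP link that drops an occasional packet.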