A DPD (Dead Peer Detection) profile specifies the number of seconds to wait between the probes that detect whether an IPSec peer is alive.

NSX-T Data Center provides a system-generated DPD profile, named nsx-default-l3vpn-dpd-profile, that is assigned by default when you configure an IPSec VPN service.

If you decide not to use the default DPD profile provided, you can configure your own using the following steps.

Procedure

  1. From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. Navigate to Networking > VPN > Profiles.
  3. Select the DPD Profiles profile type, and click Add DPD Profile.
  4. Enter a name for the DPD profile.
  5. In the DPD Probe Interval text box, enter the number of seconds you want NSX-T Data Center to wait before sending the next DPD probe. The default is 60 seconds.
    If the NSX Edge node receives a response from the remote peer site, the DPD probe interval timer is restarted. If the NSX Edge node does not hear back from the peer site within 0.5 seconds after the next DPD probe is sent, a retransmission timer is set to 0.5 seconds. The NSX Edge node retransmits the DPD probe when the retransmission timer expires. If the remote peer site continues not to respond, the retransmission timer is exponentially increased up to the maximum limit of 6 seconds, and the NSX Edge node retransmits the DPD probe every time the retransmission timer expires. The NSX Edge node retransmits up to a maximum of 30 times before it declares the peer site to be dead and tears down the security association (SA) on the dead peer's link. The total time it takes to retransmit the DPD probe 30 times is about 2 minutes and 45 seconds.
  6. Provide a description and add a tag, as needed.
  7. Click Save.

Results

A new row is added to the table of available DPD profiles. To edit or delete a profile that is not system-created, click the three-dot menu and select from the list of actions available.
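
The retransmission behaviour described in step 5 can be modelled to estimate how long an SA to a dead peer stays up for a given DPD Probe Interval. The following Python sketch is an added example, not VMware code. It assumes that "exponentially increased" means the timer doubles, that the first retransmission follows the unanswered probe by 0.5 seconds, and that no extra wait follows the 30th retransmission; the class and function names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DpdTiming:
    probe_interval: float = 60.0  # DPD Probe Interval default from the page
    first_timer: float = 0.5      # initial retransmission timer (page)
    max_timer: float = 6.0        # retransmission timer ceiling (page)
    max_retransmits: int = 30     # retransmissions before peer is dead (page)
    growth: float = 2.0           # ASSUMPTION: "exponentially" means doubling


def retransmit_timers(t: DpdTiming) -> list[float]:
    """Timer value that precedes each of the retransmissions, in order."""
    timers, timer = [], t.first_timer
    for _ in range(t.max_retransmits):
        timers.append(timer)
        timer = min(timer * t.growth, t.max_timer)
    return timers


def retransmit_window(t: DpdTiming) -> float:
    """Seconds from the first unanswered probe to the last retransmission."""
    return sum(retransmit_timers(t))


def worst_case_detection(t: DpdTiming) -> float:
    """Peer dies right after answering a probe: a full probe interval passes
    before the first unanswered probe, then the whole retransmit window."""
    return t.probe_interval + retransmit_window(t)


def mmss(seconds: float) -> str:
    minutes, rest = divmod(seconds, 60)
    return f"{int(minutes)}m{rest:04.1f}s"


if __name__ == "__main__":
    default = DpdTiming()
    print("timers:", retransmit_timers(default)[:6], "...")
    print("retransmit window:", mmss(retransmit_window(default)))
    # Constructed sample intervals, to show how the profile setting moves
    # the time during which a dead tunnel still holds its SA.
    for interval in (10.0, 60.0, 120.0):
        t = DpdTiming(probe_interval=interval)
        print(f"interval {interval:>5.0f}s -> dead after ~{mmss(worst_case_detection(t))}")
```

Under these assumptions the retransmission window is 163.5 seconds, which agrees with the "about 2 minutes and 45 seconds" stated in step 5; the probe interval is added on top of that when the peer fails just after answering a probe.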