IMPORTANT
SNS 3.x versions reached End of Maintenance on July 1st, 2024.
We recommend that you update your SNS firewalls to a version with maintenance to guarantee the protection of your infrastructure.
Dead Peer Detection
Dead Peer Detection (DPD) periodically checks the status of IKE tunnels by exchanging encrypted messages. If a peer does not respond to the requests sent by its counterpart, it is considered unreachable, and the sender then shuts down the IKE tunnel as well as the related IPsec tunnels on its side. There are several ways to use this mechanism:
- In inactive mode, the firewall does not monitor the status of the peer and does not reply if it is contacted,
- In passive mode, the firewall does not monitor the status of the peer but replies if it is contacted,
- In high and low modes, the firewall monitors the status of the peer and replies if it is contacted. In high mode, requests are sent more frequently than in low mode.
R47 | Enable Dead Peer Detection
In an IPsec VPN, Dead Peer Detection should be implemented in high or low mode.
R47 - | Use passive DPD mode
If it is not known whether Dead Peer Detection is implemented on the remote endpoint, passive mode is recommended, making it possible to reply if a DPD request is received.
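The following added example is a constructed model of the four DPD modes described above and of how R47 and R47 - interact; it is not Stormshield code, and the probe intervals and the miss threshold are assumptions, since the page only states that high mode probes more often than low mode. It shows why a monitoring peer tears down the tunnels when the remote side is in inactive mode even though that side is actually up, which is what the passive-mode recommendation avoids.

```python
"""Constructed model of SNS DPD modes (inactive, passive, high, low); not Stormshield code."""
from dataclasses import dataclass
from typing import Optional

# Assumed probe intervals in seconds: the page gives no numbers, only that
# high mode sends requests more frequently than low mode.
PROBE_INTERVAL = {"high": 10, "low": 30}
# Assumed number of consecutive unanswered probes before the peer is declared dead.
MAX_MISSED = 3


@dataclass
class Peer:
    name: str
    mode: str           # "inactive" | "passive" | "high" | "low"
    alive: bool = True  # whether the box is really up (independent of its DPD mode)

    def monitors(self) -> bool:
        # Only high and low modes send DPD requests to the counterpart.
        return self.mode in PROBE_INTERVAL

    def answers(self) -> bool:
        # Inactive mode never replies; passive, high and low reply when the box is up.
        return self.alive and self.mode != "inactive"


def simulate(local: Peer, remote: Peer, duration: int) -> Optional[int]:
    """Return the second at which `local` shuts down the IKE and IPsec tunnels
    towards `remote`, or None if the tunnels survive the whole window."""
    if not local.monitors():
        return None  # inactive/passive: never declares the peer dead
    interval = PROBE_INTERVAL[local.mode]
    missed = 0
    for t in range(interval, duration + 1, interval):
        if remote.answers():
            missed = 0  # a reply resets the counter
        else:
            missed += 1
            if missed >= MAX_MISSED:
                return t  # peer considered unreachable: tunnels torn down
    return None


if __name__ == "__main__":
    a = Peer("fw-a", "high")
    for remote in (Peer("fw-b", "passive"), Peer("fw-b", "inactive"),
                   Peer("fw-b", "passive", alive=False)):
        print(a.mode, "->", remote.mode, "alive" if remote.alive else "down",
              "teardown at", simulate(a, remote, 120))
```

With the remote in inactive mode, a local peer in high mode tears down the tunnels after 30 s although the remote is up; with the remote in passive mode the tunnels only go down when the remote really stops answering.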