Liveness Check
If there has only been outgoing traffic on all of the SAs associated with an IKE SA,
it is essential to confirm the liveness of the other endpoint to avoid black holes.
IKEv2 gateways can perform liveness checks to prevent sending messages to a dead
peer. Receipt of a fresh cryptographically protected message on an IKE SA or any of
its child SAs ensures the liveness of the IKE SA and all of its child SAs.
IKEv2 uses a liveness check (similar to Dead Peer Detection (DPD) in IKEv1)
to determine whether a peer is still available. The liveness check option is enabled
by default. Select and Advanced Options to configure the interval (in seconds) in
the Liveness Check for the IKE gateway. Note that you can configure the
liveness check option only if you have selected IKEv2 only mode or IKEv2
preferred mode for the Version in the IKE Gateway configuration. If you select
IKEv1 only mode for the IKE Gateway Version, then the Advanced Options display
IKEv1 configuration parameters such as Exchange mode and Dead Peer Detection.
In IKEv2, the liveness check is achieved by any IKEv2 packet transmission or a
liveness check message that the gateway sends to the peer at a configurable
interval, 5 seconds by default. If there is no response, the sender attempts the
retransmission up to 10 times with increasing timeout (in seconds) for each retry as
follows:
5 + 10 + 20 + 40 + 60 + 60 + 60 + 60 + 60 + 60 = 7 minutes and 15 seconds
If it doesn’t get a response, the sender closes and deletes the IKE_SA and
corresponding CHILD_SAs. The sender will start over by sending out another
IKE_SA_INIT message.
After the maximum number of retries is reached, the firewall tears down the
phase 1 and phase 2 (child) SAs.
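The retransmission schedule and teardown decision described above, modelled in Python as an added example (this is not PAN-OS code; the SA model, function names and the peer response times are constructed for illustration):

```python
DEFAULT_INTERVAL = 5   # seconds of silence before the first liveness probe (page default)
MAX_RETRIES = 10       # retransmissions before the peer is declared dead (page default)
TIMEOUT_CAP = 60       # per-retry timeout stops growing at 60 s (page default)


def retry_schedule(interval=DEFAULT_INTERVAL, retries=MAX_RETRIES, cap=TIMEOUT_CAP):
    """Per-retry wait times: doubling from the interval and capped, as on the page."""
    schedule, wait = [], interval
    for _ in range(retries):
        schedule.append(wait)
        wait = min(wait * 2, cap)
    return schedule            # default: [5, 10, 20, 40, 60, 60, 60, 60, 60, 60]


def dead_peer_seconds(interval=DEFAULT_INTERVAL, retries=MAX_RETRIES, cap=TIMEOUT_CAP):
    """Seconds from the first unanswered probe until the IKE SA is deleted."""
    return sum(retry_schedule(interval, retries, cap))


def as_minutes_seconds(seconds):
    minutes, rest = divmod(seconds, 60)
    return f"{minutes} minutes and {rest} seconds"   # 435 -> "7 minutes and 15 seconds"


def simulate_liveness(last_rx, peer_rx_times, interval=DEFAULT_INTERVAL,
                      retries=MAX_RETRIES, cap=TIMEOUT_CAP):
    """Return the time the IKE SA (and its child SAs) is torn down, or None.

    last_rx:       time of the last fresh protected message from the peer
                   (only outgoing traffic after that).
    peer_rx_times: constructed times at which a protected message arrives; any
                   such message proves liveness of the IKE SA and all child SAs.
    """
    t = last_rx + interval            # first liveness check message is sent here
    for timeout in retry_schedule(interval, retries, cap):
        if any(t <= rx < t + timeout for rx in peer_rx_times):
            return None               # peer answered: SA stays up, no teardown
        t += timeout                  # no reply: retransmit with the next, larger timeout
    return t                          # retries exhausted: delete IKE_SA and CHILD_SAs


if __name__ == "__main__":
    print("schedule:", retry_schedule())
    print("teardown after:", as_minutes_seconds(dead_peer_seconds()))
    print("silent peer torn down at t =", simulate_liveness(0, []))
    print("peer answers at t=12:", simulate_liveness(0, [12]))
```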