To configure the IKE NAT keepalive function:

Step                                      Command                        Remarks
1. Enter system view.                     system-view                    N/A
2. Set the IKE NAT keepalive interval.    ike nat-keepalive seconds      The default interval is 20 seconds.

Configuring IKE DPD

DPD detects dead peers. It can operate in periodic mode or on-demand mode.
• Periodic DPD—Sends a DPD message at regular intervals. It detects dead peers earlier, but consumes more bandwidth and CPU.
• On-demand DPD—Sends a DPD message based on traffic. When the device has traffic to send and is not aware of the liveness of the peer, it sends a DPD message to query the status of the peer. If the device has no traffic to send, it never sends DPD messages. This mode is recommended.

The IKE DPD works as follows:
1. The local device sends a DPD message to the peer and waits for a response.
2. If the peer does not respond within the retry interval specified by the retry seconds parameter, the local device resends the message.
3. If still no response is received within the retry interval, the local device sends the DPD message again. The system allows a maximum of two retries.
4. If the local device receives no response after two retries, it considers the peer dead and deletes the IKE SA along with the IPsec SAs that IKE SA negotiated.
5. If the local device receives a response from the peer at any point during the detection, the peer is considered alive. The local device performs a DPD detection again when the triggering interval is reached (periodic mode) or when it has traffic to send (on-demand mode).

Follow these guidelines when you configure the IKE DPD function:
• When DPD settings are configured in both IKE profile view and system view, the DPD settings in IKE profile view apply. If DPD is not configured in IKE profile view, the DPD settings in system view apply.
• Set the triggering interval longer than the retry interval, so that a new DPD detection is not triggered while a DPD retry is still in progress.

To configure IKE DPD:

Step                                  Command                                                                          Remarks
1. Enter system view.                 system-view                                                                      N/A
2. Enable sending IKE DPD messages.   ike dpd interval interval-seconds [ retry seconds ] { on-demand | periodic }     By default, IKE DPD is disabled.

Enabling invalid SPI recovery

An IPsec "black hole" occurs when one IPsec peer fails (for example, because it reboots) and loses its SAs with the other peer. When an IPsec peer receives a data packet for
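Returning to the IKE DPD process described above: the following is an added illustration, not Comware code and not the device's implementation. It models the detection procedure (initial message, retry interval, at most two retries, SA teardown on no response), the two trigger modes, the profile-view-over-system-view precedence rule, and the guideline that the triggering interval should exceed the retry interval. `DpdConfig`, `StubPeer`, `run_detection`, `simulate` and the constructed peer that stops answering at a chosen second are assumptions made for the model; time is integer seconds in a deterministic loop rather than real timers.

```python
"""Simplified model of IKE DPD as described in the configuration guide.

Added illustration only: not Comware code. Real devices use timers and the
actual IKE DPD exchange; here the peer is a stub that answers DPD requests
only while it is "alive", and time advances in integer seconds.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

MAX_RETRIES = 2  # the guide: the system allows a maximum of two retries


@dataclass(frozen=True)
class DpdConfig:
    interval: int   # triggering interval (interval-seconds)
    retry: int      # retry interval (retry seconds)
    mode: str       # "on-demand" or "periodic"


def effective_dpd(profile_cfg: Optional[DpdConfig],
                  system_cfg: Optional[DpdConfig]) -> Optional[DpdConfig]:
    """Precedence rule: IKE profile view settings win; otherwise the system
    view settings apply; if neither is configured, DPD is disabled (None)."""
    return profile_cfg if profile_cfg is not None else system_cfg


def retry_safe(cfg: DpdConfig) -> bool:
    """Guideline check: triggering interval longer than the retry interval,
    so a new detection cannot start while retries are still in flight."""
    return cfg.interval > cfg.retry


class StubPeer:
    """Constructed peer: answers a DPD request only if sent before alive_until."""
    def __init__(self, alive_until: int):
        self.alive_until = alive_until

    def responds(self, now: int) -> bool:
        return now < self.alive_until


def run_detection(cfg: DpdConfig, peer: StubPeer, start: int) -> Tuple[bool, int, int]:
    """One DPD detection: send, wait the retry interval, resend up to
    MAX_RETRIES times. Returns (peer_dead, messages_sent, finished_at)."""
    now, sent = start, 0
    while True:
        sent += 1                       # initial message or a retry
        if peer.responds(now):
            return False, sent, now     # answered: peer is alive
        now += cfg.retry                # no answer within the retry interval
        if sent > MAX_RETRIES:          # initial message + 2 retries unanswered
            return True, sent, now      # peer declared dead


@dataclass
class IkeSession:
    cfg: DpdConfig
    peer: StubPeer
    ike_sa_up: bool = True
    ipsec_sas: List[str] = field(default_factory=lambda: ["ipsec-sa-in", "ipsec-sa-out"])
    last_liveness: int = 0              # SA set up at t=0, peer known alive then
    log: List[Tuple[int, str, int]] = field(default_factory=list)

    def tick(self, now: int, has_traffic: bool) -> int:
        """Advance one simulated second; returns the time to resume from."""
        if not self.ike_sa_up:
            return now + 1
        liveness_unknown = now - self.last_liveness >= self.cfg.interval
        if self.cfg.mode == "periodic":
            trigger = liveness_unknown
        else:   # on-demand: only with traffic to send and liveness unknown
            trigger = has_traffic and liveness_unknown
        if not trigger:
            return now + 1
        dead, sent, done = run_detection(self.cfg, self.peer, now)
        self.last_liveness = done
        self.log.append((now, "dead" if dead else "alive", sent))
        if dead:                        # delete the IKE SA and its IPsec SAs
            self.ike_sa_up = False
            self.ipsec_sas.clear()
        return max(now + 1, done)       # a detection blocks until it finishes


def simulate(cfg: DpdConfig, peer: StubPeer, duration: int,
             traffic_at: Set[int]) -> IkeSession:
    """Run a session for `duration` seconds with traffic at the given seconds."""
    session = IkeSession(cfg, peer)
    now = 0
    while now < duration:
        now = session.tick(now, now in traffic_at)
    return session


if __name__ == "__main__":
    peer_dies_at = 50
    for mode in ("periodic", "on-demand"):
        cfg = DpdConfig(interval=30, retry=5, mode=mode)
        s = simulate(cfg, StubPeer(peer_dies_at), 120, traffic_at={40, 90})
        print(mode, "retry_safe=%s" % retry_safe(cfg), s.log, "ike_sa_up=%s" % s.ike_sa_up)
```

With the same interval (30 s) and retry (5 s), the periodic session declares the peer dead at t=75 after three unanswered messages starting at t=60, while the on-demand session only notices at t=105, when traffic at t=90 forces a check; with no traffic it never sends a DPD message at all, which is the bandwidth trade-off the guide describes.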