What is the difference between "VPN Monitor" and VPN "Dead Peer Detection"?
The minimum check interval in VPN Dead Peer Detection is 10 seconds, and we want to check at least twice before the tunnel is declared dead. So this means at least (10-second interval x 2 tries) 20 seconds before an unresponsive tunnel is declared dead and OSPF changes the route (to a less desirable tunnel).
I'm looking for a way to more quickly determine when a VPN is declared "down" so OSPF can respond a lot more quickly to LEGITIMATE outages, within a few seconds at most. The problem is, if Dead Peer Detection is set to declare death after a single missed response, we risk needlessly flapping our tunnel routes every time a single "check for up" packet is lost.
Is VPN Monitor a better choice? If pings from VPN Monitor fail, will the tunnel be declared dead more quickly, or does the system still wait for Dead Peer Detection to trigger?
Bottom-line question: what is the best practice for (a) discovering a dead tunnel more quickly than 10-20 seconds, (b) without needless false "dead" alarms that will trigger a route change?
Advice, please.
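The trade-off the post describes (probe interval times miss threshold sets the detection delay, while the threshold alone sets how often a single lost probe causes a false "dead" verdict) can be made concrete with a small model. The following is an added example, not code from the original post or from any vendor: it treats DPD and VPN Monitor as the same generic liveness check (one probe every `interval` seconds, peer declared dead after `threshold` consecutive unanswered probes), and the probe-response traces and the 1% loss rate are constructed here. The candidate intervals below 10 seconds are hypothetical settings used only to show the shape of the trade-off; the post states that 10 seconds is the platform minimum for DPD.

```python
"""Model of a generic VPN liveness probe (DPD / VPN Monitor style).

Added example, not from the original post. A probe is sent every
`interval` seconds; the peer is declared dead after `threshold`
consecutive probes go unanswered. Traces and loss rate are constructed.
"""

SECONDS_PER_DAY = 86400


def detect_dead(responses, interval, threshold):
    """Return the time (seconds from the first probe) at which the peer is
    declared dead, or None if it never is.

    responses: one bool per probe, True = reply received, False = lost.
    The counter of consecutive misses resets on any successful reply,
    which is what makes threshold > 1 tolerate an isolated lost packet.
    """
    misses = 0
    for probe_number, replied in enumerate(responses, start=1):
        misses = 0 if replied else misses + 1
        if misses >= threshold:
            return probe_number * interval
    return None


def worst_case_detection_time(interval, threshold):
    """Seconds between an outage starting and the dead verdict: the probe
    that happens just after the failure must be missed `threshold` times."""
    return interval * threshold


def expected_false_alarms_per_day(interval, threshold, loss_rate):
    """Expected spurious dead verdicts per day on a healthy tunnel, assuming
    each probe is lost independently with probability `loss_rate`.
    A false alarm needs `threshold` consecutive losses: loss_rate**threshold
    per probe slot, times the number of probes sent per day."""
    probes_per_day = SECONDS_PER_DAY / interval
    return probes_per_day * loss_rate ** threshold


def compare_settings(candidates, loss_rate):
    """Tabulate detection delay vs. false-alarm rate for each (interval,
    threshold) pair so the operator can pick the point on the curve."""
    rows = []
    for interval, threshold in candidates:
        rows.append({
            "interval": interval,
            "threshold": threshold,
            "detect_s": worst_case_detection_time(interval, threshold),
            "false_alarms_per_day": expected_false_alarms_per_day(
                interval, threshold, loss_rate),
        })
    return rows


# Constructed traces (not captured from equipment).
# Healthy tunnel that drops exactly one probe reply.
HEALTHY_ONE_LOSS = [True, True, False, True, True, True]
# Real outage: the peer stops answering after the second probe.
REAL_OUTAGE = [True, True, False, False, False, False]

if __name__ == "__main__":
    # threshold 1 flaps the route on the single lost packet; threshold 2 does not
    print("healthy, threshold 1:", detect_dead(HEALTHY_ONE_LOSS, 10, 1))
    print("healthy, threshold 2:", detect_dead(HEALTHY_ONE_LOSS, 10, 2))
    # real outage with the poster's 10 s x 2 setting vs. a shorter interval
    print("outage, 10s x 2:", detect_dead(REAL_OUTAGE, 10, 2))
    print("outage, 2s x 3:", detect_dead(REAL_OUTAGE, 2, 3))
    for row in compare_settings([(10, 1), (10, 2), (2, 3)], loss_rate=0.01):
        print(row)
```

The table that `compare_settings` produces is the useful part: at a constructed 1% probe loss, `(10 s, 1)` detects in 10 s but would flap roughly 86 times a day, `(10 s, 2)` detects in 20 s with under one flap a day, and a hypothetical `(2 s, 3)` would detect in 6 s with a false-alarm rate two orders of magnitude lower still. Shortening the interval and raising the threshold together is what buys both goals at once, which is why the question of whether VPN Monitor allows a sub-10-second interval matters more than which feature is nominally "faster".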