Skip to main content
mda
mda
New Member
November 21, 2019
Solved

[6.0.6] dpd-retrycount option missing

  • November 21, 2019
  • 1 reply
  • 3760 views

Hi All,

 

I have configured a redundant site to site IPSEC VPN between 2 FGT E units, both running 6.0.6.

 

Basically, setup is as follows:

 

Tunnel 1 - Site A ISP1 to Site B ISP1

Tunnel 2 - Site A ISP2 to site B ISP1

 

To allow failover, administrative distance is set to 10 for each static route, and a priority is set to allow for an organized prioritization of tunnels.

 

When this was originally set up in FortiOS 5.4, I used the following commands to customize the failover settings:

 

dpd-retrycount 3

dpd-retryinterval 3

 

REFERENCE ONLY: Please see this forum post made back in 2017 that helped me with that issue (thanks to neonbit and Mike for all the help - settings pretty much working up until today!)

 

However, when trying to set up a new site, using the command

dpd-retrycount 3

will not error out but it will not show up in the configuration. Furthermore, the failover does not work properly unless I purposely add

dpd on-idle

(which is supposedly a default setting).

dpd-retryinterval seems to be added to the config properly, however.

 

What should I be doing now to get back dpd retrycount? Or is there a new command that has superseded this?

 

Thank you!

Best answer by Toshi_Esumi

Those retry values are default. That's why you don't see in "show" command. Try below:

xxxx-fg1 (phase1-int-name) # show full | grep retry         set dpd-retrycount 3         set dpd-retryinterval 30 By default, at least with 6.0 and 5.6, dpd mode setting is "on-demand". Based on the explaination in CLI reference below:

https://help.fortinet.com/cli/fos60hlp/60/index.htm#FortiOS/fortiOS-cli-ref/config/vpn/ipsec%20phase1-interface+phase1.htm%3FTocPath%3Dvpn%7C_____10

                disable    Disable Dead Peer Detection.
                on-idle    Trigger Dead Peer Detection when IPsec is idle.
                on-demand  Trigger Dead Peer Detection when IPsec traffic is sent but no reply is received from the peer.

I interpreted "on-demand" wouldn't send dpd message when no outgoing traffic exists. Because of this we always set "on-idel" for every IPSec set-up.

1 reply

Toshi_Esumi
SuperUser
Toshi_EsumiAnswer
SuperUser
November 21, 2019

Those retry values are default. That's why you don't see in "show" command. Try below:

xxxx-fg1 (phase1-int-name) # show full | grep retry         set dpd-retrycount 3         set dpd-retryinterval 30 By default, at least with 6.0 and 5.6, dpd mode setting is "on-demand". Based on the explaination in CLI reference below:

https://help.fortinet.com/cli/fos60hlp/60/index.htm#FortiOS/fortiOS-cli-ref/config/vpn/ipsec%20phase1-interface+phase1.htm%3FTocPath%3Dvpn%7C_____10

                disable    Disable Dead Peer Detection.
                on-idle    Trigger Dead Peer Detection when IPsec is idle.
                on-demand  Trigger Dead Peer Detection when IPsec traffic is sent but no reply is received from the peer.

I interpreted "on-demand" wouldn't send dpd message when no outgoing traffic exists. Because of this we always set "on-idel" for every IPSec set-up.
mda
mdaAuthor
New Member
November 21, 2019

Thank you for the info! I knew I just read somewhere that on-idle was default :|

 

Yes, I can confirm - set retrycount to 2 and the number changed.

 

I just didn't bother trying this since an old config listed the dpd-retrycount to 3 and was clearly shown in the 'show'.

 

Thanks again Toshi!

Terms & ConditionsAccessibility statement