DPD Failures on IpSec VPN

Question

Hi

In summary between 45 Minutes to every 3 hours, every single IpSec VPN Tunnel gets torn down with a DPD-error. An example log I have included below.

General

Absolute Date/Time	2026-01-04
Last Access Time	14:45:21
VDOM	root
Log Description	IPsec DPD failed

Source

Local IP	XXXX
FortiClient ID	7D7A0CD5D9574D5AB509F5519F68B9F8
User	XXXX
Group	N/A
XAUTH User	XXXXX
XAUTH Group	FortiClient Users

Action

Action	dpd
Status	dpd_failure

Security

Level

Error

Event

Assigned IP	XXXXX
Cookies	c7e291824a726956/c9f2b20f46158b9f
Local Port	4500
Outgoing Interface	wan1
Remote IP	XXXXXX
Remote Port	64917
VPN Tunnel	Forticlient VPN_0
Message	IPsec DPD failure

Other

Log event original timestamp (µs)	1767537921187226000
eventtime_raw_value	1767537921187226120
Log ID	0101037136
Type	event
Sub Type	vpn
Alternate User	N/A
ADVPN Shortcut	0

Below is the my current configuration for IpSec VPN

Phase 1:

config vpn ipsec phase1-interface
edit "Forticlient VPN"
set type dynamic
set interface "wan1"
set ip-version 4
set ike-version 1
set local-gw 0.0.0.0
set keylife 86400
set authmethod psk
set mode aggressive
set peertype any
set monitor-min 0
set net-device disable
set exchange-interface-ip disable
set aggregate-member disable
set packet-redistribution disable
set mode-cfg enable
set ipv4-wins-server1 0.0.0.0
set ipv4-wins-server2 0.0.0.0
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set add-route enable
set localid ''
set localid-type auto
set negotiate-timeout 30
set fragmentation enable
set ip-fragmentation post-encapsulation
set dpd on-idle
set comments "VPN: Forticlient VPN (Created by VPN wizard)"
set npu-offload enable
set dhgrp 5 14 20
set suite-b disable
set wizard-type dialup-forticlient
set xauthtype auto
set reauth disable
set authusrgrp "FortiClient Users"
set idle-timeout disable
set ha-sync-esp-seqno enable
set fgsp-sync disable
set inbound-dscp-copy disable
set auto-discovery-sender disable
set auto-discovery-receiver disable
set auto-discovery-forwarder disable
set encapsulation none
set nattraversal enable
set rekey enable
set enforce-unique-id disable
set fec-egress disable
set fec-ingress disable
set link-cost 0
set exchange-fgt-device-id disable
set ems-sn-check disable
set qkd disable
set default-gw 0.0.0.0
set default-gw-priority 0
set assign-ip enable
set assign-ip-from range
set ipv4-start-ip 10.10.10.1
set ipv4-end-ip 10.10.10.254
set ipv4-netmask 255.255.255.255
set dns-mode auto
set ipv4-split-include "FortiClient VPN_split"
set split-include-service ''
set ipv6-start-ip ::
set ipv6-end-ip ::
set ipv6-prefix 128
set ipv6-split-include ''
set ip-delay-interval 0
set unity-support enable
set domain ''
set banner ''
set include-local-lan disable
set ipv4-split-exclude ''
set ipv6-split-exclude ''
set save-password enable
set client-auto-negotiate disable
set client-keep-alive disable
set psksecret xxxxxx
set keepalive 10
set distance 15
set priority 1
set dpd-retrycount 5
set dpd-retryinterval 20
next
end

Phase 2:

config vpn ipsec phase2-interface
edit "Forticlient VPN"
set phase1name "Forticlient VPN"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set pfs enable
set dhgrp 5 14 20
set replay enable
set keepalive enable
set add-route phase1
set inbound-dscp-copy phase1
set auto-discovery-sender phase1
set auto-discovery-forwarder phase1
set keylife-type seconds
set single-source disable
set route-overlap use-new
set encapsulation tunnel-mode
set comments "VPN: Forticlient VPN (Created by VPN wizard)"
set diffserv disable
set protocol 0
set src-addr-type subnet
set src-port 0
set dst-addr-type subnet
set dst-port 0
set keylifeseconds 43200
set src-subnet 0.0.0.0 0.0.0.0
set dst-subnet 0.0.0.0 0.0.0.0
next
end

Fortigate Firmware Version: v7.6.5

Forticlient Version: 7.4.3.1790

Forticlient Configuration

Screenshot 2026-01-04 154301.png Screenshot 2026-01-04 154336.png

If anyone has any advise or notices any misconfigurations in the configs provided please let me know.

Thanks.

Daniel__ · Answer

It is very possible that the client is not really responding to your DPD messages, and thus the Fortigate tears down the connection as it is not getting a response.

Often because the client is in a low‑power state, behind a NAT that drops UDP 4500, or the client’s own DPD settings are different)

try:

config vpn ipsec phase1-interface     edit "Forticlient VPN"         set dpd on-demand # <‑ change from on-idle         set dpd-retrycount 10         set dpd-retryinterval 30         set keepalive 30 # optional, but helps keep the tunnel alive     next end

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded