New Member

Question

IPsec DPD failure on IPSEC VPN

Forum|Forum|9 years ago
March 6, 2017
1 reply
22294 views

Hello.

I would like to have help about the "famous" DPD_failure on IPSEC VPN.

I have 2 Firewall fortigate. One in Italy (IT) and one in Germany (DE).

In Italy I have 2 HDSL internet interfaces.

Also in Germany (DE) I have 2 internet interfaces, but while one is a HDSL , the other one is a ADSL with a public IP.

So, we have 4 IPSEC VPN configured.

Only one is up and running ( the others are ready if the first one will have problem).

Every days, I usually receive many messages IPsecPDPfailure likes:

Message meets Alert condition

date=2017-03-03 time=15:52:31 devname=PSE-GERMANY devid=FGT60C3G11037662 logid=0101037136 type=event subtype=vpn level=error msg="IPsec DPD failure" action=dpd remip=81.174.28.218 locip=10.1.2.2 remport=4500 locport=4500 outintf="wan2" cookies="...........c12..." user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" vpntunnel="DE1_IT2_PH1" status=dpd_failure

As you can see below , most oth the messages are between one session( 81.174.28.218 in Itlay with 10.1.2.2 in Germany).

The 10.1.2.2 is in Germany ( ADSL that have a public ip 217.92.59.71)

The 81.174.28.218 is a NEW HDSL here in Italy, I have just implemented these days.

How can I understand if I have problem with my new HDSL here in Italy?

Or could be the problem related to the ADSL in Germany?

Why the other 3 sessions seems to have little DPD problems?

Many thanks in advance for your help.

Pierluigi

Here the sequence of the messages:

VPN IPSEC.JPG

ede_pfau

SuperUser

Hi,

ADSL lines in Germany are brought down once every 24 hours on purpose, at least with German Telekom. As ADSL is targeted and marketed as a broadband medium for private persons this is meant to defeat the use of these lines for servers - the customer will be assigned a new public IP every 24 hours.

So your logs only show that the VPN was established between an ADSL line and a HDSL line (without forced disconnections). If you set up all parameters correctly the tunnel will be reestablished within seconds.

To make your VPNs fully and automatically redundant, you may already have set the 'monitor-phase1' parameter in the backup VPN setup. Given a name of the main VPN FortiOS will monitor it for failures and yank the backup VPN up in that case.

PierluigiAuthor

New Member

Hi Ede,

Thanks for your help.

I didn't know in Germany they brought down VPN on purpose. That's ok no problem.

I know I have one of the interface that is an ADSL and this kind of line is not well suitable for business ( but this is just a backup of the HDSL line we have in Germany and for this ADSL we have a STATIC public IP assigned, so no problem about IP change ).

You are right, the VPN is re-established within seconds.

And to make our VPNs fully and automatically redundant we are using different "Distance" value in the Static Routes configuration (and it is working well).

Now:

This VPN between 81.174.28.218 ( one of the 2 HDSL in Italy) and 10.1.2.2 ( Germany ADSL that have a public STATIC ip 217.92.59.71), is just the 4th IPSEC VPNs we have and the least important.

Infact, we are going to use this only in case the others 3 will have a problem.

And my little problem rise here.

Why, in the others 3 IPSEC VPN, I don't see so many "IPsec DPD failure" messages.

I was thinking, maybe it is the new HDSL we just installed here in Italy that can have some problems ...

but at the same time this new HDSL (81.174.28.218) having 2 VPNs :

81.174.28.218 --- VPN ---- HDSL Germany ( 193.158.81.250)

81.174.28.218 --- VPN ---- ADSL Germany ( Static Public IP 217.92.59.71 that is 10.1.2.2 Interface IP)

and only this last one have so many "IPsec DPD failure" messages.

What do you think?

Pierluigi

Armando_Gomez_Barrio

New Member

Hi,

Managed to solve the problem of "ipsec dpd failure"

I have the some problem

Regards,

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded