The customer has two ISP connections at each site and two VPNs configured: ISP1 to ISP1 and ISP2 to ISP2. The customer wanted to reduce the time between one VPN dropping and the other coming up. One option I discussed with them was running a route-based VPN with OSPF. That approach has its own challenges, but in this article I will cover modifying the DPD settings to shorten the VPN fail-over time.
config vpn ipsec phase1-interface
    edit <phase1-name>
        set dpd on-idle
        set dpd-retrycount <#>        <---- by default, this value is 3
        set dpd-retryinterval <#>     <---- by default, this value is 20 (seconds)
    next
end
Here is the explanation of the options.
dpd-retrycount: how many times a DPD probe is retried (attempted again) before the peer is declared dead.
dpd-retryinterval: the interval in seconds after which a DPD probe is attempted again.
On a dial-up server, if many VPN connections are idle, the increased DPD exchange could negatively impact the performance and load of the IKE process. For this reason, the CLI offers an option to send DPD passively in a mode called "on-demand":
- When there is no traffic and the last DPD-ACK has been received, IKE will not send DPDs periodically.
- IKE will only send DPDs if there are outgoing packets to send but no inbound packets have been received since.
By default, the customer was failing over in 90 seconds; by modifying the DPD settings, the customer brought the fail-over time down to 20 seconds.
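To see how dpd-retrycount and dpd-retryinterval combine into a detection delay in the on-idle and on-demand modes described above, here is an added, simplified timer model written for this article. It is not FortiOS code; the timing rules in the docstring are assumptions of the model, and the traffic timestamps in the usage are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class DpdConfig:
    mode: str                # "on-idle" or "on-demand"
    retrycount: int = 3      # FortiOS default, as stated in the article
    retryinterval: int = 20  # seconds, FortiOS default, as stated in the article


def declared_dead_at(cfg: DpdConfig, last_inbound: float,
                     outgoing: Sequence[float] = ()) -> Optional[float]:
    """Time (s) at which the peer is declared dead under this simplified model.

    last_inbound: when the last packet (or DPD-ACK) arrived from the peer;
                  the peer is assumed to stay silent from then on.
    outgoing:     times at which local traffic wants to use the tunnel;
                  only consulted in on-demand mode.
    Model assumptions (not taken from FortiOS source):
      * the idle timer expires retryinterval seconds after last_inbound;
      * on-idle sends the first probe as soon as the idle timer expires;
      * on-demand defers that probe until the next outgoing packet;
      * after the first unanswered probe, retrycount retries follow
        retryinterval seconds apart, and the peer is dead after the last one.
    """
    if cfg.retrycount < 1 or cfg.retryinterval < 1:
        raise ValueError("retrycount and retryinterval must be positive")
    idle_expiry = last_inbound + cfg.retryinterval
    if cfg.mode == "on-idle":
        first_probe = idle_expiry
    elif cfg.mode == "on-demand":
        pending = [t for t in outgoing if t >= idle_expiry]
        if not pending:
            return None  # nothing to send, so no probe is ever raised
        first_probe = min(pending)
    else:
        raise ValueError(f"unknown DPD mode {cfg.mode!r}")
    return first_probe + cfg.retrycount * cfg.retryinterval


def failover_delay(cfg: DpdConfig, outgoing: Sequence[float] = ()) -> Optional[float]:
    """Seconds from the peer going silent (t=0) until the tunnel is torn down."""
    return declared_dead_at(cfg, last_inbound=0.0, outgoing=outgoing)


if __name__ == "__main__":
    # constructed comparison: defaults versus a shorter, more aggressive timer set
    print(failover_delay(DpdConfig("on-idle")))
    print(failover_delay(DpdConfig("on-idle", retrycount=2, retryinterval=5)))
    print(failover_delay(DpdConfig("on-demand"), outgoing=[5, 30, 45]))
```

The on-demand case shows why that mode trades detection speed for lower IKE load: with no outgoing traffic after the idle timer expires, the model never raises a probe and returns None.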