IPsec tunnel timeout problem
I have an IPsec tunnel to a Meraki MX, and users behind the MX are complaining sometimes that they cannot reach the resources back behind the FortiGate. We solve this immediately by doing a ping from one of the servers behind the FortiGate to the local network behind the MX. So basically, if we have a continuous ping the users will never experience connection problems, but without it the tunnel seems to go down. I have recreated the tunnel, I have enabled auto-negotiate, but still the same issue.
Has anyone had this problem before?
BR Nik
Labels: vpn
Which services are running across that tunnel?
It seems like it is related to auto-negotiation. Can you cross-check the phase 1 and phase 2 details?
To prevent the IPsec tunnel from being terminated due to no continuous interesting traffic on the FortiGate, you can configure the Dead Peer Detection (DPD) feature. DPD monitors the IPsec connection and sends a series of probe messages to the remote peer at regular intervals. If the remote peer does not respond to these probe messages, the FortiGate assumes that the remote peer is no longer available and terminates the IPsec tunnel.
To enable DPD on the FortiGate when IPsec is idle, use the "on-idle" option. This option configures DPD to trigger only when there is no traffic flowing over the IPsec tunnel.
```
config vpn ipsec phase1-interface
    edit <Tunnel Name>
        set dpd on-idle
        set dpd-retryinterval 20
        set dpd-retrycount 3
    next
end
```
You can also refer to the KB article below for further explanation:
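As an added example (not from this thread and not Fortinet code), here is a small Python audit that parses a FortiOS `config vpn ipsec phase1-interface` dump in the same shape as the snippet above, reports each tunnel's DPD mode, and computes how long a silent peer goes unnoticed (retry interval multiplied by retry count). The sample config, tunnel names and peer addresses are constructed; the fallback interval and count values and the assumption that `on-demand` is the default DPD mode are taken from FortiOS documentation and are assumptions, not values from this thread.

```python
"""Audit Dead Peer Detection (DPD) settings in a FortiOS phase1-interface dump.

Added example, not from the thread. SAMPLE_CONFIG is a constructed dump in the
shape of the snippet posted above; tunnel names and peer IPs are made up.
"""
import re

# Assumed FortiOS fallback values when a tunnel does not set them explicitly.
DEFAULT_RETRY_INTERVAL = 20   # seconds between DPD probes
DEFAULT_RETRY_COUNT = 3       # unanswered probes before the peer is declared dead
DEFAULT_DPD_MODE = "on-demand"  # assumption: FortiOS default when 'set dpd' is absent

SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "to-meraki-mx"
        set interface "wan1"
        set remote-gw 203.0.113.10
        set dpd on-idle
        set dpd-retryinterval 20
        set dpd-retrycount 3
    next
    edit "to-branch-b"
        set interface "wan1"
        set remote-gw 198.51.100.7
        set dpd disable
    next
    edit "to-branch-c"
        set interface "wan1"
        set remote-gw 192.0.2.9
        set dpd on-demand
        set dpd-retryinterval 5
        set dpd-retrycount 10
    next
end
"""


def parse_phase1(config_text):
    """Return {tunnel_name: {setting: value}} for each 'edit ... next' block.

    Only the 'config vpn ipsec phase1-interface' section is read; any other
    sections in a full-config dump are ignored.
    """
    tunnels = {}
    in_section = False
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config vpn ipsec phase1-interface":
            in_section = True
            continue
        if not in_section:
            continue
        if line == "end":
            break
        m = re.match(r'edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            tunnels[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r'set\s+(\S+)\s+(.+)$', line)
        if m and current is not None:
            tunnels[current][m.group(1)] = m.group(2).strip('"')
    return tunnels


def dpd_dead_time(settings):
    """Seconds of silence before the FortiGate declares the peer dead; None if DPD is off."""
    mode = settings.get("dpd", DEFAULT_DPD_MODE)
    if mode == "disable":
        return None
    interval = int(settings.get("dpd-retryinterval", DEFAULT_RETRY_INTERVAL))
    count = int(settings.get("dpd-retrycount", DEFAULT_RETRY_COUNT))
    return interval * count


def audit(config_text):
    """Return a list of (tunnel, dpd_mode, dead_time_seconds, finding) tuples."""
    results = []
    for name, settings in parse_phase1(config_text).items():
        mode = settings.get("dpd", DEFAULT_DPD_MODE)
        dead_time = dpd_dead_time(settings)
        if dead_time is None:
            finding = "DPD disabled: a dead peer is only noticed when traffic fails"
        elif mode == "on-idle":
            finding = "on-idle: probes are sent whenever the tunnel is quiet"
        else:
            finding = "on-demand: probes only when traffic is sent and nothing returns"
        results.append((name, mode, dead_time, finding))
    return results


if __name__ == "__main__":
    for row in audit(SAMPLE_CONFIG):
        print(row)
```

Run it against a `show vpn ipsec phase1-interface` dump to see at a glance which tunnels have DPD disabled and how long (interval times count) each remaining tunnel tolerates a silent peer before tearing down.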
