Cybersecurity Forum


Nik
New Contributor II

IPsec tunnel timeout problem

Hi,

I have an IPsec tunnel to a Meraki MX, and users behind the MX sometimes complain that they cannot reach the resources behind the FortiGate. We solve this immediately by doing a ping from one of the servers behind the FortiGate to the local network behind the MX. So basically, if we have a continuous ping running, the users never experience connection problems, but without it the tunnel seems to go down. I have recreated the tunnel and enabled auto-negotiate, but the issue is still the same.

Has anyone had this problem before?

BR Nik
IT_Ahan2
New Contributor III

Which services are running over that tunnel?


It seems to be related to auto-negotiation. Can you cross-check the phase 1 and phase 2 details?

akileshc
Staff

To prevent the IPsec tunnel from being terminated because there is no continuous interesting traffic on the FortiGate, you can configure the Dead Peer Detection (DPD) feature. DPD monitors the IPsec connection and sends a series of probe messages to the remote peer at regular intervals. If the remote peer does not respond to these probe messages, the FortiGate will assume that the remote peer is no longer available and will terminate the IPsec tunnel.


To enable DPD on FortiGate when IPsec is idle, you can use the "on-idle" option. This option allows you to configure DPD to only trigger when there is no traffic flowing over the IPsec tunnel.


# config vpn ipsec phase1-interface
    edit <Tunnel Name>
        set dpd on-idle
        set dpd-retryinterval 20
        set dpd-retrycount 3
    next
end

You can also refer to the KB article below for further explanation:

++ https://community.fortinet.com/t5/FortiClient/Technical-Tip-Configuring-DPD-dead-peer-detection-on-I...


Akilesh
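As an added example (not from the thread or from Fortinet), a small audit that parses FortiOS-style `config vpn ipsec phase1-interface` output and flags tunnels whose DPD mode is disabled, left at on-demand, or not set at all, so an idle tunnel like the one Nik describes would not be probed. The config text, tunnel names and values are constructed for this example; the parser assumes the plain `edit ... set ... next` block syntax shown in the reply above.

```python
import re
from typing import Dict

# Constructed sample modelled on "show vpn ipsec phase1-interface" output.
# Tunnel names and values are made up for this example.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "to-meraki"
        set dpd on-demand
        set dpd-retryinterval 20
        set dpd-retrycount 3
    next
    edit "to-branch"
        set dpd disable
    next
    edit "to-dc"
        set dpd on-idle
        set dpd-retryinterval 20
        set dpd-retrycount 3
    next
end
"""


def parse_phase1(text: str) -> Dict[str, Dict[str, str]]:
    """Return {tunnel_name: {setting: value}} for each edit...next block."""
    tunnels: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            tunnels[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            tunnels[current][key] = value.strip('"')
        elif line == "next":
            current = None
    return tunnels


def audit_dpd(tunnels: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Flag tunnels whose DPD mode would let an idle tunnel die unnoticed."""
    advice = {
        "on-idle": "ok",
        "disable": "dpd disabled; idle tunnel state is never checked",
        "on-demand": "dpd on-demand only probes when traffic gets no reply; use on-idle",
    }
    return {name: advice.get(cfg.get("dpd"), "dpd not explicitly set; verify effective value")
            for name, cfg in tunnels.items()}
```

Run `audit_dpd(parse_phase1(SAMPLE_CONFIG))` to see one finding per tunnel; the same functions work on a pasted copy of your own phase1-interface config.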