Which services are running through that tunnel?
It seems like it is related to auto-negotiation. Can you cross-check the phase 1 and phase 2 details?
To prevent the IPsec tunnel from being terminated because there is no continuous interesting traffic on the FortiGate, you can configure the Dead Peer Detection (DPD) feature. DPD monitors the IPsec connection and sends a series of probe messages to the remote peer at regular intervals. If the remote peer does not respond to these probe messages, the FortiGate assumes that the remote peer is no longer available and terminates the IPsec tunnel.
To enable DPD on the FortiGate when IPsec is idle, use the "on-idle" option. This option configures DPD to trigger only when no traffic is flowing over the IPsec tunnel.
config vpn ipsec phase1-interface
    edit <Tunnel Name>
        set dpd on-idle
        set dpd-retryinterval 20
        set dpd-retrycount 3
    next
end
You can also refer to the KB article below for further explanation:
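The reply above shows the DPD settings for a single tunnel. When a FortiGate carries many tunnels, the practical question for an operator is which tunnels have DPD disabled or set to a mode that does not probe an idle peer, and how long a dead peer goes unnoticed (retry interval multiplied by retry count). The following Python script is an added example written for this page, not code from the forum post or from Fortinet: it parses a constructed dump shaped like the output of `show vpn ipsec phase1-interface` (tunnel names, addresses and the PSK placeholder are invented) and reports each tunnel's DPD mode and worst-case detection window. The fallback values used when a tunnel does not set `dpd`, `dpd-retryinterval` or `dpd-retrycount` explicitly are assumed FortiOS defaults.

```python
"""Audit DPD settings in a FortiOS 'config vpn ipsec phase1-interface' dump."""
import re
from dataclasses import dataclass, field

# Constructed sample, shaped like `show vpn ipsec phase1-interface` output.
# Tunnel names, peer addresses and the PSK placeholder are invented.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "to-branch-a"
        set interface "wan1"
        set proposal aes256-sha256
        set dpd on-idle
        set dpd-retryinterval 20
        set dpd-retrycount 3
        set remote-gw 203.0.113.10
        set psksecret ENC PLACEHOLDER
    next
    edit "to-branch-b"
        set interface "wan1"
        set dpd disable
        set remote-gw 203.0.113.20
    next
    edit "to-branch-c"
        set interface "wan1"
        set dpd on-demand
        set remote-gw 203.0.113.30
    next
end
"""

# Assumed FortiOS defaults, applied when a tunnel does not set the value.
DEFAULT_DPD_MODE = "on-demand"
DEFAULT_RETRY_INTERVAL = 20   # seconds between probes
DEFAULT_RETRY_COUNT = 3       # unanswered probes before the peer is declared dead

_EDIT = re.compile(r'^\s*edit\s+"?([^"]+?)"?\s*$')
_SET = re.compile(r'^\s*set\s+(\S+)\s+(.+?)\s*$')


@dataclass
class Phase1:
    """One 'edit ... next' block of the phase1-interface table."""
    name: str
    settings: dict = field(default_factory=dict)

    @property
    def dpd_mode(self) -> str:
        return self.settings.get("dpd", DEFAULT_DPD_MODE)

    @property
    def dpd_retryinterval(self) -> int:
        return int(self.settings.get("dpd-retryinterval", DEFAULT_RETRY_INTERVAL))

    @property
    def dpd_retrycount(self) -> int:
        return int(self.settings.get("dpd-retrycount", DEFAULT_RETRY_COUNT))


def parse_phase1(text: str) -> list:
    """Return one Phase1 object per 'edit' block, with quotes stripped from values."""
    tunnels, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("edit "):
            current = Phase1(name=_EDIT.match(line).group(1))
        elif stripped == "next" and current is not None:
            tunnels.append(current)
            current = None
        elif current is not None:
            m = _SET.match(line)
            if m:
                value = m.group(2)
                if len(value) >= 2 and value[0] == value[-1] == '"':
                    value = value[1:-1]
                current.settings[m.group(1)] = value
    return tunnels


def dpd_detection_seconds(tunnel: Phase1):
    """Worst-case time before a dead peer is declared; None when DPD is off."""
    if tunnel.dpd_mode == "disable":
        return None
    return tunnel.dpd_retryinterval * tunnel.dpd_retrycount


def audit(tunnels: list) -> dict:
    """Map tunnel name -> DPD mode, detection window and a pass/fail flag."""
    report = {}
    for t in tunnels:
        report[t.name] = {
            "remote_gw": t.settings.get("remote-gw", "?"),
            "dpd_mode": t.dpd_mode,
            "detection_seconds": dpd_detection_seconds(t),
            "ok": t.dpd_mode != "disable",
        }
    return report


if __name__ == "__main__":
    for name, row in audit(parse_phase1(SAMPLE_CONFIG)).items():
        flag = "OK  " if row["ok"] else "WARN"
        print(f"{flag} {name:<14} {row['remote_gw']:<15} dpd={row['dpd_mode']:<10} "
              f"detect={row['detection_seconds']}s")
```

Feed it the real `show vpn ipsec phase1-interface` output instead of `SAMPLE_CONFIG` to get the same report for a live device; tunnels flagged `WARN` have no DPD at all, and the detection window tells you how long traffic will be black-holed into a tunnel whose peer has silently gone away before the FortiGate notices.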