Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jiyong
Staff
Staff

Created on ‎06-14-2023 11:39 PM Edited on ‎01-24-2025 06:42 AM By Moderator

Article Id 260424

Technical Tip: Explanation of IPsec VPN DPD Options and On-Idle tunnel flushing process

Description This article describes the operation process for IPsec VPN DPD options.
Scope FortiGate, all firmware.
Solution

DPD:

Disable: Disable Dead Peer Detection.
On-Demand: Trigger Dead Peer Detection when IPsec traffic is sent but no reply is received from the peer.

On-Idle: Trigger Dead Peer Detection when IPsec is idle.

 

Disable:

This mode is suitable in highly stable environments where DPD overhead is unwarranted.

 

On-Demand:

IKE sends DPDs only when outgoing packets are transmitted, but no incoming has been received within the last dpd-retryinterval seconds. When there is no traffic, IKE does not send any DPDs periodically.

 

On-Idle:

  1. If the configuration of Phase1 is changed to 'set dpd on-idle', a DPD request is sent if no valid ESP/IKE packet was received from the peer for the last dpd-retryinterval seconds. The tunnel will be flushed after 30 seconds, as per the DPD configuration:


set dpd-retrycount 3
set dpd-retryinterval 10


dpd-retrycount: How often will the DPD be attempted.

dpd-retryinterval: How long is the interval in seconds after which a DPD will be attempted again.

 

According to the above settings, a DPD packet is transmitted once every 10 seconds, a total of 3 times, and the flush is processed after 30 seconds.

 

     2. No traffic is passing through the tunnel, and DPD probes are sent.
     3. Eventually, after three probes are sent, the tunnel is flushed.

 

Simple topology configuration:- Local Client -> 'Local FGT' -> Router -> 'Remote FGT' -> Remote Client.

  • On-idle between both FortiGate devices, set to dpd-retrycount 3, dpd-retryinterval 10.
  • Local Client -> Remote Client (ping).
  • Remote FortiGateDevice external (line) interface DOWN.

 

Local FortiGate debugging result:


2023-03-23 22:21:46.580414 ike 0:to-remote: link is idle 3 10.200.1.1->10.200.3.1:0 dpd=1 seqno=1 rr=0 <----- Remote link idle.

2023-03-23 22:21:46.588954 ike 0:to-remote:4: send IKEv1 DPD probe, seqno 1 <----- DPD retries 3 times.
2023-03-23 22:21:46.632817 ike 0:to-remote:4: sent IKE msg (R-U-THERE): 10.200.1.1:500->10.200.3.1:500, len=108, vrf=0, id=68e3f84cd1a22400/5139d4ece62a1e3e:6f1e6cd8
2023-03-23 22:21:56.600268 ike 0:to-remote: link is idle 3 10.200.1.1->10.200.3.1:0 dpd=1 seqno=1 rr=0

2023-03-23 22:21:56.608507 ike 0:to-remote:4: send IKEv1 DPD probe, seqno 1
2023-03-23 22:21:56.652577 ike 0:to-remote:4: sent IKE msg (R-U-THERE): 10.200.1.1:500->10.200.3.1:500, len=108, vrf=0, id=68e3f84cd1a22400/5139d4ece62a1e3e:297e7382
2023-03-23 22:22:06.620321 ike 0:to-remote: link is idle 3 10.200.1.1->10.200.3.1:0 dpd=1 seqno=1 rr=0

2023-03-23 22:22:06.629309 ike 0:to-remote:4: send IKEv1 DPD probe, seqno 1
2023-03-23 22:22:06.673193 ike 0:to-remote:4: sent IKE msg (R-U-THERE): 10.200.1.1:500->10.200.3.1:500, len=108, vrf=0, id=68e3f84cd1a22400/5139d4ece62a1e3e:8d548199
2023-03-23 22:22:16.640833 ike 0:to-remote: link fail 3 10.200.1.1->10.200.3.1:0 dpd=1
2023-03-23 22:22:16.647891 ike 0:to-remote: link down 3 10.200.1.1->10.200.3.1:500
2023-03-23 22:22:16.655489 ike 0:to-remote: deleting
2023-03-23 22:22:16.660555 ike 0:to-remote: flushing <----- Tunnel flushing.

 

Remote FortiGate debugging result:


2023-03-23 22:21:49.573716 ike 0:to-local: link is idle 6 10.200.3.1->10.200.1.1:0 dpd=1 seqno=1 rr=0 <----- Remote link idle.

2023-03-23 22:21:49.581716 ike 0:to-local:2: send IKEv1 DPD probe, seqno 1
2023-03-23 22:21:49.625163 ike 0:to-local:2: could not send IKE Packet(R-U-THERE):10.200.3.1:500->10.200.1.1:500, len=108 vrf=0: error 101:Network is unreachable
2023-03-23 22:21:59.593526 ike 0:to-local: link is idle 6 10.200.3.1->10.200.1.1:0 dpd=1 seqno=1 rr=0

2023-03-23 22:21:59.601119 ike 0:to-local:2: send IKEv1 DPD probe, seqno 1
2023-03-23 22:21:59.642669 ike 0:to-local:2: could not send IKE Packet(R-U-THERE):10.200.3.1:500->10.200.1.1:500, len=108 vrf=0: error 101:Network is unreachable
2023-03-23 22:22:09.613581 ike 0:to-local: link is idle 6 10.200.3.1->10.200.1.1:0 dpd=1 seqno=1 rr=0

2023-03-23 22:22:09.621271 ike 0:to-local:2: send IKEv1 DPD probe, seqno 1
2023-03-23 22:22:09.668862 ike 0:to-local:2: could not send IKE Packet(R-U-THERE):10.200.3.1:500->10.200.1.1:500, len=108 vrf=0: error 101:Network is unreachable
2023-03-23 22:22:19.633997 ike 0:to-local: link fail 6 10.200.3.1->10.200.1.1:0 dpd=1
2023-03-23 22:22:19.641443 ike 0:to-local: link down 6 10.200.3.1->10.200.1.1:500
2023-03-23 22:22:19.648989 ike 0:to-local: deleting
2023-03-23 22:22:19.653763 ike 0:to-local: flushing <----- Tunnel flushing.

 

After the link is down, esp packets are maintained until the tunnel is flushed, but packets are not forwarded through the tunnel after flushing.


The tunnel is deleted after sending R-U-THERE (DPD) packets 3 times at 10-second intervals according to the dpd-retry count and interval settings.

 

total(30 seconds) = dpdretrycount(3 times) * dpdretryinterval(10 seconds)

 

Related article:
Technical Tip: Explanation of the DPD effect on a dialup IPsec tunnel SA lifetime

 

19505
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.