|
DPD options can be found in the GUI section:
DPD modes on FortiGate:
- On-Demand.
- On-Idle.
- Disable.
This mode is suitable in highly stable environments where DPD overhead is unwarranted. In this mode, FortiGate does not generate any DPD messages actively; however, it will respond to any incoming DPD message from the other peer of the IPsec tunnel (for example, FortiClient DPD messages).
IKE sends DPDs only when outgoing packets are transmitted, but no incoming packets have been received within the last dpd-retryinterval seconds. When there is no traffic, IKE does not send any DPDs periodically. On-demand mode is best for environments where traffic patterns are unpredictable, and an immediate response to connectivity issues is crucial.
On-Demand is the default setting.
Trigger Dead Peer Detection when IPsec is idle. On-idle mode is best for networks with regular traffic intervals, providing a balance between connectivity assurance and resource utilization.
- If the configuration of Phase1 is changed to 'set dpd on-idle', a DPD request is sent if no valid ESP/IKE packet was received from the peer for the last dpd-retryinterval seconds. The tunnel will be flushed after 30 seconds, as per the DPD configuration:
set dpd-retrycount 3
set dpd-retryinterval 10
dpd-retrycount: How often will the DPD be attempted.
dpd-retryinterval: How long is the interval in seconds after which a DPD will be attempted again.
According to the above settings, a DPD packet is transmitted once every 10 seconds, a total of 3 times, and the flush is processed after 30 seconds.
2. No traffic is passing through the tunnel, and DPD probes are sent.
3. Eventually, after three probes are sent, the tunnel is flushed.
Simple topology configuration: Local Client -> 'Local FGT' -> Router -> 'Remote FGT' -> Remote Client.
- On-idle between both FortiGate devices, set to dpd-retrycount 3, dpd-retryinterval 10.
- Local Client -> Remote Client (ping).
- Remote FortiGateDevice external (line) interface DOWN.
Local FortiGate debugging result:
2023-03-23 22:21:46.580414 ike 0:to-remote: link is idle 3 10.200.1.1->10.200.3.1:0 dpd=1 seqno=1 rr=0 <----- Remote link idle.
2023-03-23 22:21:46.588954 ike 0:to-remote:4: send IKEv1 DPD probe, seqno 1 <----- DPD retries 3 times.
2023-03-23 22:21:46.632817 ike 0:to-remote:4: sent IKE msg (R-U-THERE): 10.200.1.1:500->10.200.3.1:500, len=108, vrf=0, id=68e3f84cd1a22400/5139d4ece62a1e3e:6f1e6cd8
2023-03-23 22:21:56.600268 ike 0:to-remote: link is idle 3 10.200.1.1->10.200.3.1:0 dpd=1 seqno=1 rr=0
2023-03-23 22:21:56.608507 ike 0:to-remote:4: send IKEv1 DPD probe, seqno 1
2023-03-23 22:21:56.652577 ike 0:to-remote:4: sent IKE msg (R-U-THERE): 10.200.1.1:500->10.200.3.1:500, len=108, vrf=0, id=68e3f84cd1a22400/5139d4ece62a1e3e:297e7382
2023-03-23 22:22:06.620321 ike 0:to-remote: link is idle 3 10.200.1.1->10.200.3.1:0 dpd=1 seqno=1 rr=0
2023-03-23 22:22:06.629309 ike 0:to-remote:4: send IKEv1 DPD probe, seqno 1
2023-03-23 22:22:06.673193 ike 0:to-remote:4: sent IKE msg (R-U-THERE): 10.200.1.1:500->10.200.3.1:500, len=108, vrf=0, id=68e3f84cd1a22400/5139d4ece62a1e3e:8d548199
2023-03-23 22:22:16.640833 ike 0:to-remote: link fail 3 10.200.1.1->10.200.3.1:0 dpd=1
2023-03-23 22:22:16.647891 ike 0:to-remote: link down 3 10.200.1.1->10.200.3.1:500
2023-03-23 22:22:16.655489 ike 0:to-remote: deleting
2023-03-23 22:22:16.660555 ike 0:to-remote: flushing <----- Tunnel flushing.
Remote FortiGate debugging result:
2023-03-23 22:21:49.573716 ike 0:to-local: link is idle 6 10.200.3.1->10.200.1.1:0 dpd=1 seqno=1 rr=0 <----- Remote link idle.
2023-03-23 22:21:49.581716 ike 0:to-local:2: send IKEv1 DPD probe, seqno 1
2023-03-23 22:21:49.625163 ike 0:to-local:2: could not send IKE Packet(R-U-THERE):10.200.3.1:500->10.200.1.1:500, len=108 vrf=0: error 101:Network is unreachable
2023-03-23 22:21:59.593526 ike 0:to-local: link is idle 6 10.200.3.1->10.200.1.1:0 dpd=1 seqno=1 rr=0
2023-03-23 22:21:59.601119 ike 0:to-local:2: send IKEv1 DPD probe, seqno 1
2023-03-23 22:21:59.642669 ike 0:to-local:2: could not send IKE Packet(R-U-THERE):10.200.3.1:500->10.200.1.1:500, len=108 vrf=0: error 101:Network is unreachable
2023-03-23 22:22:09.613581 ike 0:to-local: link is idle 6 10.200.3.1->10.200.1.1:0 dpd=1 seqno=1 rr=0
2023-03-23 22:22:09.621271 ike 0:to-local:2: send IKEv1 DPD probe, seqno 1
2023-03-23 22:22:09.668862 ike 0:to-local:2: could not send IKE Packet(R-U-THERE):10.200.3.1:500->10.200.1.1:500, len=108 vrf=0: error 101:Network is unreachable
2023-03-23 22:22:19.633997 ike 0:to-local: link fail 6 10.200.3.1->10.200.1.1:0 dpd=1
2023-03-23 22:22:19.641443 ike 0:to-local: link down 6 10.200.3.1->10.200.1.1:500
2023-03-23 22:22:19.648989 ike 0:to-local: deleting
2023-03-23 22:22:19.653763 ike 0:to-local: flushing <----- Tunnel flushing.
After the link is down, ESP packets are maintained until the tunnel is flushed, but packets are not forwarded through the tunnel after flushing.
The tunnel is deleted after sending R-U-THERE (DPD) packets 3 times at 10-second intervals according to the dpd-retry count and interval settings.
total(30 seconds) = dpdretrycount(3 times) * dpdretryinterval(10 seconds)
Related article:
Technical Tip: Explanation of the DPD effect on a dialup IPsec tunnel SA lifetime
|
