Created on 01-21-2025 06:52 AM
Edited on 09-10-2025 03:53 AM
By Jean-Philippe_P
Description: This article describes intermittent disconnections of FortiClient from a dial-up VPN caused by DPD (Dead Peer Detection).
Scope: FortiGate, FortiClient.
Solution:
There have been instances where FortiClient experiences random disconnections from the dial-up VPN. The IKE debug output on the FortiGate shows the following:

    ike V=root:0:ASCL-VPN_0:343765: recv IPsec SA delete, spi count 1

The FortiGate is receiving a notification from the user station to remove the connection: the client side is the one tearing the tunnel down, not the FortiGate.
Dead Peer Detection (DPD) is the mechanism that checks whether the IKE peer of an IPsec VPN connection is still reachable. It identifies when a peer stops responding or becomes unavailable, so that the VPN devices can re-establish the connection promptly instead of waiting for the security association to expire. DPD periodically exchanges probes with the peer to confirm its availability and preserve the stability of the tunnel. Because unreachable peers are detected quickly, DPD speeds up failover and lets traffic be rerouted without waiting for the traditional timeout intervals, which reduces unnecessary tunnel downtime and helps business-critical applications maintain continuous connectivity.

In the case above, however, the FortiGate is not timing out the peer; it receives a delete notification from the user station, which means the client's DPD logic judged the tunnel dead and tore it down. When this happens intermittently, disabling DPD on both the firewall and FortiClient can resolve the disconnections.
To disable DPD on the FortiGate for the dial-up IPsec VPN, run the commands below (replace <phase1_name> with the name of the dial-up phase1 interface, ASCL-VPN in the debug output above):

    config vpn ipsec phase1-interface
        edit <phase1_name>
            set dpd disable
        next
    end
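Before changing DPD, it helps to confirm from the IKE debug output which dial-up instances are actually flapping. The following script is an added example written for this article, not Fortinet code: it parses IKE debug lines of the shape shown above (`ike V=<vdom>:<idx>:<gateway>:<seq>: <message>`, with the `V=<vdom>:` prefix treated as optional), counts the `recv IPsec SA delete` notifications per gateway instance, and flags instances that exceed a threshold. The sample log embedded in the script is constructed for the demonstration; only the first line's shape is taken from the article.

```python
import re
from collections import Counter

# Matches the FortiGate IKE debug line format quoted in the article, e.g.
#   ike V=root:0:ASCL-VPN_0:343765: recv IPsec SA delete, spi count 1
# Assumption: the "V=<vdom>:" prefix may be absent on releases that omit it.
IKE_LINE = re.compile(
    r"^ike (?:V=(?P<vdom>[\w-]+):)?(?P<idx>\d+):(?P<gw>[^:]+):(?P<seq>\d+): (?P<msg>.+)$"
)

# The message the article identifies as the client tearing the tunnel down.
SA_DELETE = "recv IPsec SA delete"

# Constructed sample debug output (not captured from a real device); only the first
# line's shape comes from the article, the rest exist to exercise the parser.
SAMPLE_LOG = """\
ike V=root:0:ASCL-VPN_0:343765: recv IPsec SA delete, spi count 1
ike V=root:0:ASCL-VPN_0:343770: constructed non-delete message
ike V=root:0:ASCL-VPN_0:343790: recv IPsec SA delete, spi count 1
ike V=root:0:ASCL-VPN_1:343801: recv IPsec SA delete, spi count 1
ike V=root:0:ASCL-VPN_0:343822: recv IPsec SA delete, spi count 1
garbage line that the parser must ignore
ike V=root:0:SITE-B_0:343830: recv IPsec SA delete, spi count 2
ike 0:ASCL-VPN_0:343850: recv IPsec SA delete, spi count 1
"""


def parse_ike_line(line):
    """Parse one IKE debug line into vdom/idx/gw/seq/msg; return None if it does not match."""
    m = IKE_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["vdom"] = rec["vdom"] or "root"  # assume root VDOM when the prefix is absent
    rec["idx"] = int(rec["idx"])
    rec["seq"] = int(rec["seq"])
    return rec


def count_sa_deletes(lines):
    """Count 'recv IPsec SA delete' notifications per gateway instance (phase1 name + _N)."""
    counts = Counter()
    for line in lines:
        rec = parse_ike_line(line)
        if rec is not None and rec["msg"].startswith(SA_DELETE):
            counts[rec["gw"]] += 1
    return counts


def flapping_gateways(lines, threshold=3):
    """Gateway instances whose delete count reaches the threshold, sorted by name."""
    return sorted(gw for gw, n in count_sa_deletes(lines).items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for gw, n in count_sa_deletes(lines).most_common():
        print(f"{gw}: {n} SA delete notification(s)")
    print("flapping:", flapping_gateways(lines))
```

Feed it the output of the FortiGate's IKE debug (for example redirected to a file) and raise the threshold to suit the observation window. If DPD is then disabled as the article suggests, keep in mind that the FortiGate no longer probes the peer itself, so a client that drops silently remains in the tunnel list until its security association expires; the per-instance counts are one way to confirm the flapping is real before making that trade.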
Copyright 2025 Fortinet, Inc. All Rights Reserved.