FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes how the DPD (Dead Peer Detection) function works with IKEv2.
Scope
FortiGate.
Solution
FortiOS IKEv2 retransmission mechanism has a 93-second timeout period, equal to 3+6+12+24+48, representing the interval of the initial packet and four retry packets, and it's not configurable currently.
With the DPD setting disabled, FortiOS never initiates a liveness check. With DPD on-demand or on-idle, FortiOS checks the liveness per required.
If no response is received from the remote gateway, the IKEv2 retransmission is triggered.
However, it does not honor the 'Number of DPD retry attempts' and 'DPD retry interval' settings individually:
If dpd-retrycount * dpd-retryinterval (e.g. the default setting 3*20=60) is less than 93, even the IKEv2 retransmission is still used, but the failure occurs after dpd-retrycount * dpd-retryinterval seconds have elapsed.
If dpd-retrycount * dpd-retryinterval (e.g. a tuned setting 4*30=120) is greater than 93, when the IKEv2 retransmission logic reaches its end (93 seconds), the IKE SA negotiation is aborted if there's a network connectivity problem. From the IKE debug output, one INFORMATIONAL message will be visible and four RETRANSMIT_INFORMATIONAL messages, followed by 'negotiation of IKE SA failed due to retry timeout'.
