FortiGate
GW
Staff
Article Id 294932
Description This article describes how the DPD (Dead Peer Detection) function works with IKEv2.
Scope FortiGate
Solution

The FortiOS IKEv2 retransmission mechanism has a fixed 93-second timeout, equal to 3+6+12+24+48 seconds: the wait after the initial packet followed by the waits after each of four retransmissions, doubling each time. This timeout is not configurable.

 

IKEv2 has no dedicated DPD message; liveness is checked with empty IKE INFORMATIONAL exchanges, as described in RFC 7296 (IKEv2).

FortiOS retransmits an unacknowledged IKE message a total of four times, doubling the wait for an acknowledgement each time, consistent with the RFC.
If no acknowledgement has arrived when the final 48-second wait expires, FortiGate brings the tunnel down.


When that happens, the IKE debug output (enabled with the commands below) shows the following:

 

diagnose debug console timestamp enable

diagnose debug application ike -1
diagnose debug enable

<additional logs omitted>

2025-07-08 13:04:39.713739 ike V=root:0:To HQ:2977: 04a371294377bd02/69d721d0598ca258 retransmission timeout
2025-07-08 13:04:39.713838 ike V=root:0:To HQ:2977: expiring IKE SA 04a371294377bd02/69d721d0598ca258
2025-07-08 13:04:39.713877 ike V=root:0:To HQ: going to be deleted
2025-07-08 13:04:39.714002 ike V=root:0:To HQ: flushing
2025-07-08 13:04:39.714119 ike V=root:0:To HQ: deleting IPsec SA with SPI 36eb56f5
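As an added example (not part of the original article), the following Python script scans IKE debug output of the form shown above and turns each 'retransmission timeout' line into a structured tunnel-down event, attaching the IPsec SPIs the daemon deletes afterwards for that tunnel. The sample lines it runs on are constructed to match the format above; the regular expressions assume the 'V=<vdom>:<index>:<tunnel name>:' prefix seen there and may need adjusting for other FortiOS builds.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the debug output above (not a real capture).
# "To HQ" times out; "To DC" deletes an IPsec SA without any preceding timeout
# (as a rekey would) and must not be reported as a tunnel-down event.
SAMPLE_DEBUG = """\
2025-07-08 13:04:39.713739 ike V=root:0:To HQ:2977: 04a371294377bd02/69d721d0598ca258 retransmission timeout
2025-07-08 13:04:39.713838 ike V=root:0:To HQ:2977: expiring IKE SA 04a371294377bd02/69d721d0598ca258
2025-07-08 13:04:39.713877 ike V=root:0:To HQ: going to be deleted
2025-07-08 13:04:39.714002 ike V=root:0:To HQ: flushing
2025-07-08 13:04:39.714119 ike V=root:0:To HQ: deleting IPsec SA with SPI 36eb56f5
2025-07-08 13:04:40.000001 ike V=root:0:To DC: deleting IPsec SA with SPI 1a2b3c4d
"""

# Assumed line prefix: timestamp, "ike", then V=<vdom>:<index>:<tunnel name>:
PREFIX = (r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) ike "
          r"V=(?P<vdom>\w+):(?P<idx>\d+):(?P<tunnel>[^:]+):")
TIMEOUT_RE = re.compile(PREFIX + r"\d+: (?P<ispi>[0-9a-f]{16})/(?P<rspi>[0-9a-f]{16}) "
                        r"retransmission timeout$")
IPSEC_DEL_RE = re.compile(PREFIX + r" deleting IPsec SA with SPI (?P<spi>[0-9a-f]+)$")


@dataclass
class TunnelDown:
    ts: str
    vdom: str
    tunnel: str
    ike_spi_i: str          # initiator IKE SPI
    ike_spi_r: str          # responder IKE SPI
    ipsec_spis: list = field(default_factory=list)


def parse_ike_debug(text):
    """Return one TunnelDown per 'retransmission timeout' line, with the IPsec SPIs
    the IKE daemon subsequently deletes for the same vdom/tunnel attached to it."""
    events = []
    open_by_tunnel = {}  # (vdom, tunnel) -> TunnelDown still collecting SPIs
    for line in text.splitlines():
        m = TIMEOUT_RE.match(line)
        if m:
            ev = TunnelDown(m["ts"], m["vdom"], m["tunnel"], m["ispi"], m["rspi"])
            events.append(ev)
            open_by_tunnel[(ev.vdom, ev.tunnel)] = ev
            continue
        m = IPSEC_DEL_RE.match(line)
        if m:
            ev = open_by_tunnel.get((m["vdom"], m["tunnel"]))
            if ev is not None:  # ignore deletes not preceded by a timeout (e.g. rekey)
                ev.ipsec_spis.append(m["spi"])
    return events


if __name__ == "__main__":
    for ev in parse_ike_debug(SAMPLE_DEBUG):
        print(f"{ev.ts} vdom={ev.vdom} tunnel={ev.tunnel!r} "
              f"ike={ev.ike_spi_i}/{ev.ike_spi_r} ipsec_spis={ev.ipsec_spis}")
```

Feed it the saved output of the three diagnose commands above; the tunnel name and IKE SPIs in each event are what you need to correlate with the 'expiring IKE SA' line and with the peer's own logs.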

 

With DPD set to on-demand or on-idle, FortiOS initiates liveness checks as required; with DPD disabled, it never initiates one. The retransmission timeout, however, is not tied to DPD: it is triggered by any IKE request that is never acknowledged, for example a CREATE_CHILD_SA exchange used to establish a phase 2 IPsec SA. An IKEv2 tunnel can therefore be brought down because IKE messages went unanswered even when DPD is disabled in the phase1-interface configuration.

 
To view the DPD settings in the GUI, visit VPN -> IPsec Tunnels -> Select the VPN tunnel -> Edit tunnel -> Network.


 

If the remote gateway never responds, IKEv2 retransmission takes over. The 'Number of DPD retry attempts' (dpd-retrycount) and 'DPD retry interval' (dpd-retryinterval) settings are not honoured individually; only their product matters, and it acts as a cap on the fixed 93-second window:

 

  • If dpd-retrycount * dpd-retryinterval is less than 93 (e.g. the default 3*20=60), IKEv2 retransmission still runs, but the tunnel is declared failed once dpd-retrycount * dpd-retryinterval seconds (60 in this case) have elapsed.
  • If dpd-retrycount * dpd-retryinterval is greater than 93 (e.g. a tuned 4*30=120), the retransmission logic reaches its end first: after 93 seconds the existing IKE SA is flushed and the tunnel is brought down, and the extra DPD time is never used.

In short, the time taken to detect a dead peer is the smaller of dpd-retrycount * dpd-retryinterval and 93 seconds.
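The two rules can be captured in a small model. The following Python, added here as an example rather than taken from the article, computes the fixed retransmission schedule, applies the rules to a tunnel's dpd, dpd-retrycount and dpd-retryinterval values, and reads those values from a 'config vpn ipsec phase1-interface' fragment so a whole configuration can be audited at once. The configuration fragment is constructed for the example, and the defaults it assumes for unset values (dpd on-demand, 3 retries, 20 seconds) are an assumption taken from the article's 'default setting 3*20=60'.

```python
import re

# Fixed FortiOS IKEv2 retransmission schedule described above: the initial message,
# then four retransmissions with the wait doubling each time, 3+6+12+24+48 = 93 s.
IKEV2_WAITS = (3, 6, 12, 24, 48)
IKEV2_RETRANSMIT_TIMEOUT = sum(IKEV2_WAITS)  # 93, not configurable

# Assumed defaults for unset DPD settings (the article's "default setting 3*20=60").
DEFAULT_DPD = {"dpd": "on-demand", "dpd-retrycount": 3, "dpd-retryinterval": 20}


def retransmission_schedule():
    """Offsets (s) at which the original message and each retry are sent, plus the
    offset at which 'retransmission timeout' fires if nothing is ever acknowledged."""
    sends = [0]
    for wait in IKEV2_WAITS[:-1]:
        sends.append(sends[-1] + wait)
    return sends, sends[-1] + IKEV2_WAITS[-1]


def effective_teardown_seconds(dpd, retrycount, retryinterval):
    """Seconds from the first unanswered liveness check (or any unanswered IKE
    request) until FortiOS flushes the IKE SA, applying the two rules above."""
    if dpd == "disable":
        # No liveness probes are sent; a dead peer is only noticed when some other
        # IKE request (e.g. CREATE_CHILD_SA) goes unanswered for the full 93 s.
        return IKEV2_RETRANSMIT_TIMEOUT
    if dpd not in ("on-idle", "on-demand"):
        raise ValueError(f"unknown dpd mode {dpd!r}")
    if retrycount < 1 or retryinterval < 1:
        raise ValueError("dpd-retrycount and dpd-retryinterval must be positive")
    # The product only ever shortens the window; it can never extend it past 93 s.
    return min(retrycount * retryinterval, IKEV2_RETRANSMIT_TIMEOUT)


def parse_phase1_dpd(config_text):
    """Extract DPD settings per tunnel from 'config vpn ipsec phase1-interface' output."""
    tunnels = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit "([^"]+)"$', line)
        if m:
            current = m.group(1)
            tunnels[current] = dict(DEFAULT_DPD)  # start from the assumed defaults
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r"^set (dpd|dpd-retrycount|dpd-retryinterval) (\S+)$", line)
        if m and current is not None:
            key, val = m.groups()
            tunnels[current][key] = val if key == "dpd" else int(val)
    return tunnels


def audit(config_text):
    """Map each tunnel name to its effective dead-peer teardown time in seconds."""
    return {
        name: effective_teardown_seconds(s["dpd"], s["dpd-retrycount"], s["dpd-retryinterval"])
        for name, s in parse_phase1_dpd(config_text).items()
    }


# Constructed configuration fragment (not from the article) covering the three cases.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "To HQ"
        set ike-version 2
        set dpd on-idle
        set dpd-retrycount 3
        set dpd-retryinterval 20
    next
    edit "To DC"
        set ike-version 2
        set dpd on-demand
        set dpd-retrycount 4
        set dpd-retryinterval 30
    next
    edit "To Branch"
        set ike-version 2
        set dpd disable
    next
end
"""

if __name__ == "__main__":
    sends, timeout = retransmission_schedule()
    print("IKEv2 sends at", sends, "s; retransmission timeout at", timeout, "s")
    for name, secs in audit(SAMPLE_CONFIG).items():
        print(f"{name}: tunnel down after {secs} s without a reply")
```

Paste the output of 'show vpn ipsec phase1-interface' in place of SAMPLE_CONFIG to see, per tunnel, how long a silent peer survives: raising dpd-retrycount or dpd-retryinterval beyond a product of 93 changes nothing on an IKEv2 tunnel.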

 

Related articles:

Technical Tip: Configuring DPD (dead peer detection) on IPsec VPN

Technical Tip: Explanation of IPsec VPN DPD options and on-Idle tunnel flushing process