Technical Tip: IKEv2 retransmission and DPD

FortiOS IKEv2 retransmission mechanism has a 93-second timeout period, equal to 3+6+12+24+48, representing the interval of the initial packet and four retry packets, and it's not configurable currently.

With the DPD setting disabled, FortiOS never initiates a liveness check. With DPD on-demand or on-idle, FortiOS checks the liveness per required.

Go to: VPN -> IPsec Tunnels -> Select the VPN tunnel -> Edit tunnel -> Network.

If no response is received from the remote gateway, the IKEv2 retransmission is triggered.

However, it does not honor the 'Number of DPD retry attempts' and 'DPD retry interval' settings individually:

• If dpd-retrycount * dpd-retryinterval (e.g. the default setting 3*20=60) is less than 93, even the IKEv2 retransmission is still used, but the failure occurs after dpd-retrycount * dpd-retryinterval seconds have elapsed.
• If dpd-retrycount * dpd-retryinterval (e.g. a tuned setting 4*30=120) is greater than 93, when the IKEv2 retransmission logic reaches its end (93 seconds), the IKE SA negotiation is aborted if there's a network connectivity problem. From the IKE debug output, one INFORMATIONAL message will be visible and four RETRANSMIT_INFORMATIONAL messages, followed by 'negotiation of IKE SA failed due to retry timeout'.

Related article:

Technical Tip: Configuring DPD (dead peer detection) on IPsec VPN