jcovarrubias
Staff
Article Id 397214
Description

This article describes the common causes of IPSec VPN disconnection issues and provides a systematic approach to troubleshooting intermittent disconnections in FortiGate IPSec VPN deployments.

Scope

FortiGate Firewalls.
Solution
  1. Introduction.
  2. Understanding IPSec VPN Connection Fundamentals.
  3. Common Causes of IPSec VPN Disconnections.
    • Dead Peer Detection (DPD).
    • Keepalive Mechanisms.
    • IP Protocol Issues (IPv4/IPv6).
    • Network Path Issues.
    • Traffic Idle Timeouts.
    • Rekey Operations.
    • Hardware Offloading Issues.
  4. Troubleshooting Methodology.
  5. Preventive Measures and Best Practices.
  6. Conclusion.

 

IPSec Protocol Basics.

IPSec VPN tunnels maintain their connection status through several underlying mechanisms. Understanding these mechanisms is crucial for properly diagnosing disconnection issues.

 

IPSec VPN consists of two main phases:

  1. Phase 1, IKE (UDP 500, or UDP 4500 when NAT-T is in use): establishes an authenticated, encrypted control channel (the IKE SA) between the peers. Over this channel the security parameters for Phase 2 are negotiated, and this is also the layer at which peer liveness is decided: DPD runs over IKE, so a tunnel is declared down here even when the data path is the real problem.
  2. Phase 2, IPsec (ESP, IP protocol 50; with NAT-T, ESP encapsulated in UDP 4500): using the parameters negotiated in Phase 1, the IPsec SAs carry the actual tunnelled data.

Both phases have lifetimes, after which renegotiation is required. Improper handling of this renegotiation process can result in disconnections from the tunnel.

 

Common Causes of IPSec VPN Disconnections.

Dead Peer Detection (DPD).

DPD is a mechanism that detects when a VPN peer is no longer responsive. The probes travel over the IKE channel, not the data path, and on FortiGate the behaviour is chosen per phase1 with set dpd on-idle, set dpd on-demand (the default) or set dpd disable. In on-idle mode the FortiGate starts sending "Are You There?" probes once the tunnel has carried no traffic for the retry interval; in on-demand mode it only probes when it has sent traffic to the peer and received nothing back, so a quiet tunnel is left alone.

 

How DPD Works:

  • The FortiGate sends R_U_THERE messages (IKEv1, RFC 3706) or empty INFORMATIONAL liveness exchanges (IKEv2) when no traffic is detected for the DPD retry interval (dpd-retryinterval).
  • If no response is received after the configured number of retries (dpd-retrycount), the IKE SA and its phase2 SAs are torn down.

 

Impact on Disconnections:
When DPD is set too aggressively (short retry intervals, low retry counts), normal network fluctuations can trigger unnecessary tunnel teardowns. This is especially problematic for users on non-dedicated internet connections like residential broadband, where packet loss is more common.
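The contrast below is an added example and not part of the original article: the same phase1-interface with a DPD setting that declares the peer dead after a few seconds of packet loss, next to a more tolerant one. The tunnel name "site-b" and the specific values are illustrative; the option names are the standard phase1-interface DPD settings.

```fortios
# Aggressive: on-idle probing every 2 s, give up after 2 misses.
# About 4 s of packet loss on a quiet link is enough to tear the tunnel down.
config vpn ipsec phase1-interface
    edit "site-b"
        set dpd on-idle
        set dpd-retryinterval 2
        set dpd-retrycount 2
    next
end

# Tolerant: probe every 20 s, allow 3 misses (the FortiOS defaults for interval and count).
# The peer must now be unreachable for roughly a minute before the tunnel is declared dead.
config vpn ipsec phase1-interface
    edit "site-b"
        set dpd on-idle
        set dpd-retryinterval 20
        set dpd-retrycount 3
    next
end
```

With set dpd on-demand (the default) the FortiGate only probes when it has sent traffic and received nothing back, so a quiet tunnel is never torn down by DPD alone; on-idle is the mode that actively probes idle tunnels and therefore the one that needs conservative timers on lossy links. The values in effect for a gateway, including the DPD mode and timers, can be read with diagnose vpn ike gateway list name site-b.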

 

For more information on DPD configuration and troubleshooting, review the following KB article:

Technical Tip: Configuring DPD (dead peer detection) on IPsec VPN

 

Keepalive Mechanisms.

Keepalive messages maintain the tunnel's active state by generating periodic traffic. Unlike DPD, which checks if a peer is alive, keepalives prevent the tunnel from going idle. Without keepalives, a tunnel that experiences no user traffic may be susceptible to disconnection due to DPD or other timeout mechanisms. The relevant phase2 configuration is:

 

config vpn ipsec phase2-interface
    edit "phase2-name"
        set keepalive enable
    next
end

 

IP Protocol Issues (IPv4/IPv6).

A common but often overlooked cause of disconnection is the presence of dual IP protocol stacks. When a client has both IPv4 and IPv6 enabled but the VPN is configured primarily for IPv4, protocol conflicts can occur.

 

This can manifest as:

  • Tunnel establishment over IPv6 when it was intended for IPv4 traffic.
  • Peer identification issues where the client attempts to use an IPv6 address as its peer ID.
  • Routing conflicts between IPv4 and IPv6 traffic.

To verify if this is causing issues, the following article can help.

Technical Tip: FortiClient IPsec dialup tunnel keep disconnecting

 

Network Path Issues.

Network path problems are often the root cause of intermittent disconnections, especially when they only affect specific users or locations.

 

Common network path issues include:

  • ISP traffic shaping, rate-limiting or filtering of IPsec traffic (UDP ports 500/4500 and ESP, IP protocol 50).
  • Intermittent packet loss on residential internet connections.
  • NAT device timeouts that close translation entries for idle connections.
  • Firewalls or routers along the path dropping ESP packets. ESP carries no port numbers, so devices that do not track IP protocol 50 may silently discard it; enabling NAT traversal so that ESP is carried inside UDP 4500 is the usual workaround.

 

These issues need to be reviewed with the ISP, since they occur outside the IPsec peers. Before escalating, confirm them from the FortiGate side: a packet capture on the WAN interface that shows IKE and ESP leaving but nothing (or only intermittent packets) returning from the peer during a disconnect points at the path rather than at the VPN configuration.

 

Traffic Idle Timeouts.

Many network devices maintain connection state tables and will remove entries for connections that remain idle for too long. When this happens, the tunnel may appear to be up but cannot pass traffic, leading to a disconnect when traffic resumes.

 

Idle timeout issues can be mitigated by:

  • Enabling keepalives to generate periodic traffic.
  • Configuring appropriate DPD settings.
  • Implementing application-level keepalives for critical services.
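As an added example (illustrative configuration, not taken from the article), the following site-to-site tunnel is tuned for a path with an intermediate NAT device that expires idle UDP translations quickly, which covers both the NAT timeout and the idle timeout cases above. The names, subnets and the peer address 203.0.113.10 (a documentation address) are assumptions, and the PSK is a placeholder.

```fortios
config vpn ipsec phase1-interface
    edit "site-b"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.10
        set proposal aes256-sha256
        set dhgrp 14
        # Carry ESP inside UDP 4500 when a NAT is detected, so ESP-unaware devices on the path see plain UDP
        set nattraversal enable
        # NAT-T keepalive interval in seconds (10-900). 10 s keeps the UDP 4500 translation alive
        # even behind NATs with short idle timers
        set keepalive 10
        set dpd on-idle
        set dpd-retryinterval 20
        set dpd-retrycount 3
        set psksecret "replace-with-a-strong-psk"
    next
end

config vpn ipsec phase2-interface
    edit "site-b-p2"
        set phase1name "site-b"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        # Bring the SA up without waiting for user traffic and renegotiate it before it expires
        set auto-negotiate enable
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.0.0
    next
end
```

The phase1 keepalive value is the NAT-T keepalive timer and is unrelated to the phase2 keepalive option shown earlier: the former keeps the NAT translation for UDP 4500 alive, the latter keeps the IPsec SA from sitting idle. Whether NAT was detected on a given tunnel is visible in diagnose vpn ike gateway list name site-b.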

 

Rekey Operations.

IPSec tunnels have security associations (SAs) with limited lifetimes. When these lifetimes expire, the tunnel must perform a rekey operation to establish new SAs.

 

Two primary rekey methods exist:

  1. Soft rekey: New SAs are established before the old ones expire, allowing for a seamless transition.
  2. Hard rekey: Old SAs are deleted before new ones are established, causing a brief disconnection.

 

Over the years, software defects and design shortcomings in various vendors' IPsec implementations, FortiClient included, have prevented correct rekeying; these were later fixed. Typical examples are:

  • Tearing the tunnel down before the rekey instead of after the new SA is in place, causing a momentary disconnection.
  • Using incorrect parameters in the rekey messages, such as the wrong Message ID.
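An added, illustrative example (not from the article) of the lifetime settings that determine when rekeys happen, followed by the check that shows whether a rekey was clean. The tunnel names are assumptions; the option names are the standard phase1-interface and phase2-interface lifetime settings.

```fortios
# Phase1: IKE SA lifetime in seconds (default 86400). Use the same value on both peers so that
# rekeys are initiated predictably rather than by whichever side happens to expire first.
config vpn ipsec phase1-interface
    edit "site-b"
        set ike-version 2
        set keylife 28800
    next
end

# Phase2: IPsec SA lifetime (default 43200 s). auto-negotiate makes this FortiGate negotiate the
# replacement SA before the old one expires, i.e. the soft-rekey path described above.
config vpn ipsec phase2-interface
    edit "site-b-p2"
        set phase1name "site-b"
        set keylife-type seconds
        set keylifeseconds 3600
        set auto-negotiate enable
    next
end

# After a rekey the gateway should still be up and the SA should show a fresh expire= counter
# (seconds remaining); a gap with no SA listed means the old SA was deleted before the new one existed.
diagnose vpn ike gateway list name site-b
diagnose vpn tunnel list name site-b
```

If the disconnects line up with the phase2 lifetime (for example every hour with the values above), the rekey is the trigger; if they line up with the phase1 lifetime, look at the IKE SA rekey instead.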

 

To troubleshoot these issues, capture the IKE traffic between the peers (UDP 500/4500) with a sniffer and decrypt it so that the rekey exchange itself (CREATE_CHILD_SA for IKEv2, Quick Mode for IKEv1) and its Message IDs can be inspected. The following article describes the decryption technique in more detail.

Technical Tip: How to decrypt IPSec Phase-2 (ISAKMP) packets IKEv2

 

Hardware Offloading Issues.

Modern FortiGate devices use specialized hardware (NPU, Network Processing Units) to accelerate IPsec traffic processing. While this generally improves performance, it can sometimes cause issues with specific traffic patterns or when combined with other features.

To determine whether NPU offloading is causing disconnection issues, temporarily disable it for the problematic tunnel. The tunnel's encryption and decryption then run on the CPU, so expect higher CPU usage and lower throughput during the test, and re-enable offloading once the test is complete:

 

config vpn ipsec phase1-interface
    edit "tunnel-name"
        set npu-offload disable
    next
end

 

Systematic Troubleshooting Methodology.

Troubleshooting intermittent disconnections requires a methodical approach:

 

  1. Identify the disconnection pattern.
    • Are disconnections happening at regular intervals? This suggests a timeout or rekey issue.
    • Do the disconnects occur only during periods of inactivity? This suggests a DPD or keepalive issue.
    • Do the disconnects affect all users or just those on specific networks? This suggests a path or ISP issue.
    • Do the disconnects correlate with specific actions or times of day? This suggests traffic-related triggers.
  2. Collect and analyze diagnostic information.
  3. Apply targeted fixes.
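The following command sequence is an added example of collecting diagnostics for one tunnel and is not part of the article. The tunnel name "site-b" and the peer address 203.0.113.10 are assumptions, and the IKE log filter keyword differs between FortiOS releases, so confirm it with diagnose vpn ike log filter ? on the unit.

```fortios
# 1. State of the IKE SA: up/down, negotiated DPD mode and timers, whether NAT-T was detected
diagnose vpn ike gateway list name site-b

# 2. State of the phase2 SAs: the expire= values show when the next rekey is due,
#    which can be correlated with the timestamps of the disconnects
diagnose vpn tunnel list name site-b

# 3. IKE debug restricted to one peer (7.0/7.2 use dst-addr4; 6.x uses the older
#    'diagnose vpn ike log-filter dst-addr4'; newer releases may use rem-addr4)
diagnose vpn ike log filter dst-addr4 203.0.113.10
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug enable

# ... reproduce or wait for the disconnect, then stop and clear the debug:
diagnose debug disable
diagnose debug reset
diagnose vpn ike log filter clear

# 4. On-the-wire check: are IKE and ESP packets from the peer actually arriving during the outage?
#    Verbosity 4 prints interface names, 0 sets no packet limit, l adds local timestamps
diagnose sniffer packet any "host 203.0.113.10 and (udp port 500 or udp port 4500 or proto 50)" 4 0 l
```

Read the IKE debug for the event immediately before the tunnel drops: DPD retries with no reply point at the path or the peer, a DELETE received from the peer means the far side chose to tear the tunnel down (check its logs), and a rekey that ends in an error or in a new SA the peer then rejects points at the rekey handling described above.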