mda
New Contributor

[6.0.6] dpd-retrycount option missing

Hi All,

 

I have configured a redundant site to site IPSEC VPN between 2 FGT E units, both running 6.0.6.

 

Basically, setup is as follows:

 

Tunnel 1 - Site A ISP1 to Site B ISP1

Tunnel 2 - Site A ISP2 to site B ISP1

 

To allow failover, administrative distance is set to 10 for each static route, and a priority is set to allow for an organized prioritization of tunnels.

 

When this was originally set up in FortiOS 5.4, I used the following commands to customize the failover settings:

 

dpd-retrycount 3

dpd-retryinterval 3

 

REFERENCE ONLY: Please see this forum post made back in 2017 that helped me with that issue (thanks to neonbit and Mike for all the help - settings pretty much working up until today!)

 

However, when trying to set up a new site, using the command

dpd-retrycount 3

will not error out but it will not show up in the configuration. Furthermore, the failover does not work properly unless I purposely add

dpd on-idle

(which is supposedly a default setting).

dpd-retryinterval seems to be added to the config properly, however.

 

What should I be doing now to get back dpd retrycount? Or is there a new command that has superseded this?

 

Thank you!

Fortigate 60E (5.4.4)

Fortigate 50E (5.4.4)

1 Solution
Toshi_Esumi
Esteemed Contributor III

Those retry values are default. That's why you don't see in "show" command. Try below:

xxxx-fg1 (phase1-int-name) # show full | grep retry
        set dpd-retrycount 3
        set dpd-retryinterval 30

By default, at least with 6.0 and 5.6, the dpd mode setting is "on-demand". Based on the explanation in the CLI reference below:

https://help.fortinet.com/cli/fos60hlp/60/index.htm#FortiOS/fortiOS-cli-ref/config/vpn/ipsec%20phase...

disable     Disable Dead Peer Detection.
on-idle     Trigger Dead Peer Detection when IPsec is idle.
on-demand   Trigger Dead Peer Detection when IPsec traffic is sent but no reply is received from the peer.

I interpreted "on-demand" as not sending DPD messages when no outgoing traffic exists. Because of this we always set "on-idle" for every IPSec set-up.

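The point of the accepted answer is that FortiOS "show" hides values equal to the firmware defaults, so a phase1-interface with no DPD lines is still running DPD in on-demand mode. The script below is an added example (not from the thread or from Fortinet): it parses a constructed phase1-interface dump, fills in the defaults quoted above (dpd-retrycount 3, dpd-retryinterval 30, dpd on-demand) and flags tunnels whose effective mode is on-demand, which the answer says never probes an idle peer. The sample config and the assumption that these defaults hold for every tunnel on the audited firmware are mine.

```python
# Added example (not from the thread or Fortinet): FortiOS `show` omits values that
# equal the defaults, so a tunnel with no DPD lines is still running DPD. This audit
# fills in the defaults quoted in the thread and flags on-demand tunnels.
import re

# Defaults from `show full | grep retry` and the CLI reference quoted in the thread.
# Assumption: they apply to every phase1-interface on the audited firmware.
DPD_DEFAULTS = {"dpd": "on-demand", "dpd-retrycount": "3", "dpd-retryinterval": "30"}

# Constructed sample resembling `show vpn ipsec phase1-interface` (not real output).
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "site-b-isp1"
        set dpd on-idle
        set dpd-retryinterval 3
    next
    edit "site-b-isp2"
        set dpd-retryinterval 3
    next
end
"""

def parse_phase1(text):
    """Return {tunnel_name: {key: value}} for every `edit ... next` block."""
    tunnels = {}
    for name, body in re.findall(r'edit "([^"]+)"(.*?)\n\s*next', text, re.S):
        tunnels[name] = {k: v.strip('"') for k, v in
                         re.findall(r'^\s*set (\S+) (.+?)\s*$', body, re.M)}
    return tunnels

def effective_dpd(settings):
    """Merge explicit settings over the defaults that `show` leaves out."""
    return {k: settings.get(k, v) for k, v in DPD_DEFAULTS.items()}

def audit(text):
    """Map each tunnel to its effective DPD settings and any failover warnings."""
    report = {}
    for name, settings in parse_phase1(text).items():
        dpd = effective_dpd(settings)
        warnings = []
        if dpd["dpd"] == "on-demand":
            warnings.append("on-demand: idle peer is never probed, failover may stall")
        elif dpd["dpd"] == "disable":
            warnings.append("DPD disabled: dead peer will not be detected")
        report[name] = {"effective": dpd, "warnings": warnings}
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Run it against a real `show vpn ipsec phase1-interface` capture to list which redundant tunnels are still on the on-demand default.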

mda

Thank you for the info! I knew I just read somewhere that on-idle was default :|

 

Yes, I can confirm - set retrycount to 2 and the number changed.

 

I just didn't bother trying this since an old config listed the dpd-retrycount to 3 and was clearly shown in the 'show'.

 

Thanks again Toshi!

Fortigate 60E (5.4.4)

Fortigate 50E (5.4.4)
