Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Pierluigi
New Contributor

IPsec DPD failure on IPSEC VPN

Hello.

I would like some help with the "famous" DPD_failure on IPSEC VPN.

 

I have 2 FortiGate firewalls: one in Italy (IT) and one in Germany (DE).

In Italy I have 2 HDSL internet interfaces.

In Germany (DE) I also have 2 internet interfaces, but while one is an HDSL, the other one is an ADSL with a public IP.

So we have 4 IPSEC VPNs configured.

Only one is up and running (the others are ready in case the first one has a problem).

 

Every day I receive many IPsec DPD failure messages like:

 

Message meets Alert condition

date=2017-03-03 time=15:52:31 devname=PSE-GERMANY devid=FGT60C3G11037662 logid=0101037136 type=event subtype=vpn level=error msg="IPsec DPD failure" action=dpd remip=81.174.28.218 locip=10.1.2.2 remport=4500 locport=4500 outintf="wan2" cookies="...........c12..." user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" vpntunnel="DE1_IT2_PH1" status=dpd_failure

 

As you can see below, most of the messages are for one session (81.174.28.218 in Italy with 10.1.2.2 in Germany).

10.1.2.2 is in Germany (the ADSL, which has the public IP 217.92.59.71).

81.174.28.218 is a NEW HDSL here in Italy that I have just implemented these days.

 

How can I tell if I have a problem with my new HDSL here in Italy?

Or could the problem be related to the ADSL in Germany?

Why do the other 3 sessions seem to have few DPD problems?

 

Many thanks in advance for your help.

Pierluigi 

 

Here is the sequence of the messages:

  

 

 

 

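An added example, not from this thread or from Fortinet: a small Python script that parses FortiGate key=value event lines like the one quoted above, keeps only the records with status=dpd_failure, and labels each tunnel's failure pattern. A tunnel whose failures land on several days but always in the same hour of day is labelled "periodic" (the shape a scheduled daily line reconnect would leave), one with many failures spread across the day is labelled "unstable", and everything else "occasional". The tunnel name DE1_IT2_PH1, the pair 81.174.28.218/10.1.2.2, devname and logid come from the quoted log; the other tunnel names, the 198.51.100.x/203.0.113.x addresses, the devid placeholder and all timestamps are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# FortiGate event logs are space-separated key=value pairs; values that
# contain spaces are double-quoted (e.g. msg="IPsec DPD failure").
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_log(line):
    """Return the key=value pairs of one FortiGate log line as a dict."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def dpd_failure_events(lines):
    """Keep only IPsec DPD failure records as (timestamp, tunnel, remip, locip)."""
    events = []
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get("subtype") != "vpn" or rec.get("status") != "dpd_failure":
            continue
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, rec["vpntunnel"], rec["remip"], rec["locip"]))
    return events


def classify_tunnels(events, max_per_day=2):
    """Group DPD failures per (tunnel, remip, locip) and label the pattern.

    periodic   : failures on >= 2 days, always in the same hour of day
                 (consistent with a scheduled daily reconnect of the line)
    unstable   : more than max_per_day failures per observed day, spread
                 over the day (suggests a flapping link or a lossy path)
    occasional : anything else
    """
    by_tunnel = defaultdict(list)
    for ts, tunnel, remip, locip in events:
        by_tunnel[(tunnel, remip, locip)].append(ts)

    report = {}
    for key, stamps in by_tunnel.items():
        days = {ts.date() for ts in stamps}
        hours = {ts.hour for ts in stamps}
        per_day = len(stamps) / len(days)
        if len(days) >= 2 and len(hours) == 1:
            label = "periodic"
        elif per_day > max_per_day:
            label = "unstable"
        else:
            label = "occasional"
        report[key] = {"count": len(stamps), "days": len(days),
                       "per_day": per_day, "label": label}
    return report


def _dpd_line(date, time, tunnel, remip, locip):
    """Constructed sample line modelled on the format quoted in the thread."""
    return (f'date={date} time={time} devname=PSE-GERMANY devid=FGT-PLACEHOLDER '
            f'logid=0101037136 type=event subtype=vpn level=error '
            f'msg="IPsec DPD failure" action=dpd remip={remip} locip={locip} '
            f'remport=4500 locport=4500 outintf="wan2" user="N/A" group="N/A" '
            f'vpntunnel="{tunnel}" status=dpd_failure')


# Constructed sample log. Only DE1_IT2_PH1 and its addresses are from the thread.
SAMPLE_LOGS = [
    # the tunnel the thread is about: failures at random times, several per day
    _dpd_line("2017-03-03", "08:10:02", "DE1_IT2_PH1", "81.174.28.218", "10.1.2.2"),
    _dpd_line("2017-03-03", "11:42:55", "DE1_IT2_PH1", "81.174.28.218", "10.1.2.2"),
    _dpd_line("2017-03-03", "15:52:31", "DE1_IT2_PH1", "81.174.28.218", "10.1.2.2"),
    _dpd_line("2017-03-03", "19:05:10", "DE1_IT2_PH1", "81.174.28.218", "10.1.2.2"),
    _dpd_line("2017-03-04", "07:30:47", "DE1_IT2_PH1", "81.174.28.218", "10.1.2.2"),
    _dpd_line("2017-03-04", "13:15:08", "DE1_IT2_PH1", "81.174.28.218", "10.1.2.2"),
    _dpd_line("2017-03-04", "21:48:19", "DE1_IT2_PH1", "81.174.28.218", "10.1.2.2"),
    # hypothetical tunnel: exactly one failure per night at the same hour
    _dpd_line("2017-03-03", "03:04:11", "DE1_IT1_PH1", "198.51.100.10", "203.0.113.20"),
    _dpd_line("2017-03-04", "03:05:02", "DE1_IT1_PH1", "198.51.100.10", "203.0.113.20"),
    _dpd_line("2017-03-05", "03:06:40", "DE1_IT1_PH1", "198.51.100.10", "203.0.113.20"),
    # hypothetical tunnel: a single failure
    _dpd_line("2017-03-04", "12:00:00", "DE2_IT1_PH1", "198.51.100.11", "203.0.113.20"),
    # a non-DPD VPN event that the filter must skip (logid is a placeholder)
    'date=2017-03-03 time=15:52:40 devname=PSE-GERMANY devid=FGT-PLACEHOLDER '
    'logid=PLACEHOLDER type=event subtype=vpn level=notice msg="negotiate IPsec phase 1" '
    'action=negotiate remip=81.174.28.218 locip=10.1.2.2 vpntunnel="DE1_IT2_PH1" status=success',
]


if __name__ == "__main__":
    for (tunnel, remip, locip), info in classify_tunnels(dpd_failure_events(SAMPLE_LOGS)).items():
        print(f"{tunnel:12} {remip:>15} -> {locip:<12} "
              f"{info['count']:3d} failures over {info['days']} day(s): {info['label']}")
```

Feed it the real event log exported from the FortiGate (one line per record) instead of SAMPLE_LOGS; a tunnel that comes out "periodic" with its hour matching the ISP's daily reconnect is behaving as the reply below describes, while an "unstable" tunnel points at the link or path itself.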
3 REPLIES 3
ede_pfau
Esteemed Contributor III

Hi,

 

ADSL lines in Germany are brought down once every 24 hours on purpose, at least with German Telekom. As ADSL is targeted and marketed as a broadband medium for private persons, this is meant to defeat the use of these lines for servers - the customer will be assigned a new public IP every 24 hours.

 

So your logs only show that the VPN was established between an ADSL line and an HDSL line (without forced disconnections). If you set up all parameters correctly, the tunnel will be reestablished within seconds.

 

To make your VPNs fully and automatically redundant, you may already have set the 'monitor-phase1' parameter in the backup VPN setup. Given the name of the main VPN, FortiOS will monitor it for failures and yank the backup VPN up in that case.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Pierluigi

Hi Ede,

Thanks for your help.

 

I didn't know that in Germany they bring the VPN down on purpose. That's OK, no problem.

I know that one of the interfaces is an ADSL and this kind of line is not well suited for business (but this is just a backup of the HDSL line we have in Germany, and for this ADSL we have a STATIC public IP assigned, so no problem about IP changes).

You are right, the VPN is re-established within seconds.

And to make our VPNs fully and automatically redundant we are using different "Distance" values in the Static Routes configuration (and it is working well).

 

Now:

This VPN between 81.174.28.218 (one of the 2 HDSLs in Italy) and 10.1.2.2 (the Germany ADSL that has the public STATIC IP 217.92.59.71) is just the 4th IPSEC VPN we have and the least important.

In fact, we are going to use this only in case the other 3 have a problem.

 

And my little problem arises here.

Why, in the other 3 IPSEC VPNs, don't I see so many "IPsec DPD failure" messages?

I was thinking that maybe it is the new HDSL we just installed here in Italy that has some problems...

but at the same time this new HDSL (81.174.28.218) has 2 VPNs:

81.174.28.218 --- VPN --- HDSL Germany (193.158.81.250)

81.174.28.218 --- VPN --- ADSL Germany (Static Public IP 217.92.59.71, which is the 10.1.2.2 interface IP)

and only this last one has so many "IPsec DPD failure" messages.

 

What do you think?

Pierluigi

 

Armando_Gomez_Barrio

Hi,

 

Did you manage to solve the problem of "ipsec dpd failure"?

 

I have the same problem.

 

Regards,