Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mda
New Contributor

Created on ‎11-20-2019 08:50 PM

[6.0.6] dpd-retrycount option missing

Hi All,

 

I have configured a redundant site to site IPSEC VPN between 2 FGT E units, both running 6.0.6.

 

Basically, setup is as follows:

 

Tunnel 1 - Site A ISP1 to Site B ISP1

Tunnel 2 - Site A ISP2 to site B ISP1

 

To allow failover, administrative distance is set to 10 for each static route, and a priority is set to allow for an organized prioritization of tunnels.

 

When this was originally set up in FortiOS 5.4, I used the following commands to customize the failover settings:

 

dpd-retrycount 3

dpd-retryinterval 3

 

REFERENCE ONLY: Please see this forum post made back in 2017 that helped me with that issue (thanks to neonbit and Mike for all the help - settings pretty much working up until today!)

 

However, when trying to set up a new site, using the command

dpd-retrycount 3

will not error out but it will not show up in the configuration. Furthermore, the failover does not work properly unless I purposely add

dpd on-idle

(which is supposedly a default setting).

dpd-retryinterval seems to be added to the config properly, however.

 

What should I be doing now to get back dpd retrycount? Or is there a new command that has superseded this?

 

Thank you!

Fortigate 60E (5.4.4)

Fortigate 50E (5.4.4)

Fortigate 60E (5.4.4) Fortigate 50E (5.4.4)
Labels:
3107
0 Kudos
1 Solution
Toshi_Esumi
SuperUser
SuperUser

Created on ‎11-21-2019 12:24 AM

Those retry values are default. That's why you don't see in "show" command. Try below:

xxxx-fg1 (phase1-int-name) # show full | grep retry         set dpd-retrycount 3         set dpd-retryinterval 30 By default, at least with 6.0 and 5.6, dpd mode setting is "on-demand". Based on the explaination in CLI reference below:

https://help.fortinet.com/cli/fos60hlp/60/index.htm#FortiOS/fortiOS-cli-ref/config/vpn/ipsec%20phase...

                disable    Disable Dead Peer Detection.
                on-idle    Trigger Dead Peer Detection when IPsec is idle.
                on-demand  Trigger Dead Peer Detection when IPsec traffic is sent but no reply is received from the peer.

I interpreted "on-demand" wouldn't send dpd message when no outgoing traffic exists. Because of this we always set "on-idel" for every IPSec set-up.

View solution in original post

2101
0 Kudos
2 REPLIES 2
Toshi_Esumi
SuperUser
SuperUser

Created on ‎11-21-2019 12:24 AM

Those retry values are default. That's why you don't see in "show" command. Try below:

xxxx-fg1 (phase1-int-name) # show full | grep retry         set dpd-retrycount 3         set dpd-retryinterval 30 By default, at least with 6.0 and 5.6, dpd mode setting is "on-demand". Based on the explaination in CLI reference below:

https://help.fortinet.com/cli/fos60hlp/60/index.htm#FortiOS/fortiOS-cli-ref/config/vpn/ipsec%20phase...

                disable    Disable Dead Peer Detection.
                on-idle    Trigger Dead Peer Detection when IPsec is idle.
                on-demand  Trigger Dead Peer Detection when IPsec traffic is sent but no reply is received from the peer.

I interpreted "on-demand" wouldn't send dpd message when no outgoing traffic exists. Because of this we always set "on-idel" for every IPSec set-up.
2102
0 Kudos
mda
New Contributor
In response to Toshi_Esumi

Created on ‎11-21-2019 01:11 AM

Thank you for the info! I knew I just read somewhere that on-idle was default :|

 

Yes, I can confirm - set retrycount to 2 and the number changed.

 

I just didn't bother trying this since an old config listed the dpd-retrycount to 3 and was clearly shown in the 'show'.

 

Thanks again Toshi!

Fortigate 60E (5.4.4)

Fortigate 50E (5.4.4)

Fortigate 60E (5.4.4) Fortigate 50E (5.4.4)
2052
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.