Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AP113BY
New Contributor

DPD Failures on IpSec VPN

Hi

In summary, somewhere between every 45 minutes and every 3 hours, every single IPsec VPN tunnel gets torn down with a DPD error. I have included an example log below.

General
  Absolute Date/Time: 2026-01-04
  Last Access Time: 14:45:21
  VDOM: root
  Log Description: IPsec DPD failed
Source
  Local IP: XXXX
  FortiClient ID: 7D7A0CD5D9574D5AB509F5519F68B9F8
  User: XXXX
  Group: N/A
  XAUTH User: XXXXX
  XAUTH Group: FortiClient Users
Action
  Action: dpd
  Status: dpd_failure
Security
  Level: Error
Event
  Assigned IP: XXXXX
  Cookies: c7e291824a726956/c9f2b20f46158b9f
  Local Port: 4500
  Outgoing Interface: wan1
  Remote IP: XXXXXX
  Remote Port: 64917
  VPN Tunnel: Forticlient VPN_0
  Message: IPsec DPD failure
Other
  Log event original timestamp (µs): 1767537921187226000
  eventtime_raw_value: 1767537921187226120
  Log ID: 0101037136
  Type: event
  Sub Type: vpn
  Alternate User: N/A
  ADVPN Shortcut: 0


Below is my current configuration for the IPsec VPN.

 

Phase 1:

config vpn ipsec phase1-interface
    edit "Forticlient VPN"
        set type dynamic
        set interface "wan1"
        set ip-version 4
        set ike-version 1
        set local-gw 0.0.0.0
        set keylife 86400
        set authmethod psk
        set mode aggressive
        set peertype any
        set monitor-min 0
        set net-device disable
        set exchange-interface-ip disable
        set aggregate-member disable
        set packet-redistribution disable
        set mode-cfg enable
        set ipv4-wins-server1 0.0.0.0
        set ipv4-wins-server2 0.0.0.0
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route enable
        set localid ''
        set localid-type auto
        set negotiate-timeout 30
        set fragmentation enable
        set ip-fragmentation post-encapsulation
        set dpd on-idle
        set comments "VPN: Forticlient VPN (Created by VPN wizard)"
        set npu-offload enable
        set dhgrp 5 14 20
        set suite-b disable
        set wizard-type dialup-forticlient
        set xauthtype auto
        set reauth disable
        set authusrgrp "FortiClient Users"
        set idle-timeout disable
        set ha-sync-esp-seqno enable
        set fgsp-sync disable
        set inbound-dscp-copy disable
        set auto-discovery-sender disable
        set auto-discovery-receiver disable
        set auto-discovery-forwarder disable
        set encapsulation none
        set nattraversal enable
        set rekey enable
        set enforce-unique-id disable
        set fec-egress disable
        set fec-ingress disable
        set link-cost 0
        set exchange-fgt-device-id disable
        set ems-sn-check disable
        set qkd disable
        set default-gw 0.0.0.0
        set default-gw-priority 0
        set assign-ip enable
        set assign-ip-from range
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.254
        set ipv4-netmask 255.255.255.255
        set dns-mode auto
        set ipv4-split-include "FortiClient VPN_split"
        set split-include-service ''
        set ipv6-start-ip ::
        set ipv6-end-ip ::
        set ipv6-prefix 128
        set ipv6-split-include ''
        set ip-delay-interval 0
        set unity-support enable
        set domain ''
        set banner ''
        set include-local-lan disable
        set ipv4-split-exclude ''
        set ipv6-split-exclude ''
        set save-password enable
        set client-auto-negotiate disable
        set client-keep-alive disable
        set psksecret xxxxxx
        set keepalive 10
        set distance 15
        set priority 1
        set dpd-retrycount 5
        set dpd-retryinterval 20
    next
end

 

Phase 2:

config vpn ipsec phase2-interface
    edit "Forticlient VPN"
        set phase1name "Forticlient VPN"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set pfs enable
        set dhgrp 5 14 20
        set replay enable
        set keepalive enable
        set add-route phase1
        set inbound-dscp-copy phase1
        set auto-discovery-sender phase1
        set auto-discovery-forwarder phase1
        set keylife-type seconds
        set single-source disable
        set route-overlap use-new
        set encapsulation tunnel-mode
        set comments "VPN: Forticlient VPN (Created by VPN wizard)"
        set diffserv disable
        set protocol 0
        set src-addr-type subnet
        set src-port 0
        set dst-addr-type subnet
        set dst-port 0
        set keylifeseconds 43200
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

 

FortiGate Firmware Version: v7.6.5

FortiClient Version: 7.4.3.1790

 

FortiClient Configuration

[Two screenshots of the FortiClient configuration, dated 2026-01-04, not reproduced in the text]


If anyone has any advice, or notices any misconfigurations in the configs provided, please let me know.

Thanks.

1 REPLY
Daniel__
New Contributor III

It is very possible that the client is not really responding to your DPD messages, and thus the FortiGate tears down the connection as it is not getting a response.

Often this is because the client is in a low-power state, behind a NAT that drops UDP 4500, or the client's own DPD settings are different.

Try:

config vpn ipsec phase1-interface
    edit "Forticlient VPN"
        set dpd on-demand # <- change from on-idle
        set dpd-retrycount 10
        set dpd-retryinterval 30
        set keepalive 30 # optional, but helps keep the tunnel alive
    next
end
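To make the reply's suggestion measurable, here is an added example (not the poster's configuration or Fortinet code) that parses FortiOS `config/edit/set` blocks, works out the approximate worst-case time each DPD setting allows before a silent peer is torn down, and then groups `dpd_failure` events per tunnel to show how long each rebuilt tunnel survived. The log lines are constructed in a FortiOS-style `key=value` shape using the field names from the event in the post; the exact wire format and the simple "retrycount times retryinterval" timing model are assumptions, not documented behaviour.

```python
"""Audit DPD settings in FortiOS phase1-interface blocks and measure how often
DPD failures recur per tunnel. Added example; not Fortinet or the poster's code."""
import re
import shlex
from datetime import datetime

# DPD-related settings copied from the post and from the reply's proposal.
ORIGINAL_PHASE1 = """
config vpn ipsec phase1-interface
    edit "Forticlient VPN"
        set dpd on-idle
        set keepalive 10
        set dpd-retrycount 5
        set dpd-retryinterval 20
    next
end
"""

PROPOSED_PHASE1 = """
config vpn ipsec phase1-interface
    edit "Forticlient VPN"
        set dpd on-demand # <- change from on-idle
        set dpd-retrycount 10
        set dpd-retryinterval 30
        set keepalive 30 # optional
    next
end
"""

# Constructed sample events in key=value syslog shape (assumed format; field
# names follow the GUI log view in the post, logid taken from that event).
SAMPLE_LOG = """\
date=2026-01-04 time=12:01:10 logid="0101037136" type="event" subtype="vpn" level="error" vd="root" logdesc="IPsec DPD failed" action="dpd" status="dpd_failure" vpntunnel="Forticlient VPN_0" remport=64917 msg="IPsec DPD failure"
date=2026-01-04 time=12:02:05 type="event" subtype="vpn" level="notice" vd="root" logdesc="constructed non-DPD event" action="negotiate" status="success" vpntunnel="Forticlient VPN_0"
date=2026-01-04 time=13:20:40 logid="0101037136" type="event" subtype="vpn" level="error" vd="root" logdesc="IPsec DPD failed" action="dpd" status="dpd_failure" vpntunnel="Forticlient VPN_0" remport=64917 msg="IPsec DPD failure"
date=2026-01-04 time=13:30:00 logid="0101037136" type="event" subtype="vpn" level="error" vd="root" logdesc="IPsec DPD failed" action="dpd" status="dpd_failure" vpntunnel="Forticlient VPN_1" remport=51000 msg="IPsec DPD failure"
date=2026-01-04 time=14:45:21 logid="0101037136" type="event" subtype="vpn" level="error" vd="root" logdesc="IPsec DPD failed" action="dpd" status="dpd_failure" vpntunnel="Forticlient VPN_0" remport=64917 msg="IPsec DPD failure"
"""


def parse_fortios_config(text):
    """Parse config/edit/set/next/end blocks into {table: {entry: {key: [values]}}}."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        words = shlex.split(raw.split(" #", 1)[0])  # drop trailing '# ...' annotations
        if not words:
            continue
        kw, args = words[0], words[1:]
        if kw == "config":
            table = " ".join(args)
            tables.setdefault(table, {})
        elif kw == "edit":
            entry = args[0]
            tables[table].setdefault(entry, {})
        elif kw == "set":
            tables[table][entry][args[0]] = args[1:]
        elif kw == "next":
            entry = None
        elif kw == "end":
            table = None
    return tables


def dpd_profile(text, entry="Forticlient VPN"):
    """Return the DPD mode, keepalive and an approximate worst-case time until
    teardown. Timing model (assumption): retrycount unanswered probes sent
    retryinterval seconds apart before the peer is declared dead."""
    p1 = parse_fortios_config(text)["vpn ipsec phase1-interface"][entry]
    retries = int(p1["dpd-retrycount"][0])
    interval = int(p1["dpd-retryinterval"][0])
    return {
        "mode": p1["dpd"][0],
        "keepalive": int(p1["keepalive"][0]),
        "teardown_after_s": retries * interval,
    }


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log_line(line):
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def dpd_failure_gaps(log_text):
    """Group dpd_failure events per tunnel and return the seconds between
    consecutive failures, i.e. how long each rebuilt tunnel stayed up."""
    times = {}
    for line in log_text.splitlines():
        ev = parse_log_line(line)
        if ev.get("action") != "dpd" or ev.get("status") != "dpd_failure":
            continue
        ts = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
        times.setdefault(ev["vpntunnel"], []).append(ts)
    return {
        tunnel: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
        for tunnel, ts in times.items()
    }


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_PHASE1), ("proposed", PROPOSED_PHASE1)):
        print(label, dpd_profile(cfg))
    print(dpd_failure_gaps(SAMPLE_LOG))
```

Run against the two snippets, the poster's settings give a silent client roughly 100 seconds before teardown, while the reply's settings stretch that to about 300 seconds and only probe when traffic is waiting; the gap list makes it obvious whether the recurrence really sits in the 45-minute-to-3-hour band or clusters at a fixed interval such as a rekey.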