AP113BY
New Contributor

DPD IpSec Failures on Forticlient VPN

For some reason my last post got flagged as "spam" so here it is again.

 

DPD Failures on IpSec VPN

Hi

 

In summary, somewhere between every 45 minutes and every 3 hours, every single IPsec VPN tunnel gets torn down with a DPD error. I have included an example log below.

 

General
  Absolute Date/Time: 2026-01-04
  Last Access Time: 14:45:21
  VDOM: root
  Log Description: IPsec DPD failed
Source
  Local IP: XXXX
  FortiClient ID: 7D7A0CD5D9574D5AB509F5519F68B9F8
  User: XXXX
  Group: N/A
  XAUTH User: XXXXX
  XAUTH Group: FortiClient Users
Action
  Action: dpd
  Status: dpd_failure
Security
  Level: Error
Event
  Assigned IP: XXXXX
  Cookies: c7e291824a726956/c9f2b20f46158b9f
  Local Port: 4500
  Outgoing Interface: wan1
  Remote IP: XXXXXX
  Remote Port: 64917
  VPN Tunnel: Forticlient VPN_0
  Message: IPsec DPD failure
Other
  Log event original timestamp (µs): 1767537921187226000
  eventtime_raw_value: 1767537921187226120
  Log ID: 0101037136
  Type: event
  Sub Type: vpn
  Alternate User: N/A
  ADVPN Shortcut: 0

 

Below is my current configuration for IPsec VPN

 

Phase 1:

config vpn ipsec phase1-interface
edit "Forticlient VPN"
set type dynamic
set interface "wan1"
set ip-version 4
set ike-version 1
set local-gw 0.0.0.0
set keylife 86400
set authmethod psk
set mode aggressive
set peertype any
set monitor-min 0
set net-device disable
set exchange-interface-ip disable
set aggregate-member disable
set packet-redistribution disable
set mode-cfg enable
set ipv4-wins-server1 0.0.0.0
set ipv4-wins-server2 0.0.0.0
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set add-route enable
set localid ''
set localid-type auto
set negotiate-timeout 30
set fragmentation enable
set ip-fragmentation post-encapsulation
set dpd on-idle
set comments "VPN: Forticlient VPN (Created by VPN wizard)"
set npu-offload enable
set dhgrp 5 14 20
set suite-b disable
set wizard-type dialup-forticlient
set xauthtype auto
set reauth disable
set authusrgrp "FortiClient Users"
set idle-timeout disable
set ha-sync-esp-seqno enable
set fgsp-sync disable
set inbound-dscp-copy disable
set auto-discovery-sender disable
set auto-discovery-receiver disable
set auto-discovery-forwarder disable
set encapsulation none
set nattraversal enable
set rekey enable
set enforce-unique-id disable
set fec-egress disable
set fec-ingress disable
set link-cost 0
set exchange-fgt-device-id disable
set ems-sn-check disable
set qkd disable
set default-gw 0.0.0.0
set default-gw-priority 0
set assign-ip enable
set assign-ip-from range
set ipv4-start-ip 10.10.10.1
set ipv4-end-ip 10.10.10.254
set ipv4-netmask 255.255.255.255
set dns-mode auto
set ipv4-split-include "FortiClient VPN_split"
set split-include-service ''
set ipv6-start-ip ::
set ipv6-end-ip ::
set ipv6-prefix 128
set ipv6-split-include ''
set ip-delay-interval 0
set unity-support enable
set domain ''
set banner ''
set include-local-lan disable
set ipv4-split-exclude ''
set ipv6-split-exclude ''
set save-password enable
set client-auto-negotiate disable
set client-keep-alive disable
set psksecret xxxxxx
set keepalive 10
set distance 15
set priority 1
set dpd-retrycount 5
set dpd-retryinterval 20
next
end

 

Phase 2:

config vpn ipsec phase2-interface
edit "Forticlient VPN"
set phase1name "Forticlient VPN"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set pfs enable
set dhgrp 5 14 20
set replay enable
set keepalive enable
set add-route phase1
set inbound-dscp-copy phase1
set auto-discovery-sender phase1
set auto-discovery-forwarder phase1
set keylife-type seconds
set single-source disable
set route-overlap use-new
set encapsulation tunnel-mode
set comments "VPN: Forticlient VPN (Created by VPN wizard)"
set diffserv disable
set protocol 0
set src-addr-type subnet
set src-port 0
set dst-addr-type subnet
set dst-port 0
set keylifeseconds 43200
set src-subnet 0.0.0.0 0.0.0.0
set dst-subnet 0.0.0.0 0.0.0.0
next
end

 

Fortigate Firmware Version: v7.6.5

Forticlient Version: 7.4.3.1790

 

Forticlient Configuration

[Screenshots: Screenshot 2026-01-04 154301.png, Screenshot 2026-01-04 154336.png]

4 REPLIES
Jean-Philippe_P
Community Manager

Hello AP113BY, 

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

Regards,
Jean-Philippe - Fortinet Community Team
Jean-Philippe_P
Community Manager

Hello,

 

We are still looking for an answer to your question.

 

We will come back to you ASAP.

Regards,
Jean-Philippe - Fortinet Community Team
AP113BY

Thanks!

 

I have worked around this temporarily by disabling DPD on Phase 1 and PFS on Phase 2.

 

I have also made some config updates to only accept DH Group 14 with the Authentication all changed to SHA256 on both phases on both my 80F and the FortiClient applications.

 

Appreciate this may not be entirely best practice but open to config suggestions. I'm planning an IKE change over to V2 within the coming weeks.
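
The trade-offs of the workaround in the post above, as an added example that is not part of the thread: a small check over FortiGate `set` lines that notes what disabling DPD and PFS gives up and what remains from the original tunnel. The config excerpt is constructed from the posted values, `set dpd disable` and `set pfs disable` are the assumed CLI form of the workaround, and the rules are general IPsec hardening points rather than advice given in this thread.

```python
# Constructed excerpt: the posted tunnel with the workaround applied. "set dpd disable"
# and "set pfs disable" are the assumed CLI form of "disabling DPD ... and PFS".
WORKAROUND = """\
config vpn ipsec phase1-interface
    edit "Forticlient VPN"
        set ike-version 1
        set authmethod psk
        set mode aggressive
        set proposal aes128-sha256 aes256-sha256
        set dpd disable
        set dhgrp 14
    next
end
config vpn ipsec phase2-interface
    edit "Forticlient VPN"
        set proposal aes128-sha256 aes256-sha256
        set pfs disable
    next
end
"""

def settings(text):
    """Map each config section to its `set key value...` lines (one edit block each)."""
    out, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config "):
            section = out.setdefault(line.split()[-1], {})
        elif line.startswith("set ") and section is not None:
            _, key, *values = line.split()
            section[key] = values
    return out

def review(text):
    """Return review notes; rules are general IPsec hardening points, not thread advice."""
    cfg = settings(text)
    p1, p2 = cfg.get("phase1-interface", {}), cfg.get("phase2-interface", {})
    notes = []
    if p1.get("dpd") == ["disable"]:
        notes.append("phase1 dpd disable: dead peers are not detected, stale tunnels linger")
    if p2.get("pfs") == ["disable"]:
        notes.append("phase2 pfs disable: no fresh DH exchange protects the phase 2 keys")
    if (p1.get("ike-version"), p1.get("mode"), p1.get("authmethod")) == (["1"], ["aggressive"], ["psk"]):
        notes.append("phase1 IKEv1 aggressive mode with PSK: prefer main mode or IKEv2")
    if "5" in p1.get("dhgrp", []) + p2.get("dhgrp", []):
        notes.append("dhgrp 5 (1536-bit MODP) offered: keep 14 or higher")
    return notes

print("\n".join(review(WORKAROUND)))
```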

Jean-Philippe_P
Community Manager

Hello again AP113BY,

 

I found this solution. Can you tell us if it helped you, please?

 

To address the DPD (Dead Peer Detection) failures on your IPsec VPN, you can try the following steps:

 

  1. Increase DPD Retry Count and Interval:

    • You can increase the dpd-retrycount and dpd-retryinterval to allow more time for the VPN to recover from temporary network issues.
    • Example CLI commands:

      config vpn ipsec phase1-interface
          edit "Forticlient VPN"
              set dpd-retrycount 10
              set dpd-retryinterval 30
          next
      end
      
  2. Check Network Stability: Ensure that the network connection between the FortiGate and the remote client is stable. Any intermittent network issues can cause DPD failures.

  3. Review FortiClient Configuration: Ensure that the FortiClient configuration is correct and matches the FortiGate settings. Check for any discrepancies in the IPsec settings.

  4. Firmware and Software Updates: Ensure that both the FortiGate and FortiClient are running the latest stable firmware and software versions. Sometimes, updates contain fixes for known issues.

  5. Monitor Logs: Continue to monitor the logs for any additional error messages or patterns that might indicate the root cause of the issue.

  6. Consult Fortinet Support: If the issue persists, consider reaching out to Fortinet Support for further assistance. They may provide additional insights or solutions specific to your configuration.

 

By following these steps, you should be able to mitigate the DPD failures and improve the stability of your IPsec VPN connection.

Regards,
Jean-Philippe - Fortinet Community Team
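
The log monitoring suggested in step 5, as an added example that is not part of the thread or Fortinet tooling: it filters DPD failure events by the Log ID shown in the original post, groups failures that hit several users at once, and reports the gap between failures per user. The sample lines are constructed and assume FortiGate's raw key=value log export; the user names, IPs and the 120-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

DPD_LOGID = "0101037136"  # Log ID of the "IPsec DPD failed" event in the post
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Constructed sample (users, IPs and times are made up). Assumes FortiGate's raw
# key=value log export; logid 0000000000 is a placeholder for unrelated events.
SAMPLE = """\
date=2026-01-04 time=13:02:10 logid="0101037136" status="dpd_failure" xauthuser="alice" remip=198.51.100.7 vpntunnel="Forticlient VPN_0"
date=2026-01-04 time=13:02:40 logid="0101037136" status="dpd_failure" xauthuser="bob" remip=203.0.113.20 vpntunnel="Forticlient VPN_1"
date=2026-01-04 time=13:03:05 logid="0101037136" status="dpd_failure" xauthuser="carol" remip=192.0.2.44 vpntunnel="Forticlient VPN_2"
date=2026-01-04 time=13:05:00 logid="0000000000" status="success" xauthuser="alice" remip=198.51.100.7 vpntunnel="Forticlient VPN_0"
date=2026-01-04 time=14:45:21 logid="0101037136" status="dpd_failure" xauthuser="alice" remip=198.51.100.7 vpntunnel="Forticlient VPN_0"
date=2026-01-04 time=14:45:50 logid="0101037136" status="dpd_failure" xauthuser="bob" remip=203.0.113.20 vpntunnel="Forticlient VPN_1"
date=2026-01-04 time=16:20:00 logid="0101037136" status="dpd_failure" xauthuser="bob" remip=203.0.113.20 vpntunnel="Forticlient VPN_1"
"""

def parse(line):
    return {k: quoted if quoted else bare for k, quoted, bare in KV.findall(line)}

def dpd_failures(text):
    """Return sorted (timestamp, user) pairs for every DPD failure event."""
    events = []
    for line in text.splitlines():
        f = parse(line)
        if f.get("logid") == DPD_LOGID and f.get("status") == "dpd_failure":
            ts = datetime.strptime(f"{f['date']} {f['time']}", "%Y-%m-%d %H:%M:%S")
            events.append((ts, f.get("xauthuser", "?")))
    return sorted(events)

def bursts(events, window=timedelta(seconds=120)):
    """Group failures within `window` of a burst's start; many users at once points at the gateway side."""
    groups = []
    for ts, user in events:
        if groups and ts - groups[-1][0] <= window:
            groups[-1][1].add(user)
        else:
            groups.append((ts, {user}))
    return [(ts.strftime("%H:%M:%S"), sorted(users)) for ts, users in groups]

def gaps_minutes(events):
    """Minutes between consecutive failures per user; a steady gap hints at a timer."""
    seen = defaultdict(list)
    for ts, user in events:
        seen[user].append(ts)
    return {u: [round((b - a).total_seconds() / 60) for a, b in zip(t, t[1:])] for u, t in seen.items()}

print(bursts(dpd_failures(SAMPLE)), gaps_minutes(dpd_failures(SAMPLE)))
```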