
IPsec DPD failure on IPSEC VPN


I would like help with the "famous" DPD_failure on IPSEC VPN.


I have 2 FortiGate firewalls. One in Italy (IT) and one in Germany (DE).

In Italy I have 2 HDSL internet interfaces.

Also in Germany (DE) I have 2 internet interfaces, but while one is an HDSL, the other one is an ADSL with a public IP.

So, we have 4 IPSEC VPN configured.

Only one is up and running (the others are ready if the first one has a problem).


Every day, I usually receive many IPsec DPD failure messages like:


Message meets Alert condition

date=2017-03-03 time=15:52:31 devname=PSE-GERMANY devid=FGT60C3G11037662 logid=0101037136 type=event subtype=vpn level=error msg="IPsec DPD failure" action=dpd remip= locip= remport=4500 locport=4500 outintf="wan2" cookies="...........c12..." user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" vpntunnel="DE1_IT2_PH1" status=dpd_failure


As you can see below, most of the messages are between one session ( in Italy with in Germany).

The is in Germany ( ADSL that has a public IP

The is a NEW HDSL here in Italy, I have just implemented these days.


How can I understand if I have a problem with my new HDSL here in Italy?

Or could the problem be related to the ADSL in Germany?

Why do the other 3 sessions seem to have few DPD problems?


Many thanks in advance for your help.



Here is the sequence of the messages:








ADSL lines in Germany are brought down once every 24 hours on purpose, at least with German Telekom. As ADSL is targeted and marketed as a broadband medium for private persons this is meant to defeat the use of these lines for servers - the customer will be assigned a new public IP every 24 hours.


So your logs only show that the VPN was established between an ADSL line and an HDSL line (without forced disconnections). If you set up all parameters correctly, the tunnel will be reestablished within seconds.


To make your VPNs fully and automatically redundant, you may already have set the 'monitor-phase1' parameter in the backup VPN setup. Given the name of the main VPN, FortiOS will monitor it for failures and yank the backup VPN up in that case.

Ede Kernel panic: Aiee, killing interrupt handler!

Hi Ede,

Thanks for your help.


I didn't know that in Germany they bring down VPN on purpose. That's OK, no problem.

I know one of the interfaces is an ADSL and this kind of line is not well suited for business (but this is just a backup of the HDSL line we have in Germany, and for this ADSL we have a STATIC public IP assigned, so no problem about IP change).

You are right, the VPN is re-established within seconds.

And to make our VPNs fully and automatically redundant we are using different "Distance" values in the Static Routes configuration (and it is working well).



This VPN between ( one of the 2 HDSL in Italy) and ( Germany ADSL that has a public STATIC IP, is just the 4th of the IPSEC VPNs we have and the least important.

In fact, we are going to use this only in case the other 3 have a problem.


And my little problem arises here.

Why, in the other 3 IPSEC VPNs, don't I see so many "IPsec DPD failure" messages?

I was thinking, maybe it is the new HDSL we just installed here in Italy that can have some problems ...

but at the same time this new HDSL ( having 2 VPNs :  --- VPN ---- HDSL Germany (  --- VPN ---- ADSL Germany ( Static Public IP that is Interface IP)

and only this last one has so many "IPsec DPD failure" messages.


What do you think?
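
Added example (not part of any post in this thread, and not Fortinet code): a short Python script that counts "IPsec DPD failure" events per tunnel from log lines in the key=value format quoted above and reports the hours between consecutive failures, so a tunnel that drops on a regular cycle can be told apart from one that drops irregularly. The sample lines are constructed; only the tunnel name DE1_IT2_PH1 comes from the thread, while DE1_IT1_PH1, the device name and the addresses are assumptions.

```python
import shlex
from collections import defaultdict
from datetime import datetime

# Constructed sample in the key=value layout of the log line quoted in the thread.
# Only the tunnel name DE1_IT2_PH1 is from the page; DE1_IT1_PH1, FW-DE and the
# documentation-range addresses are made up. The last line is deliberately broken.
SAMPLE_LOG = """\
date=2017-03-01 time=03:10:05 devname=FW-DE type=event subtype=vpn level=error msg="IPsec DPD failure" action=dpd remip=192.0.2.10 locip=198.51.100.20 vpntunnel="DE1_IT2_PH1" status=dpd_failure
date=2017-03-01 time=09:00:00 devname=FW-DE type=event subtype=vpn level=notice msg="constructed non-DPD event" remip=192.0.2.10 locip=198.51.100.20 vpntunnel="DE1_IT2_PH1" status=success
date=2017-03-02 time=03:10:05 devname=FW-DE type=event subtype=vpn level=error msg="IPsec DPD failure" action=dpd remip=192.0.2.10 locip=198.51.100.20 vpntunnel="DE1_IT2_PH1" status=dpd_failure
date=2017-03-02 time=11:30:00 devname=FW-DE type=event subtype=vpn level=error msg="IPsec DPD failure" action=dpd remip=192.0.2.11 locip=198.51.100.20 vpntunnel="DE1_IT1_PH1" status=dpd_failure
date=2017-03-03 time=03:10:05 devname=FW-DE type=event subtype=vpn level=error msg="IPsec DPD failure" action=dpd remip= locip= vpntunnel="DE1_IT2_PH1" status=dpd_failure
date=2017-03-03 time=04:00:00 msg="truncated line
"""

def parse_line(line):
    """Split one key=value log line into a dict; quoted values may contain spaces."""
    try:
        tokens = shlex.split(line)
    except ValueError:  # unbalanced quote: treat the line as unparseable
        return {}
    return dict(t.split("=", 1) for t in tokens if "=" in t)

def summarize(log_text):
    """Per tunnel: number of DPD failures and hours between consecutive ones."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("status") != "dpd_failure" or "vpntunnel" not in f:
            continue
        try:
            ts = datetime.strptime(f"{f.get('date')} {f.get('time')}", "%Y-%m-%d %H:%M:%S")
        except ValueError:  # missing or malformed timestamp
            continue
        times[f["vpntunnel"]].append(ts)
    report = {}
    for tunnel, stamps in times.items():
        stamps.sort()
        gaps = [round((b - a).total_seconds() / 3600, 2) for a, b in zip(stamps, stamps[1:])]
        report[tunnel] = {"count": len(stamps), "gaps_h": gaps}
    return report

if __name__ == "__main__":
    # Busiest tunnel first: name, failure count, hours between failures.
    for tunnel, r in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"]):
        print(tunnel, r["count"], r["gaps_h"])
```

Gaps that cluster around one fixed interval point to a scheduled disconnect on one side of the tunnel, while short, irregular gaps on a single tunnel point to the line or path that only that tunnel uses.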






Managed to solve the problem of "ipsec dpd failure"


I have the same problem



Armando Gómez
