Hello.
I would like some help with the "famous" DPD failure on IPsec VPN.
I have 2 FortiGate firewalls: one in Italy (IT) and one in Germany (DE).
In Italy I have 2 HDSL internet interfaces.
In Germany (DE) I also have 2 internet interfaces, but while one is HDSL, the other one is ADSL with a public IP.
So we have 4 IPsec VPNs configured.
Only one is up and running (the others are ready in case the first one has a problem).
Every day I receive many "IPsec DPD failure" messages like:
Message meets Alert condition
date=2017-03-03 time=15:52:31 devname=PSE-GERMANY devid=FGT60C3G11037662 logid=0101037136 type=event subtype=vpn level=error msg="IPsec DPD failure" action=dpd remip=81.174.28.218 locip=10.1.2.2 remport=4500 locport=4500 outintf="wan2" cookies="...........c12..." user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" vpntunnel="DE1_IT2_PH1" status=dpd_failure
As you can see below, most of the messages are between one session (81.174.28.218 in Italy with 10.1.2.2 in Germany).
10.1.2.2 is in Germany (ADSL that has the public IP 217.92.59.71).
81.174.28.218 is a NEW HDSL here in Italy that I have just installed these days.
How can I understand whether I have a problem with my new HDSL here in Italy?
Or could the problem be related to the ADSL in Germany?
Why do the other 3 sessions seem to have so few DPD problems?
Many thanks in advance for your help.
Pierluigi
Here is the sequence of the messages:
Hi,
ADSL lines in Germany are brought down once every 24 hours on purpose, at least with German Telekom. As ADSL is targeted and marketed as a broadband medium for private persons, this is meant to defeat the use of these lines for servers: the customer is assigned a new public IP every 24 hours.
So your logs only show that the VPN was established between an ADSL line and an HDSL line (without forced disconnections). If you set up all parameters correctly, the tunnel will be re-established within seconds.
To make your VPNs fully and automatically redundant, you may already have set the 'monitor-phase1' parameter in the backup VPN setup. Given the name of the main VPN, FortiOS will monitor it for failures and yank the backup VPN up in that case.
Hi Ede,
Thanks for your help.
I didn't know that in Germany they bring down the VPN on purpose. That's ok, no problem.
I know that one of the interfaces is an ADSL and this kind of line is not well suited for business (but this is just a backup of the HDSL line we have in Germany, and for this ADSL we have a STATIC public IP assigned, so no problem about the IP changing).
You are right, the VPN is re-established within seconds.
And to make our VPNs fully and automatically redundant we are using different "Distance" values in the static routes configuration (and it is working well).
Now:
This VPN between 81.174.28.218 (one of the 2 HDSLs in Italy) and 10.1.2.2 (the Germany ADSL that has the public STATIC IP 217.92.59.71) is just the 4th of the IPsec VPNs we have, and the least important.
In fact, we are going to use this one only in case the other 3 have a problem.
And my little problem arises here.
Why, on the other 3 IPsec VPNs, don't I see so many "IPsec DPD failure" messages?
I was thinking that maybe it is the new HDSL we just installed here in Italy that has some problems...
but at the same time this new HDSL (81.174.28.218) has 2 VPNs:
81.174.28.218 --- VPN ---- HDSL Germany (193.158.81.250)
81.174.28.218 --- VPN ---- ADSL Germany (static public IP 217.92.59.71, which is the 10.1.2.2 interface IP)
and only this last one has so many "IPsec DPD failure" messages.
What do you think?
Pierluigi
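The question in both of Pierluigi's posts is really "which tunnel and peer pair is producing the DPD failures, and how closely spaced are they?". That can be answered from the event log itself before touching either line. The script below is an added example, not code from the original thread or from Fortinet: it parses FortiOS key=value log lines (the same layout as the line quoted above), keeps only `status=dpd_failure` events, and for each `vpntunnel` reports the count, the peer pair, the outgoing interface and the shortest interval between consecutive failures. A tunnel whose failures are about 24 hours apart matches a scheduled line reset; failures minutes apart point at a lossy path on one of the two lines. The sample log lines, timestamps and the `DE2_IT2_PH1` tunnel name are constructed for the example, and the one-hour "flapping" threshold is an arbitrary assumption.

```python
"""Tally FortiOS 'IPsec DPD failure' events per tunnel and peer pair.

Added example for the forum thread, not the poster's or Fortinet's code.
The log lines in SAMPLE_LOG are constructed for this example; they follow
the key=value layout FortiOS uses but are not a real capture.
"""
import re
from collections import defaultdict
from datetime import datetime

# FortiOS event logs are key=value pairs; values containing spaces are
# double-quoted, so accept either a quoted string or a run of non-blanks.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log (hypothetical timestamps; the last line is a filler
# non-DPD event, not a verbatim FortiOS message, to show that it is ignored).
SAMPLE_LOG = """\
date=2017-03-03 time=00:02:11 devname=PSE-GERMANY type=event subtype=vpn level=error msg="IPsec DPD failure" action=dpd remip=81.174.28.218 locip=10.1.2.2 remport=4500 locport=4500 outintf="wan2" vpntunnel="DE1_IT2_PH1" status=dpd_failure
date=2017-03-03 time=00:03:45 devname=PSE-GERMANY type=event subtype=vpn level=error msg="IPsec DPD failure" action=dpd remip=81.174.28.218 locip=10.1.2.2 remport=4500 locport=4500 outintf="wan2" vpntunnel="DE1_IT2_PH1" status=dpd_failure
date=2017-03-03 time=09:20:05 devname=PSE-GERMANY type=event subtype=vpn level=error msg="IPsec DPD failure" action=dpd remip=81.174.28.218 locip=10.1.2.2 remport=4500 locport=4500 outintf="wan2" vpntunnel="DE1_IT2_PH1" status=dpd_failure
date=2017-03-03 time=15:52:31 devname=PSE-GERMANY type=event subtype=vpn level=error msg="IPsec DPD failure" action=dpd remip=81.174.28.218 locip=10.1.2.2 remport=4500 locport=4500 outintf="wan2" vpntunnel="DE1_IT2_PH1" status=dpd_failure
date=2017-03-03 time=04:10:00 devname=PSE-GERMANY type=event subtype=vpn level=error msg="IPsec DPD failure" action=dpd remip=81.174.28.218 locip=193.158.81.250 remport=500 locport=500 outintf="wan1" vpntunnel="DE2_IT2_PH1" status=dpd_failure
date=2017-03-04 time=04:10:30 devname=PSE-GERMANY type=event subtype=vpn level=error msg="IPsec DPD failure" action=dpd remip=81.174.28.218 locip=193.158.81.250 remport=500 locport=500 outintf="wan1" vpntunnel="DE2_IT2_PH1" status=dpd_failure
date=2017-03-03 time=15:52:40 devname=PSE-GERMANY type=event subtype=vpn level=notice msg="constructed filler event" action=negotiate remip=81.174.28.218 locip=10.1.2.2 vpntunnel="DE1_IT2_PH1" status=success
"""

# Assumption for the example: two failures closer than this are "flapping".
FLAP_THRESHOLD_S = 3600


def parse_fortios_log(line):
    """Return the key=value fields of one FortiOS log line, quotes stripped."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def event_time(fields):
    """Combine the date= and time= fields into a datetime."""
    return datetime.strptime(fields["date"] + " " + fields["time"],
                             "%Y-%m-%d %H:%M:%S")


def summarize_dpd_failures(log_text, flap_threshold_s=FLAP_THRESHOLD_S):
    """Group status=dpd_failure events by vpntunnel.

    For each tunnel report: number of failures, the locip<->remip pair,
    the outgoing interface on the reporting device, the shortest gap in
    seconds between two consecutive failures, and a verdict: 'flapping'
    if that gap is under the threshold, otherwise 'sparse'.
    """
    per_tunnel = defaultdict(list)
    for line in log_text.splitlines():
        fields = parse_fortios_log(line)
        if fields.get("status") != "dpd_failure":
            continue  # ignore SA negotiation and other non-DPD events
        per_tunnel[fields["vpntunnel"]].append((event_time(fields), fields))

    report = {}
    for tunnel, events in per_tunnel.items():
        events.sort(key=lambda e: e[0])
        times = [t for t, _ in events]
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        last = events[-1][1]
        min_gap = min(gaps) if gaps else None
        report[tunnel] = {
            "count": len(events),
            "peer": f'{last["locip"]}<->{last["remip"]}',
            "outintf": last["outintf"],
            "min_gap_s": min_gap,
            "verdict": "flapping" if min_gap is not None and min_gap < flap_threshold_s else "sparse",
        }
    return report


if __name__ == "__main__":
    for tunnel, info in summarize_dpd_failures(SAMPLE_LOG).items():
        print(tunnel, info)
```

Run it against a text export of the event log (the lines as they arrive in the alert e-mails work as-is). In the constructed sample, DE1_IT2_PH1 (the wan2/ADSL side talking to 81.174.28.218) fails four times with two failures only 94 seconds apart and is flagged as flapping, while DE2_IT2_PH1 fails once a day and is flagged as sparse; on real data, a tunnel that comes up as flapping while every other tunnel on the same Italian line is sparse points at the German end of that pair rather than at the new HDSL.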
Hi,
Managed to solve the problem of "IPsec DPD failure"?
I have the same problem.
Regards,