Tecnologie
New Contributor

VPN error DPD - ESP

Hello everybody, I have a VPN on PCs to connect to headquarters. Sometimes, I don't know why, the tunnel goes into error, and the error is always the same. I am posting the image of the error event. What does this kind of error depend on? Thanks very much!
Tecnologie
New Contributor

no one?
HA
Contributor

Hello, Your VPN is configured to use DPD (Dead Peer Detection). DPD generates keepalive packets at regular intervals and waits for an answer from the remote peer. If there's no answer, the local device tears down the IPSec session. First, check the DPD settings (retry count and retry interval) on BOTH devices. Even if it's not recommended, you can also try to disable DPD (on both sides). Regards, HA
Tecnologie
New Contributor

Fantastic!! Thank you very much!!!
emnoc
Esteemed Contributor III

Keep in mind, 9 out of 10 times, DPD is enabled and negotiated during the ipsec setup. I don't think that's the reason for the ESP error. DPD is mutual-neg before the ESP SA and within IKE setup and with the vendor capabilities. Also, if the DPD keepalive intervals are not set correctly, they can reflect loss of neighborship.

PCNSE NSE StrongSwan
HA
Contributor

Hi, The IPSec Phase2 is going down BECAUSE the DPD fails. It's written in the log... In fact, some platforms, like Checkpoint, don't support DPD. As said before, DPD keepalive timers must be configured correctly... Regards, HA
rsmayer
New Contributor

Hi... I'm having issues with dial-up VPN connections dropping. You mentioned that "DPD timers must be configured correctly". Can you please elaborate on that? How would I determine the "correct" settings? My thought would be that setting retry 10 and interval 15, one side or the other would have to miss 10 probes over a 2 1/2 minute time span for DPD to fail. Is that not correct?
Rich Mayer LGS Innovations
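A simplified model of the retry count and retry interval arithmetic discussed in the posts above, as an added example that is not part of the original thread and is not FortiOS code. It assumes one probe per retry interval and teardown after retry-count consecutive unanswered probes; the function name and the outage windows are constructed for illustration.

```python
def dpd_teardown_time(outages, retry_count, retry_interval, horizon=600):
    """Return the second at which the peer is declared dead, or None.

    Assumed model (not vendor behaviour): a probe is sent every
    `retry_interval` seconds, it goes unanswered only if sent during an
    outage window, and the tunnel is torn down once `retry_count`
    probes in a row go unanswered. Any answered probe resets the count.

    outages: list of (start, end) seconds, end exclusive (constructed).
    """
    missed = 0
    for t in range(retry_interval, horizon + 1, retry_interval):
        if any(start <= t < end for start, end in outages):
            missed += 1
            if missed >= retry_count:
                return t
        else:
            missed = 0
    return None


if __name__ == "__main__":
    # Constructed scenarios: a 2-minute path outage, a 5-minute outage,
    # and two short interruptions with a recovery in between.
    scenarios = {
        "120 s outage": [(100, 220)],
        "300 s outage": [(100, 400)],
        "two 30 s blips": [(100, 130), (160, 190)],
    }
    # (retry_count, retry_interval): the 10/15 pair from the post above
    # next to a much more aggressive constructed pair.
    settings = [(10, 15), (3, 5)]
    for name, outages in scenarios.items():
        for count, interval in settings:
            dead_at = dpd_teardown_time(outages, count, interval)
            verdict = f"torn down at t={dead_at}s" if dead_at else "tunnel stays up"
            print(f"{name:15} retry={count:2} interval={interval:2}s -> {verdict}")
```

Under this model, retry 10 with interval 15 rides through any outage shorter than roughly 150 seconds, while retry 3 with interval 5 drops the tunnel about 10 to 15 seconds into the same outage.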
CodeTron
New Contributor III

I'm receiving the same error on DPD. What could be the best setting to eliminate VPN connection dropping?

 

Thank you

 

CodeTron
New Contributor III

Where can I change the DPD settings in a Fortigate?

 

Thank you 

BioGlitch

SamH wrote:

Where can I change the DPD settings in a Fortigate?

 

Thank you 

Hi CodeTron

 

You can download the ipsec VPN Cookbook from https://docs.fortinet.com/uploaded/files/2802/fortigate-ipsecvpn-54.pdf

 

 
