IPSec VPN DPD Failure Issue

Author: Hyeon (New Member, joined 2020/07/07)
2020/07/07 23:04:53 | 6.2
IPSec VPN DPD Failure Issue

Hi
 
We are using 3 IPsec VPNs (AWS to FortiGate 500D).
When an IPsec VPN fails, one of them only logs "phase 2 Down".
The other logs DPD Failure, tunnel Down, and phase 2 Down.
 
Can I get the detailed conditions for the tunnel Down log and the DPD Failure log?
And is it possible for phase 2 Down to occur without the tunnel Down and DPD Failure logs?
 
#1

3 Replies

    emnoc (Expert Member, joined 2008/03/20, Austin TX area)
    Re: IPSec VPN DPD Failure Issue 2020/07/09 12:24:53
    DPD is an IKE status check, depending on how you have it configured (idle or on-demand), based on whether ESP datagrams are not being sent from the peer.
     
    The Phase 2 down could be an IPsec SA clear or admin-down.
     
    The DPD down is, simply put, that the peer has not responded, is marked down, and the IKE/IPsec SAs are cleared.
     
    So what is your exact issue or problem?
     
     
    Ken Felix
     

    PCNSE 
    NSE 
    StrongSwan  
    #2
    Hyeon (New Member, joined 2020/07/07)
    Re: IPSec VPN DPD Failure Issue 2020/07/10 04:31:50
    Thanks.
    My issue is that a few days ago the Forti to AWS IPsec VPN was down, but the DPD function didn't work.
    AWS sent me this log.
     
                    2020-07-03T03:44:38.496 recieved DPD R_U_THERE_ACK seq number 324617111
                    2020-07-03T03:44:48.492 sending DPD R_U_THERE with sequence number 324617112
                    2020-07-03T03:44:58.492 sending DPD R_U_THERE with sequence number 324617113
                    2020-07-03T03:45:08.492 sending DPD R_U_THERE with sequence number 324617114
                    2020-07-03T03:45:18.492 DPD check failed, declaring peer dead.
     
    But I can't find anything about DPD failure or tunnel Down in the FortiGate VPN log.
    There is only a phase 2 Down log.

    I want to know if it's a bug or a config value error.
     
    When the VPN was down, the DPD config was on-demand, 20 seconds, 3 times.
     
    post edited by Hyeon - 2020/07/10 04:33:50
    #3
    emnoc (Expert Member, joined 2008/03/20, Austin TX area)
    Re: IPSec VPN DPD Failure Issue 2020/07/10 05:45:07
    Again, DPD is working normally from that AWS debug output; you need to analyze when you didn't respond to the 3 DPDs. This is not a bug but what DPD does and how it works.
     
    If you did not know, AWS IPsec uses 3 failed DPD sequences before declaring a peer down. So that AWS snippet seems right and correct; what your FortiGate did or did not do on IKE gateway clearing is another thing you would have to explore.
     
    I would do the following:
    1> Do you have plos (packet loss), and is it greater than 2%?
    2> Is the IPsec ESP data high at the time of the outage?
    3> Can you recreate any conditions that cause the problem?
    4> If "yes", I would seriously run "diag debug application ike -1", dump it into a file and analyze it from the FortiGate.
     
    And lastly, ensure you're running the most up-to-date FortiOS version.
     
     
    As far as the phase 2, if we strike a peer dead, all SAs are cleared and should be removed and marked invalid. Do you see that? And what does your "get router info routing all" show for the installed route(s)?
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    #4
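The DPD behaviour emnoc describes, replayed over the AWS log lines Hyeon posted, as an added example (not code from this thread, from AWS or from Fortinet): it counts the R_U_THERE probes sent since the last R_U_THERE_ACK and checks that "declaring peer dead" came only after the 3 unanswered probes, one probe interval after the last one. The helper detection_window_s is an assumption modelled on that AWS timeline, not FortiOS's own timer logic.

```python
import re
from datetime import datetime

# Constructed sample: the AWS-side DPD log lines quoted earlier in this thread.
AWS_DPD_LOG = """\
2020-07-03T03:44:38.496 recieved DPD R_U_THERE_ACK seq number 324617111
2020-07-03T03:44:48.492 sending DPD R_U_THERE with sequence number 324617112
2020-07-03T03:44:58.492 sending DPD R_U_THERE with sequence number 324617113
2020-07-03T03:45:08.492 sending DPD R_U_THERE with sequence number 324617114
2020-07-03T03:45:18.492 DPD check failed, declaring peer dead.
"""

TS_FMT = "%Y-%m-%dT%H:%M:%S.%f"
SEQ_RE = re.compile(r"(\d+)\s*$")  # trailing DPD sequence number, if present

def analyze_dpd(log_text, max_retries=3):
    """Replay IKEv1 DPD events (R_U_THERE / R_U_THERE_ACK) from a peer log.
    Checks that 'peer dead' came only after `max_retries` unanswered probes,
    one probe interval after the last one (the pattern AWS shows above)."""
    unanswered, send_times, last_ack, dead_at = [], [], None, None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_str, msg = line.split(" ", 1)
        ts = datetime.strptime(ts_str, TS_FMT)
        if "R_U_THERE_ACK" in msg:            # peer answered: liveness proven, reset
            unanswered, send_times, last_ack = [], [], ts
        elif "sending DPD R_U_THERE" in msg:  # probe out, not yet answered
            unanswered.append(int(SEQ_RE.search(msg).group(1)))
            send_times.append(ts)
        elif "declaring peer dead" in msg:
            dead_at = ts
    interval = None
    if len(send_times) >= 2:
        interval = (send_times[1] - send_times[0]).total_seconds()
    consistent = (
        dead_at is not None and interval is not None
        and len(unanswered) == max_retries
        and abs((dead_at - send_times[-1]).total_seconds() - interval) < 1.0
    )
    return {"last_ack": last_ack, "unanswered": unanswered,
            "probe_interval_s": interval, "declared_dead_at": dead_at,
            "consistent_with_retries": consistent}

def detection_window_s(interval_s, retries):
    """Seconds from last proof of liveness to 'peer dead', assuming the AWS
    timeline above: one interval to the first probe, `retries` probes one
    interval apart, then one more interval. Assumption, not FortiOS's timer."""
    return interval_s * (retries + 1)
```

With Hyeon's "20 seconds, 3 times" setting, detection_window_s(20, 3) gives an 80-second window under that assumption, against 40 seconds on the AWS side.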