topic Re: DPD bug with ipsec on 9.0.5 in General Topics

DPD bug with ipsec on 9.0.5

Alex_Samad — Thu, 09 Jan 2020 22:26:00 GMT

I have a IKE1 tunnel setup.

Life time for ph1 and ph2 is 8 hours.

For some reason the other end drops at 6 hours .. not sure why.

But the PA keeps the tunnel up. I have confirmed this numerious times screen sharing situation and I can confirm that no packets have come from the other side for over 30 min. My DPD is set 10 2 ... in 20 sec it should have seen no IKE heart beat messages and droped the tunnel.

So my limited understanding of ipsec, is the DPD using interanl - so ike message - to send a heart beat..

Am I wrong ?

If i turn on monitoring which i understand send a icmp from my end to dest, it detects and brings the tunnel down and restarts but this causes an outage - a rekeying doesn't.

in fact if I leave it for 2 hours it fixes it self when the ipsec tunnel on my end renews keys !

Re: DPD bug with ipsec on 9.0.5

BPry — Thu, 09 Jan 2020 22:40:57 GMT

@Alex_Samad,

Not exactly. DPD is used to monitor Phase 1, not Phase 2, and it's not a persistent heart-beat like communication. The only time DPD will send an R_U_THERE message is during a Phase 2 re-key event.

Re: DPD bug with ipsec on 9.0.5

Alex_Samad — Thu, 09 Jan 2020 22:51:51 GMT

Okay - that would explain why it doesn't do anything when the tunnel stops working !

Okay so the best thing is to go back to monitoring