IPsec: Dead Peer Detection (DPD) timeout for peer 203.0.113.10, deleting SA
ID: networking/ipsec-dpd-timeout
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| strongSwan 5.9-6.0 | active | — | — | — |
| Libreswan 4.10-5.0 | active | — | — | — |
| Cisco ASA 9.16-9.20 | active | — | — | — |
| pfSense 2.7-2.8 | active | — | — | — |
| AWS VPN 2024 | active | — | — | — |
Root Cause
The IPsec endpoint did not receive DPD keepalive responses from the remote peer within the configured timeout interval, indicating the peer is unreachable or the tunnel is broken, causing the security association (SA) to be torn down.
Official Documentation
https://docs.strongswan.org/docs/5.9/config/dpd.html
Workarounds
- 85% success: Check connectivity to the peer: `ping 203.0.113.10` and `traceroute 203.0.113.10` to confirm the network path. Then verify that firewall rules allow UDP 500 and 4500. On strongSwan, run `ipsec statusall` to see the SA state.
- 75% success: Restart the IPsec service after ensuring connectivity: on strongSwan, `systemctl restart strongswan-starter`; on Cisco ASA, `clear crypto ipsec sa peer 203.0.113.10`.
- 70% success: Adjust DPD settings: on strongSwan, set `dpd_delay=10s` and `dpd_timeout=30s` in ipsec.conf to detect failures faster; on Cisco, use `crypto isakmp keepalive 10 3`.
Dead Ends
Common approaches that don't work:
- Increasing the DPD timeout to a very high value (e.g., 300 seconds) to suppress the error (75% fail): this only masks the problem; if the peer is truly down, the tunnel remains stale for longer, and failover or reconnection is delayed.
- Restarting the IPsec service without checking network connectivity (80% fail): the root cause (e.g., a firewall blocking UDP 500/4500, a NAT traversal issue, or a peer crash) is not addressed, so the timeout reoccurs shortly after the restart.
- Disabling DPD entirely (90% fail): without DPD, the tunnel may appear up while the peer is dead, causing traffic blackholing; this is a security and reliability risk.
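As an added example (not code from this page, from strongSwan, or from any of the vendors listed above), the following POSIX shell script ties the workaround steps and the dead ends together in one triage helper. It counts DPD timeouts per peer from a syslog extract so that a flapping peer can be spotted before anything is restarted, sanity-checks a dpddelay/dpdtimeout pair against the "very high value" dead end, and, when `DPD_PEER` is set, runs the live checks from the workaround list. The log lines are constructed in the page's own message format; the tool names (iputils `ping`, `ss`, `nft`/`iptables`, `swanctl` or the legacy `ipsec` command) assume a Linux strongSwan gateway; the 300-second ceiling comes from the first dead end, and the other limits are illustrative.

```shell
#!/bin/sh
# Added example, not code from the page or from the strongSwan project.
# Triage helper for "DPD timeout for peer X, deleting SA" events:
#   1. pure log-parsing functions (usable offline on any syslog extract),
#   2. a sanity check of a dpddelay/dpdtimeout pair,
#   3. the live checks from the workaround steps, which only run when DPD_PEER
#      is set, e.g.  DPD_PEER=203.0.113.10 sh dpd_triage.sh

# Constructed sample log lines in the page's message format (not real captures).
SAMPLE_LOG='Mar 10 12:00:01 gw charon: Dead Peer Detection (DPD) timeout for peer 203.0.113.10, deleting SA
Mar 10 12:00:31 gw charon: Dead Peer Detection (DPD) timeout for peer 203.0.113.10, deleting SA
Mar 10 12:01:05 gw charon: Dead Peer Detection (DPD) timeout for peer 198.51.100.7, deleting SA
Mar 10 12:01:10 gw charon: IKE_SA site-b[3] established between 10.0.0.1[gw]...198.51.100.7[peer]'

# Print "peer count" for every peer that hit a DPD timeout, most affected first.
# Reads the log on stdin.
dpd_timeouts_per_peer() {
    grep -F 'DPD) timeout for peer' \
        | sed -n 's/.*for peer \([0-9.]*\),.*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $2, $1 }'
}

# Count DPD timeouts for one peer address (0 when there are none). Reads stdin.
count_dpd_timeouts() {
    peer=$1
    grep -cF "DPD) timeout for peer ${peer}," || true
}

# Sanity-check a dpddelay/dpdtimeout pair given in seconds (a trailing "s" is
# accepted). Returns 0 when the pair is usable, 1 otherwise:
#   - the delay must be positive, otherwise no probes are sent,
#   - the timeout must exceed the delay, otherwise the first missed probe kills the SA,
#   - a timeout of 300s or more is the "very high value" dead end: the SA stays
#     stale for minutes before failover can happen (threshold taken from the page).
# Note: strongSwan honours dpdtimeout for IKEv1 only; IKEv2 uses retransmission timeouts.
check_dpd_values() {
    delay=${1%s}
    timeout=${2%s}
    [ "$delay" -gt 0 ] 2>/dev/null || return 1
    [ "$timeout" -gt "$delay" ] 2>/dev/null || return 1
    [ "$timeout" -lt 300 ] || return 1
    return 0
}

# Live checks from the workaround steps (Linux tooling assumed; the firewall
# listing needs root). Nothing here changes state: it only observes.
run_live_checks() {
    peer=$1
    echo "== reachability of ${peer} =="
    ping -c 3 -W 2 "$peer" || echo "ping failed: no ICMP path, or ICMP is filtered"
    traceroute -n -w 2 "$peer" 2>/dev/null | tail -n 5

    echo "== IKE ports bound locally (UDP 500/4500) =="
    ss -lun 2>/dev/null | grep -E ':(500|4500) ' \
        || echo "no listener on UDP 500/4500: is the IKE daemon running?"

    echo "== firewall rules mentioning UDP 500/4500 (coarse filter) =="
    { nft list ruleset 2>/dev/null; iptables -S 2>/dev/null; } \
        | grep -E 'dport.*(500|4500)' \
        || echo "no explicit rule for UDP 500/4500 found: check the default policy"

    echo "== SA state =="
    if command -v swanctl >/dev/null 2>&1; then
        swanctl --list-sas
    else
        ipsec statusall
    fi
}

if [ -n "${DPD_PEER:-}" ]; then
    run_live_checks "$DPD_PEER"
else
    echo "Offline demo on the constructed sample log (peer, timeouts):"
    printf '%s\n' "$SAMPLE_LOG" | dpd_timeouts_per_peer
fi
```

Run it without arguments for the offline demo, or with `DPD_PEER=203.0.113.10` on the gateway for the live checks; a peer that shows up repeatedly in `dpd_timeouts_per_peer` while `ping` and `traceroute` succeed usually points at UDP 500/4500 filtering or a NAT-T problem rather than a dead peer, which is exactly the case the second dead end warns about. Two details worth knowing when applying the third workaround: the legacy ipsec.conf spells the options `dpddelay`, `dpdtimeout` and `dpdaction`, whereas `dpd_delay` and `dpd_timeout` are the swanctl.conf names, and strongSwan applies `dpdtimeout` only to IKEv1 (IKEv2 relies on its retransmission timeouts).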