# IPsec: Dead Peer Detection (DPD) timeout for peer 203.0.113.10, deleting SA

- **ID:** `networking/ipsec-dpd-timeout`
- **Domain:** networking
- **Category:** protocol_error
- **Verification:** ai_generated
- **Fix Rate:** 80%

## Root Cause

The local IKE daemon sent DPD liveness probes to 203.0.113.10 (IKEv1 R-U-THERE notifications, or for IKEv2 an empty INFORMATIONAL exchange; both are protected by the IKE SA, so a third party cannot forge a reply) and received no answer within the configured timeout. The endpoint therefore treats the peer as unreachable, or the IKE SA as gone on the far side, and deletes the IKE SA together with its IPsec/CHILD SAs. What happens next (hold, clear, or re-initiate) is whatever the DPD action is configured to. Typical causes are a peer reboot or crash, a firewall or NAT mapping that stopped passing UDP 500/4500 mid-session, or a routing change on the path.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| strongSwan 5.9-6.0 | active | — | — |
| Libreswan 4.10-5.0 | active | — | — |
| Cisco ASA 9.16-9.20 | active | — | — |
| pfSense 2.7-2.8 | active | — | — |
| AWS VPN 2024 | active | — | — |

## Workarounds

1. **Check connectivity to the peer and that IKE/NAT-T traffic is allowed in both directions.** `ping` and `traceroute` confirm the network path, but ICMP reachability does not prove UDP 500/4500 are open, so also capture traffic to confirm that probes leave and replies come back. Firewalls on both ends and in the path must pass UDP 500 (IKE), UDP 4500 (NAT-T, ESP-in-UDP) and, where there is no NAT, ESP (IP protocol 50). Then inspect SA state. (85% success)
   ```
   ping 203.0.113.10
   traceroute 203.0.113.10
   # replace eth0 with the interface facing the peer
   tcpdump -ni eth0 'host 203.0.113.10 and (udp port 500 or udp port 4500)'
   # strongSwan, legacy stroke interface (ipsec.conf)
   ipsec statusall
   # strongSwan, vici interface (swanctl.conf)
   swanctl --list-sas
   ```
2. **Re-initiate the tunnel only after connectivity is confirmed.** Prefer tearing down the one affected connection over restarting the whole daemon, so unrelated tunnels stay up; unit names vary by distribution. (75% success)
   ```
   # strongSwan, single connection (legacy stroke)
   ipsec down <conn> && ipsec up <conn>
   # strongSwan, single connection (vici)
   swanctl --terminate --ike <conn>
   swanctl --initiate --child <child>
   # strongSwan, whole daemon
   systemctl restart strongswan-starter   # legacy unit, ipsec.conf
   systemctl restart strongswan           # vici unit, swanctl.conf
   # Cisco ASA
   clear crypto ipsec sa peer 203.0.113.10
   clear crypto ikev2 sa                  # IKEv1: clear crypto isakmp sa
   ```
3. **Tune DPD so a dead peer is detected sooner.** The ipsec.conf keys are `dpddelay`, `dpdtimeout` and `dpdaction` (no underscores); `dpd_delay` and `dpd_timeout` are the swanctl.conf names, with `dpd_action` set under the child. In ipsec.conf DPD stays off unless `dpdaction` is something other than `none`. The timeout value applies to IKEv1 only: for IKEv2 strongSwan relies on its retransmission settings (`charon.retransmit_timeout`, `retransmit_base`, `retransmit_tries` in strongswan.conf), which with defaults give up after roughly 165 seconds, so tighten those if IKEv2 detection must be faster. `crypto isakmp keepalive 10 3` is IOS syntax; on the ASA keepalives are configured per tunnel-group. (70% success)
   ```
   # strongSwan, ipsec.conf
   conn peer-203-0-113-10
       dpdaction=restart
       dpddelay=10s
       # IKEv1 only; IKEv2 uses charon.retransmit_* in strongswan.conf
       dpdtimeout=30s

   # strongSwan, swanctl.conf
   connections {
       peer-203-0-113-10 {
           dpd_delay = 10s
           # IKEv1 only
           dpd_timeout = 30s
           children {
               net {
                   dpd_action = restart
               }
           }
       }
   }

   # Cisco IOS
   crypto isakmp keepalive 10 3 periodic

   # Cisco ASA
   tunnel-group 203.0.113.10 ipsec-attributes
     isakmp keepalive threshold 10 retry 3
   ```
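The settings in workaround 3 are easier to judge when turned into a number: how many seconds, worst case, pass between the peer going silent and the SA being deleted. The following model is an added example, not code from this page or from strongSwan. It assumes strongSwan's documented retransmission defaults (`retransmit_timeout` 4.0 s, `retransmit_base` 1.8, `retransmit_tries` 5, with one further wait after the last retransmit before the exchange is declared failed) and treats the IKEv1 case as `dpd_delay + dpd_timeout`, which is an approximation of charon's behaviour rather than its exact timer logic. The class and function names are this example's own.

```python
"""Worst-case time to detect a dead IPsec peer from the DPD knobs.

Added example, not code from the page or from strongSwan. Defaults below are
strongSwan's documented charon.retransmit_* values; the IKEv1 model is an
approximation (dpd_delay + dpd_timeout). Names are this example's own.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RetransmitPolicy:
    """charon.retransmit_* from strongswan.conf (strongSwan defaults shown)."""
    timeout: float = 4.0   # retransmit_timeout: seconds before the first retransmit
    base: float = 1.8      # retransmit_base: multiplier applied to each further wait
    tries: int = 5         # retransmit_tries: retransmits sent before giving up

    def schedule(self):
        """Seconds after the first send at which each retransmit goes out.

        Wait number n is timeout * base**n, so retransmit n is sent at the
        cumulative sum of the waits before it.
        """
        sent_at, elapsed = [], 0.0
        for n in range(self.tries):
            elapsed += self.timeout * self.base ** n
            sent_at.append(round(elapsed, 2))
        return sent_at

    def give_up_after(self):
        """Seconds after the first send until the exchange is declared failed.

        One more full wait elapses after the last retransmit before charon
        gives up, hence tries + 1 waits in total (about 165 s with defaults).
        """
        return round(sum(self.timeout * self.base ** n
                         for n in range(self.tries + 1)), 2)


def ikev2_detection_time(dpd_delay, policy=RetransmitPolicy()):
    """IKEv2 in strongSwan: dpd_timeout is ignored; a liveness check is an
    ordinary INFORMATIONAL exchange, so detection = dpd_delay + give-up time.

    Worst case: the peer dies right after answering a check, so the next
    check only goes out dpd_delay seconds later.
    """
    return round(dpd_delay + policy.give_up_after(), 2)


def ikev1_detection_time(dpd_delay, dpd_timeout):
    """IKEv1 (approximation): R-U-THERE every dpd_delay; the SA is deleted
    once dpd_timeout seconds pass with no R-U-THERE-ACK."""
    return round(dpd_delay + dpd_timeout, 2)


def meets_failover_target(detection_time, target):
    """True when the SA is torn down (so the DPD action can fire) within
    the failover budget in seconds."""
    return detection_time <= target


if __name__ == "__main__":
    defaults = RetransmitPolicy()
    print("IKEv2 retransmits at", defaults.schedule(), "s; gives up at",
          defaults.give_up_after(), "s")
    # Workaround 3 as written (dpd_delay=10s, dpd_timeout=30s):
    print("IKEv1 worst case:", ikev1_detection_time(10, 30), "s")
    print("IKEv2 worst case (dpd_timeout ignored):", ikev2_detection_time(10), "s")
    # To get IKEv2 detection under 30 s the retransmit schedule itself must shrink:
    fast = RetransmitPolicy(timeout=2.0, base=1.5, tries=3)
    print("IKEv2 with tighter retransmits:", ikev2_detection_time(10, fast), "s")
    # Dead end 1: a 300 s timeout on IKEv1 leaves the tunnel stale for 330 s:
    print("IKEv1 with 300 s timeout:", ikev1_detection_time(30, 300), "s")
```

With the defaults an IKEv2 peer is only declared dead about 175 s after it stops answering, whatever `dpd_timeout` says; the tighter policy in the script brings that to about 26 s, at the cost of more false positives on a lossy link. Tighten `retransmit_*` only in step with what the path can actually tolerate.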

## Dead Ends

- **Increasing DPD timeout to a very high value (e.g., 300 seconds) to suppress the error** — This only masks the problem: if the peer is truly down, the tunnel stays stale for the full interval before the DPD action can fire, so failover or re-initiation is delayed by the same amount. On strongSwan with IKEv2 the value is ignored anyway (the retransmission settings govern), so the error recurs unchanged. (75% fail)
- **Restarting the IPsec service without checking network connectivity** — The root cause (e.g., firewall blocking UDP 500/4500, NAT traversal issue, or peer crash) is not addressed, so the timeout reoccurs shortly after restart. (80% fail)
- **Disabling DPD entirely** — Without DPD the local SA outlives a dead peer until its lifetime expires: traffic keeps being encrypted into an SA nobody decrypts (blackholing), the configured failover action never triggers, and a peer that rebooted with no state will discard the ESP until the stale SA is finally replaced. Stale keys also linger in the kernel for the whole lifetime. (90% fail)
