IPsec: Dead Peer Detection (DPD) timeout for peer 203.0.113.10, deleting SA
ID: networking/ipsec-dpd-timeout
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| strongSwan 5.9-6.0 | active | — | — | — |
| Libreswan 4.10-5.0 | active | — | — | — |
| Cisco ASA 9.16-9.20 | active | — | — | — |
| pfSense 2.7-2.8 | active | — | — | — |
| AWS VPN 2024 | active | — | — | — |
Root cause analysis
The IPsec endpoint did not receive DPD keepalive responses from the remote peer within the configured timeout interval. This indicates that the peer is unreachable or the tunnel is broken, so the security association (SA) is torn down.
Official documentation
https://docs.strongswan.org/docs/5.9/config/dpd.html
Solution
- Check connectivity to the peer: run `ping 203.0.113.10` and `traceroute 203.0.113.10` to confirm the network path. Then verify that firewall rules allow UDP 500 and 4500. On strongSwan, run `ipsec statusall` (or `swanctl --list-sas` on the swanctl interface) to see the SA state.
- Restart the IPsec service after ensuring connectivity: on strongSwan, `systemctl restart strongswan-starter` (the swanctl-based unit is `strongswan`); on Cisco ASA, `clear crypto ipsec sa peer 203.0.113.10`.
- Adjust DPD settings: on strongSwan, set `dpddelay=10s` and `dpdtimeout=30s` in ipsec.conf (`dpd_delay` and `dpd_timeout` in swanctl.conf) to detect failures faster; note that the DPD timeout value applies to IKEv1 only, while for IKEv2 the effective timeout is derived from the retransmission settings. On Cisco IOS, use `crypto isakmp keepalive 10 3`.
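Before restarting anything, it helps to know whether a peer is flapping (repeated DPD timeouts, typical of a lossy path or NAT-T problem) or simply went down once. The script below is an added example, not part of this page or of any vendor's tooling: it parses constructed syslog lines carrying the message above and flags peers that hit a threshold of DPD timeouts within a sliding window. The syslog prefix format, the year and the thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the page's log message behind an assumed "Mon DD HH:MM:SS host prog:" syslog prefix.
DPD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+: "
    r"IPsec: Dead Peer Detection \(DPD\) timeout for peer (?P<peer>[\d.]+), deleting SA$"
)

# Constructed sample log lines (not real captures); one unrelated line is included on purpose.
SAMPLE_LOG = [
    "Jan 12 10:15:32 vpn-gw charon: IPsec: Dead Peer Detection (DPD) timeout for peer 203.0.113.10, deleting SA",
    "Jan 12 10:16:01 vpn-gw charon: IPsec: IKE_SA established with peer 203.0.113.10",
    "Jan 12 10:18:05 vpn-gw charon: IPsec: Dead Peer Detection (DPD) timeout for peer 203.0.113.10, deleting SA",
    "Jan 12 10:19:44 vpn-gw charon: IPsec: Dead Peer Detection (DPD) timeout for peer 198.51.100.7, deleting SA",
    "Jan 12 10:21:40 vpn-gw charon: IPsec: Dead Peer Detection (DPD) timeout for peer 203.0.113.10, deleting SA",
]


def parse_dpd_events(lines, year=2024):
    """Return a list of (timestamp, peer) for every DPD-timeout line.

    Syslog timestamps carry no year, so the year is an assumption supplied by the caller.
    """
    events = []
    for line in lines:
        m = DPD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["peer"]))
    return events


def flapping_peers(events, window=timedelta(minutes=10), threshold=3):
    """Return {peer: max timeouts seen inside one window} for peers at or above the threshold.

    A peer that times out once is probably down; a peer that keeps timing out and
    re-establishing points at the path or firewall, not at the DPD settings.
    """
    recent = defaultdict(deque)  # per-peer timestamps still inside the window
    flagged = {}
    for ts, peer in sorted(events):
        q = recent[peer]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[peer] = max(flagged.get(peer, 0), len(q))
    return flagged


if __name__ == "__main__":
    for peer, count in flapping_peers(parse_dpd_events(SAMPLE_LOG)).items():
        print(f"peer {peer}: {count} DPD timeouts within 10 minutes, check path/firewall before tuning DPD")
```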
Ineffective attempts
Common but ineffective approaches:
- Increasing the DPD timeout to a very high value (e.g., 300 seconds) to suppress the error (failure rate: 75%). This only masks the problem: if the peer is truly down, the tunnel stays stale for longer and failover or reconnection is delayed.
- Restarting the IPsec service without checking network connectivity (failure rate: 80%). The root cause (e.g., a firewall blocking UDP 500/4500, a NAT traversal issue, or a peer crash) is not addressed, so the timeout reoccurs shortly after the restart.
- Disabling DPD entirely (failure rate: 90%). Without DPD, the tunnel may appear up while the peer is dead, blackholing traffic; this is both a security and a reliability risk.