Home > Networking > Troubleshooting > How it works of DPD (Dead peer detection) in ipsec VPN and Troubleshooting

How it works of DPD (Dead peer detection) in ipsec VPN and Troubleshooting

By /

I’m troubleshooting an unstable IPsec VPN where one peer is behind NAT, using UDP 500/4500, with issues like random firewall packet drops (due to UDP flood protection) and bandwidth exceedance. Here’s a detailed breakdown of how Dead Peer Detection (DPD) works and how to address these issues.

How Dead Peer Detection (DPD) Works

DPD (RFC 3706) monitors IPsec VPN peer availability to maintain tunnel stability. It operates within the IKE control channel, not the data tunnel, and uses specific IKE packets.

  • Mechanism:
    • DPD sends encrypted IKE informational messages (“R-U-THERE”) over UDP 4500 (with NAT-T enabled) to check if the remote peer is alive.
    • The remote peer responds with “R-U-THERE-ACK”. If no ACK is received after retries, the peer is declared dead, and the tunnel may be torn down or restarted.
    • Example: Core router (Peer A, 198.51.100.1:4500) sends R-U-THERE to remote peer (Peer B, 203.0.113.10:4500, NAT’s public IP).
  • No ICMP Pings:
    • DPD uses IKE packets, not ICMP pings to the remote client’s IP (e.g., 192.168.1.2 or subnet 10.2.0.10). Pings are unreliable due to firewall/NAT blocks.
  • Modes:
    • Periodic DPD: Sends R-U-THERE at fixed intervals (e.g., every 60s).
    • On-Demand DPD: Sends only when needed (e.g., no recent traffic), common in IKEv2.
  • NAT-T Context:
    • DPD uses UDP 4500 when NAT is detected, helping maintain NAT mappings (similar to NAT keepalives).

Do Both Peers Need to Send DPD?

  • Not required. One peer sending R-U-THERE and the other responding with ACK is sufficient.
  • Example: Core router initiates DPD; remote peer (behind NAT) responds. Both peers sending DPD is possible with periodic settings but not mandatory.
  • Most devices (Cisco, strongSwan) respond to DPD by default, even if not initiating.

Firewall Dropping DPD Packets (UDP Flood Protection)

Random packet drops due to firewall UDP flood protection can destabilize the VPN by blocking DPD messages.

  • Why It Happens:
    • Firewalls (e.g., Cisco ASA, Fortinet) drop UDP 4500 packets if they exceed flood thresholds (e.g., 1000 packets/s), mistaking DPD for DoS traffic.
    • Drops prevent R-U-THERE/ACK exchange, causing the tunnel to flap (terminate/re-establish).
  • Impact:
    • Missed DPD packets lead to false “dead peer” detections, dropping IKE/IPsec SAs.
    • NAT timeouts (e.g., 30s on consumer devices) exacerbate issues if DPD fails to keep mappings alive.

Fixes:

  1. Check Drops:
    • Packet capture: tcpdump -i eth0 udp port 4500 -v to verify DPD packets.
    • Firewall logs: Cisco ASA (show logging | include 4500), Fortinet (diagnose debug flow filter port 4500).
  2. Adjust Flood Protection:
    • Increase threshold: Cisco ASA (threat-detection rate udp-intercept rate-interval 3600 average-rate 4000 burst-rate 8000).
    • Whitelist peers: Cisco (access-list bypass-threat permit udp host 198.51.100.1 host 203.0.113.10 eq 4500; class-map bypass-threat; match access-list bypass-threat; policy-map global_policy; class bypass-threat; set connection threat-detection off).
  3. Reduce DPD Frequency:
    • Use on-demand DPD or longer intervals: Cisco (crypto isakmp keepalive 60 10 on-demand), strongSwan (dpddelay=60s, dpdtimeout=180s).
  4. Static NAT:
    • On Peer B’s NAT device, forward UDP 4500 (203.0.113.10:4500 → 192.168.1.2:4500) to avoid dynamic port issues.
  5. Disable ALGs:
    • Turn off IKE/IPsec Application Layer Gateways on firewalls/NAT devices.

Bandwidth Exceedance and VPN Instability

High bandwidth usage can drop DPD and ESP-in-UDP packets, causing disconnections.

  • Why It Happens:
    • Congested WAN links prioritize traffic, dropping UDP 4500 packets (no retransmission unlike TCP).
    • Firewalls under load enforce stricter flood protection, targeting DPD packets.
  • Impact:
    • Dropped DPD packets trigger tunnel flaps.
    • ESP data traffic drops reduce throughput.

Fixes:

  1. Monitor Bandwidth:
    • Check usage: show interface (Cisco), nload (Linux).
  2. Apply QoS:
    • On router: Cisco (access-list 101 permit udp any any eq 4500; class-map vpn; match access-list 101; policy-map vpn-qos; class vpn; priority percent 10; service-policy output vpn-qos interface <wan>).
    • On firewall (if possible): Cisco ASA (access-list vpn permit udp any any eq 4500; class-map vpn-class; match access-list vpn; policy-map global_policy; class vpn-class; set connection priority-queue).
  3. Limit Tunnel Traffic:
    • Use precise selectors: Cisco (crypto map MYMAP 10 match address <acl_subnets>).
  4. Increase Bandwidth:
    • Upgrade WAN link or use SD-WAN for load balancing.
  5. Tolerate Drops:
    • Increase DPD timeout/retries: Cisco (crypto isakmp keepalive 90 15 retry 3).

QoS Challenges with Firewall-Generated DPD Packets

If the firewall generates DPD packets and you can’t apply QoS directly, it limits control over prioritization.

  • Problem:
    • Firewalls (e.g., Cisco ASA) treat DPD as internal traffic, not exposed to QoS policies.
    • Congestion drops DPD packets, triggering instability.
  • Workarounds:
    1. QoS on Router:
      • Prioritize UDP 4500 upstream/downstream: Cisco example above.
    2. Firewall Tuning:
      • Cisco ASA: Use MPF to prioritize UDP 4500 (see above).
      • Fortinet: Apply shaper (config firewall shaper per-ip-shaper; edit “vpn-udp4500”; set max-bandwidth 1000; set priority high).
    3. Reduce DPD Overhead:
      • Use on-demand DPD: Cisco (crypto isakmp keepalive 60 on-demand).
    4. Alternative Keepalives:
      • Use GRE/IPsec keepalives: Cisco (interface tunnel0; keepalive 10 3).
    5. Vendor Support:
      • Contact firewall vendor for DPD-specific QoS options or firmware updates.

Comprehensive Troubleshooting Steps

  1. Verify DPD:
    • Logs: Cisco (show logging | include DPD), strongSwan (tail -f /var/log/strongswan.log | grep DPD).
    • Status: Cisco (show crypto ikev2 sa detail), strongSwan (swanctl -l).
  2. Mitigate Drops:
    • Whitelist UDP 4500 in flood protection.
    • Test: tcpdump -i eth0 udp port 4500.
  3. Address Bandwidth:
    • Monitor: nload -i <wan_interface>.
    • Apply QoS or reduce traffic.
  4. Optimize DPD:
    • Cisco: crypto isakmp keepalive 60 on-demand.
    • strongSwan: dpddelay=60s, dpdtimeout=180s.
  5. NAT Stability:
    • Static port forwarding for UDP 4500.
    • Increase timeout: ip nat translation udp-timeout 300.
  6. MTU/Fragmentation:
    • Set MTU: interface <wan>; mtu 1400.
    • MSS clamping: iptables -t mangle -A FORWARD -p tcp –tcp-flags SYN,RST SYN -j TCPMSS –clamp-mss-to-pmtu.

Example Configurations

Cisco (Core Router):

plaintext

crypto isakmp keepalive 60 10 on-demand
crypto ikev2 dpd 60 3

strongSwan (Remote Peer):

plaintext

conn my-vpn
    dpdaction=restart
    dpddelay=60s
    dpdtimeout=180s

Key Points

  • DPD uses UDP 4500 (NAT-T), not ICMP pings; one peer initiating is enough.
  • Firewall UDP flood protection drops DPD packets, causing flaps—whitelist UDP 4500.
  • Bandwidth congestion drops UDP 4500, destabilizing VPN—apply QoS on router/firewall.
  • If firewall locks DPD packets, use upstream QoS or reduce DPD frequency.
  • Optimize DPD, NAT, and MTU for stability.

If you have specific firewall models, logs, or configs, I can refine this further. Share your thoughts or issues below!

Related posts:

  1. How I Fixed the “XML Declaration Allowed Only at the Start of the Document” Error in Yoast SEO Sitemap
  2. What you should know about ipsec vpn?
  3. Deep into Dead peer detection and NAT-T of ipsec VPN
  4. Unannounced Bugs in FortiGate 7.4.7 (FortiGate 121G): Proxy Chain Issues, Config Restore Problems, and More

Powered by YARPP.

Leave a Comment