1. Symptoms

A remote branch office could not reach the file server at headquarters; connections timed out. On checking the FortiGate, the following abnormal state was found:

[Figure: tunnel]

[Figure: DPD_02]

DPD (Dead Peer Detection, RFC 3706) is IKE's liveness check: a peer that wants to confirm the other side is alive sends a DPD notify (R-U-THERE in IKEv1) and tears down the IKE and IPsec SAs once the configured number of probes goes unanswered. When probes are lost for any reason other than a genuinely dead peer, the tunnel is torn down anyway and may keep flapping or fail to re-establish. Common causes are latency or packet loss on the path, DPD or phase 1 settings that differ between the two ends, an intermediate firewall dropping IKE (UDP 500, or UDP 4500 with NAT-T), and device faults or software bugs.

2. Troubleshooting

Diagnose output 1: diagnose vpn ike gateway list

# Tunnel establishment state
vd: root/0
name: LINK-1
version: 1
interface: port1 17
addr: XXX.XX5.20.125:500 -> XXX.XX.7.212:500
created: 13s ago
IKE SA: created 1/1   # an IKE SA was created but never reached "established"
IPsec SA: created 0/0 # no phase 2 SA at all, so the tunnel is down
 
  id/spi: 979 5f71b12957ba972d/0000000000000000
  direction: responder
  status: connecting, state 3, started 13s ago

The all-zero second half of the SPI pair and the status "connecting" confirm that phase 1 never completed; this side is sitting as responder waiting for the peer.


Diagnose output 2: diagnose vpn tunnel list. The dpd line is the one to look at: mode=on-demand with idle=20000ms and retry=3 means probes are sent only when this side has traffic to send but receives nothing back, and the peer is declared dead only after three unanswered probes 20 s apart.

list all ipsec tunnel in vd 0
------------------------------------------------------
name=LINK-1 ver=1 serial=1 xxx.xxx.20.125:0->xxx.xxx.7.212:0 dst_mtu=1462
bound_if=17 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc  run_state=0 accept_traffic=0 overlay_id=0
 
proxyid_num=1 child_num=0 refcnt=10 ilast=32 olast=32 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=9
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=LINK-1 proto=0 sa=0 ref=1 serial=1
  src: 0:172.31.1.0/255.255.255.0:0
  dst: 0:172.28.1.0/255.255.255.0:0
run_tally=1

Change the DPD mode

[Figure: unable to access_03]

In phase 1, set the DPD mode to on-idle: probes are sent whenever the tunnel has been idle for the retry interval, and stop only while traffic is flowing in both directions. Unlike on-demand, which probes only when this side is sending and getting nothing back, on-idle notices a dead peer even on a quiet tunnel, so the failure is detected quickly and traffic can switch to the other tunnel. With dpd-retryinterval 10 and dpd-retrycount 5, a peer is declared dead after roughly 50 s of unanswered probes, against about 60 s (20 s x 3) with the values seen above. The full CLI context is config vpn ipsec phase1-interface:

config vpn ipsec phase1-interface
    edit "LINK-1"
        set dpd on-idle
        set dpd-retrycount 5
        set dpd-retryinterval 10
    next
end

3. Verification

The tunnel to the peer came up and ping tests succeed. diagnose vpn ike gateway list now shows both the IKE SA and the IPsec SA established, this side acting as initiator, and the DPD sent/recv counters (hex) increasing, which confirms that probes are being answered:

vd: root/0
name: LINK-1
version: 1
interface: port1 17
addr: xxx.xxx.20.125:500 -> xxx.xxx.7.212:500
created: 6038s ago
IKE SA: created 1/1  established 1/1  time 20/20/20 ms
IPsec SA: created 1/1  established 1/1  time 30/30/30 ms
 
  id/spi: 1076 af9ee4cb0f6896a6/7dfa8ab9dc096c17
  direction: initiator
  status: established 6038-6038s ago = 20ms
  proposal: aes128-sha256
  key: b8d714192d7aeafd-0a4e4b744c22121d
  lifetime/rekey: 86400/80061
  DPD sent/recv: 00000127/000001ea
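To automate the checks made in sections 2 and 3, the following script (an added example written for this article, not FortiGate or Fortinet code) parses diagnose vpn ike gateway list and diagnose vpn tunnel list output, reports tunnels whose IKE SA is created but not established or whose IPsec SA count is 0/0, decodes the hex DPD sent/recv counters, and flags a DPD mode of on-demand or a dead-peer detection window (dpd-retryinterval x dpd-retrycount) longer than a threshold. The sample outputs embedded in it are constructed from the listings above with documentation addresses; the TUNNEL_AFTER dpd line for the repaired tunnel is an assumption, since the article does not show it.

```python
"""Parse FortiGate `diagnose vpn ike gateway list` / `diagnose vpn tunnel list` output
and flag tunnels that are down or have weak DPD settings (added example, not Fortinet code)."""
import re
from dataclasses import dataclass

# Constructed samples shaped like the article's listings (SA counts, DPD settings and
# DPD counters as shown there; the documentation addresses 192.0.2.x/198.51.100.x are mine).
GATEWAY_BEFORE = """\
vd: root/0
name: LINK-1
IKE SA: created 1/1
IPsec SA: created 0/0
  status: connecting, state 3, started 13s ago
"""
TUNNEL_BEFORE = """\
name=LINK-1 ver=1 serial=1 192.0.2.125:0->198.51.100.212:0 dst_mtu=1462
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=9
"""
GATEWAY_AFTER = """\
vd: root/0
name: LINK-1
IKE SA: created 1/1  established 1/1  time 20/20/20 ms
IPsec SA: created 1/1  established 1/1  time 30/30/30 ms
  status: established 6038-6038s ago = 20ms
  DPD sent/recv: 00000127/000001ea
"""
# dpd line as expected after the fix (constructed; the article does not show it).
TUNNEL_AFTER = """\
name=LINK-1 ver=1 serial=1 192.0.2.125:0->198.51.100.212:0 dst_mtu=1462
dpd: mode=on-idle on=1 idle=10000ms retry=5 count=0 seqno=295
"""

@dataclass
class IkeGateway:
    name: str
    status: str             # "connecting" or "established"
    ipsec_established: int  # 0 when the "established" field is absent
    dpd_sent: int           # DPD counters are printed in hex
    dpd_recv: int

@dataclass
class DpdSetting:
    mode: str          # on-idle / on-demand / disable
    interval_s: float  # idle=...ms, i.e. dpd-retryinterval
    retries: int       # dpd-retrycount

def _blocks(text: str, marker: str) -> list:
    # Split multi-tunnel output into blocks, each starting with a `marker` line.
    out, cur = [], []
    for line in text.splitlines():
        if line.startswith(marker) and cur:
            out.append("\n".join(cur))
            cur = []
        cur.append(line)
    return out + ["\n".join(cur)] if cur else out

_SA_RE = re.compile(r"^IPsec SA: created \d+/\d+(?:\s+established (\d+)/\d+)?", re.M)
_DPD_RE = re.compile(r"^dpd: mode=(\S+) on=\d+ idle=(\d+)ms retry=(\d+)", re.M)

def parse_ike_gateways(text: str) -> list:
    gws = []
    for block in _blocks(text, "vd:"):
        name = re.search(r"^name: (\S+)", block, re.M)
        if not name:
            continue  # header text before the first gateway
        sa = _SA_RE.search(block)
        status = re.search(r"^\s*status: (\w+)", block, re.M)
        dpd = re.search(r"^\s*DPD sent/recv: ([0-9a-f]+)/([0-9a-f]+)", block, re.M | re.I)
        sent, recv = dpd.groups() if dpd else ("0", "0")
        gws.append(IkeGateway(name.group(1), status.group(1) if status else "unknown",
                              int(sa.group(1) or 0) if sa else 0, int(sent, 16), int(recv, 16)))
    return gws

def parse_tunnel_dpd(text: str) -> dict:
    settings = {}
    for block in _blocks(text, "name="):
        name, dpd = re.match(r"name=(\S+)", block), _DPD_RE.search(block)
        if name and dpd:  # header lines before the first name= have neither
            settings[name.group(1)] = DpdSetting(
                dpd.group(1), int(dpd.group(2)) / 1000, int(dpd.group(3)))
    return settings

def assess(gws: list, dpd: dict, max_window_s: float = 60.0) -> list:
    """One finding per problem; an empty list means every tunnel looks healthy."""
    findings = []
    for gw in gws:
        if gw.status != "established" or gw.ipsec_established == 0:
            findings.append(f"{gw.name}: status={gw.status}, established IPsec SAs="
                            f"{gw.ipsec_established}; tunnel is down")
        elif gw.dpd_sent and not gw.dpd_recv:
            findings.append(f"{gw.name}: {gw.dpd_sent} DPD probes sent, none answered")
        s = dpd.get(gw.name)
        if s and s.mode == "on-demand":
            findings.append(f"{gw.name}: dpd on-demand only probes while traffic is sent "
                            "and nothing comes back; an idle tunnel is never probed")
        if s and s.interval_s * s.retries > max_window_s:  # worst case: every probe times out
            findings.append(f"{gw.name}: dead-peer window {s.retries} x {s.interval_s:.0f}s "
                            f"exceeds {max_window_s:.0f}s")
    return findings

if __name__ == "__main__":
    for g, t in (GATEWAY_BEFORE, TUNNEL_BEFORE), (GATEWAY_AFTER, TUNNEL_AFTER):
        print(assess(parse_ike_gateways(g), parse_tunnel_dpd(t)) or "OK")
```

Paste real output into the two string constants or read it from a file. Run on the article's before and after listings, the script reports the down tunnel and the on-demand mode for the first and "OK" for the second; lowering max_window_s to 30 also flags the 50 s window that 5 x 10 s leaves, which is the trade-off to weigh against false positives on a lossy path.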