
IPsec Dead Peer Detection do not take the needed value as " Wait for Response up To "

Hello Sophos Nerds,

Kindly, I'm trying to make dead peer detection wait up to 86395 (approx. 24 hours), but a message "could not be updated" appears.

Anyone have a suggestion?

Best Regards



  • Hi,

    Could you please share the configuration screenshots of the IPsec policy in which you are facing the issue? I can try to replicate on our end to verify the issue further.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support
    Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

  • Hi Keyur,

    I just added it above.
    I need to make the dead peer detection try up to 24 hours (86395).

    It accepts values up to 999 seconds, while the hint says that it must be between 315 and 86395.

    Thanks

  • Hi,

    Could you please confirm: if you change the value in the "Check Peer after every" option, what message value are you getting in "wait for a response up to"?

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • Hi Keyur,

    I changed the "Check peer after every" value to the max, min and random values.

    It still shows the same message "VPN policy could not be updated" if I put a value of more than 9999 seconds.

  • Hi Suliman,

    Could you please try restarting the VPN service?

    Please log in to the CLI SSH console of the Sophos XG firewall.

    Select 5. Device Management >> 3. Advanced Shell

    Please execute the commands given below.

    service strongswan:status -ds nosync

    service strongswan:restart -ds nosync

    Please check, and if you face the issue afterward, please contact technical support and raise a service request.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • Actually, I can reproduce this. But I have to ask, is this value not way too high?

    https://tools.ietf.org/html/rfc3706

    dpdaction = none | clear | hold | restart

    controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where R_U_THERE notification messages
    (IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the
    IPsec peer. The values clear, hold, and restart all activate DPD and determine the action to perform on a timeout.
    With clear the connection is closed with no further actions taken. hold installs a trap policy, which will catch
    matching traffic and tries to re-negotiate the connection on demand. restart will immediately trigger an attempt
    to re-negotiate the connection. The default is none which disables the active sending of DPD messages.

    dpddelay = 30s | <time>

    defines the period time interval with which R_U_THERE messages/INFORMATIONAL exchanges are sent to the peer.
    These are only sent if no other traffic is received. In IKEv2, a value of 0 sends no additional INFORMATIONAL
    messages and uses only standard messages (such as those to rekey) to detect dead peers.

    dpdtimeout = 150s | <time>

    defines the timeout interval, after which all connections to a peer are deleted in case of inactivity.
    This only applies to IKEv1, in IKEv2 the default retransmission timeout applies, as every exchange is used to
    detect dead peers.

    __________________________________________________________________________________________________________________

  • Hi,

    I do not recommend you hold open the VPN connection for 24 hours. This also would not be possible if your phase 1 and phase 2 sections of the policy have a shorter time limit than the DPD settings.

    Thanks.

    KingChris
    Community Support | Sophos Support

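As an added illustration of the two points above (the strongSwan `dpd*` options quoted from the ipsec.conf documentation, and KingChris's note that the DPD wait must be shorter than the phase 1 and phase 2 lifetimes), here is a strongSwan `ipsec.conf` fragment. This is example configuration written for this thread, not Sophos' own generated config; the connection name, addresses and subnets are placeholders, and the lifetimes are assumed values chosen to show the relationship.

```ini
# Added example: two IKEv1 site-to-site definitions that differ only in their DPD timing.
# Placeholders: left/right addresses and subnets are made up for illustration.

# Problematic: dpdtimeout (the "wait for a response up to" value) is 86395s, which is
# longer than both the IKE SA lifetime (8h = 28800s) and the CHILD SA lifetime (1h = 3600s).
# The SAs will expire or rekey long before DPD ever declares the peer dead, so the long
# wait buys nothing and a genuinely dead peer goes unnoticed for the whole lifetime.
conn site-to-site-long-dpd
    keyexchange=ikev1
    left=203.0.113.10            # placeholder local gateway
    leftsubnet=10.10.0.0/24
    right=198.51.100.20          # placeholder remote gateway
    rightsubnet=10.20.0.0/24
    ikelifetime=8h               # phase 1 lifetime (assumed)
    lifetime=1h                  # phase 2 lifetime (assumed)
    dpdaction=restart
    dpddelay=30s                 # "Check peer after every"
    dpdtimeout=86395s            # "Wait for response up to" -> exceeds both lifetimes
    auto=start

# Corrected: keep the DPD probe interval and timeout well below both lifetimes, so a
# dead peer is detected within minutes and the tunnel is re-negotiated (dpdaction=restart)
# without waiting for the SA to age out.
conn site-to-site-sane-dpd
    keyexchange=ikev1
    left=203.0.113.10
    leftsubnet=10.10.0.0/24
    right=198.51.100.20
    rightsubnet=10.20.0.0/24
    ikelifetime=8h
    lifetime=1h
    dpdaction=restart
    dpddelay=30s                 # probe every 30s when no other traffic is seen
    dpdtimeout=150s              # give up after 150s of silence (strongSwan default)
    auto=start
```

Note that `dpdtimeout` only matters for IKEv1; with `keyexchange=ikev2`, as the quoted documentation states, the IKEv2 retransmission timeout governs dead-peer detection and the value is ignored.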
