Racoon: INFO: DPD: remote seems to be dead
-
I changed the topic of this thread (http://forum.pfsense.org/index.php/topic,33389.0.html) to make it more related to the problem.
I already updated to the latest snapshot (2.0-RC1 (i386) built on Wed Mar 16 17:04:38 EDT 2011) and although the problem of FQDN specified on Remote Gateway is fixed, this one is still here.
It is not that critical, as the problem only happens when pfSense "responds" to new phase negotiations from remote sites.
If my pfSense "initiates" new phase negotiations, then the VPN links are alright. And the keep-alive in the latest snapshot does work in this case, re-establishing the links by initiating the negotiation.
Or if I disable DPD in the VPN settings, then everything seems alright too.
But this "DPD remote seems to be dead" bug is still bothering me.
-Raylund
-
It may be an issue with the DPD settings on the remote side; it may not support DPD, or it may not be negotiating for it when it initiates.
-
Ha! Jimp, you gave me a clue.
I find that 4 out of my 11 VPN links that have the problem may be due to an option in SonicWall.
All 4 of them (and the other SonicWalls too) have "Enable IKE Dead Peer Detection" enabled, with the 60/3 setting by default. But the firmware on these 4 SonicWalls has a sub-option, "Enable Dead Peer Detection for Idle vpn sessions", which is not enabled by default.
Do you, or does anybody, know whether this may be the culprit?
In the SonicWall documentation, it says "Unless your SonicWALL has a lot of remote sites and you’ve been advised to use this function, please do not enable it". I'm reluctant to enable it as there are a lot of VPN links on these SonicWalls, not just mine.
-Raylund