A solution for dead VPN tunnels that won't restart on their own is to implement Dead Peer Detection (DPD). When the USG marks a peer as dead, it removes the Phase 1 security association (SA) and all Phase 2 SAs for that peer; DPD then attempts to rebuild the tunnel rather than trying to revive the dead peer.
Note: A config.gateway.json file will be needed for this implementation. Read this article to learn how to create one.
If you suspect you have a dead peer, SSH into the USG and run the command show vpn ipsec sa. If you are indeed dealing with a dead peer, its tunnel will be listed as "down". (Need help connecting via SSH? Read our article on the subject.)
To implement Dead Peer Detection follow these steps:
1. Begin by accessing the USG through SSH.
2. Run the following commands. The set commands only work in configuration mode, and the change must be committed before the configuration is dumped; replace <ike group> with the name of your IKE group:
configure
set vpn ipsec ike-group <ike group> dead-peer-detection action restart
set vpn ipsec ike-group <ike group> dead-peer-detection interval 30
set vpn ipsec ike-group <ike group> dead-peer-detection timeout 120
commit
exit
mca-ctrl -t dump-cfg
3. The dump output is JSON, and the new dead-peer-detection settings will appear under the vpn section in the format config.gateway.json expects. Copy that vpn portion into the config.gateway.json file you created earlier on your UniFi Controller. Refer to the config.gateway.json article for more information.
Note: when using a Cloud Key, create the file in /srv/unifi/data/sites/(siteID)/config.gateway.json. If the controller is running on Windows or Linux, this article explains where to save the file.
4. The settings in the file are applied on the next Provision (double check the file for JSON errors before provisioning!). Read this article on how to trigger a Provision.
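As an added example (not code from the article or from Ubiquiti), a small Python helper that translates the set commands above into the nested JSON shape config.gateway.json uses, merges the result into an existing file's contents, and sanity-checks the DPD block before you provision. The IKE group name FOO0 and the existing-config values are constructed placeholders.

```python
import copy
import json

# Constructed sample: the DPD commands from the article, with the
# hypothetical IKE group name "FOO0" standing in for <ike group>.
SET_COMMANDS = [
    "set vpn ipsec ike-group FOO0 dead-peer-detection action restart",
    "set vpn ipsec ike-group FOO0 dead-peer-detection interval 30",
    "set vpn ipsec ike-group FOO0 dead-peer-detection timeout 120",
]


def set_to_tree(command):
    """Turn one 'set a b c value' line into the nested dict {a: {b: {c: value}}}.
    Leaf values stay strings, which is how the dumped config represents them."""
    parts = command.split()
    if len(parts) < 3 or parts[0] != "set":
        raise ValueError("not a set command: %r" % command)
    *path, value = parts[1:]
    tree = value
    for key in reversed(path):
        tree = {key: tree}
    return tree


def deep_merge(base, new):
    """Recursively merge 'new' into 'base'; a later leaf overrides an earlier one."""
    for key, val in new.items():
        if isinstance(val, dict) and isinstance(base.get(key), dict):
            deep_merge(base[key], val)
        else:
            base[key] = val
    return base


def build_gateway_config(commands, existing=None):
    """Merge the set commands into a copy of an existing config.gateway.json dict."""
    cfg = copy.deepcopy(existing) if existing else {}
    for cmd in commands:
        deep_merge(cfg, set_to_tree(cmd))
    return cfg


def validate_dpd(cfg, ike_group):
    """True if the IKE group carries a complete, sane dead-peer-detection block:
    action restart, numeric interval and timeout, and timeout longer than interval."""
    ike = cfg.get("vpn", {}).get("ipsec", {}).get("ike-group", {}).get(ike_group, {})
    dpd = ike.get("dead-peer-detection", {})
    if not {"action", "interval", "timeout"} <= set(dpd):
        return False
    if dpd["action"] != "restart":
        return False
    if not (dpd["interval"].isdigit() and dpd["timeout"].isdigit()):
        return False
    return int(dpd["timeout"]) > int(dpd["interval"])


if __name__ == "__main__":
    config = build_gateway_config(SET_COMMANDS)
    text = json.dumps(config, indent=2)
    json.loads(text)  # round trip: the file parses as JSON before it is provisioned
    print(text)
```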