This article includes steps on how to implement Dead Peer Detection, which can be a solution for dead VPN tunnels that won't restart on their own.
NOTES & REQUIREMENTS: This article covers advanced configuration, using the config.gateway.json file, and should only be performed by advanced users. Read how to create the config.gateway.json in this article before you begin.
Dead Peer Detection is done automatically for Auto VPNs starting with UniFi Network Controller version 5.7.8. Some users might still need to follow these steps for manual IPsec VPN.
A solution for dead VPN tunnels that won't restart on their own is implementing DPD (Dead Peer Detection). When the UniFi Security Gateway (USG or USG-PRO-4) changes the status of a peer device to be dead, the device removes the Phase 1 security association (SA) and all Phase 2 SAs for that peer. DPD will attempt to recreate the tunnel rather than trying to revive the dead peer.
Steps: How to Implement DPD
A config.gateway.json file will be needed for this implementation. Read this article to learn how to create one. If you suspect you have a dead peer, you can SSH into the USG and run the command show vpn ipsec sa. If you are indeed dealing with a dead peer, it will appear as being "down". (Need help connecting via SSH? Read this article on the subject.)
To implement Dead Peer Detection follow these steps:
1. Begin by accessing the USG through SSH.
2. Run the following commands:
set vpn ipsec ike-group <ike group> dead-peer-detection action restart
set vpn ipsec ike-group <ike group> dead-peer-detection interval 30
set vpn ipsec ike-group <ike group> dead-peer-detection timeout 120
mca-ctrl -t dump-cfg
| User Tip: To find the <ike group> name, either use the
3. The output of mca-ctrl -t dump-cfg shows the VPN portion in the JSON format that config.gateway.json uses. Copy and paste that output into a previously created config.gateway.json file on your UniFi Network Controller. Refer to the config.gateway.json article for more information. When using a Cloud Key, create the file in /srv/unifi/data/sites/(siteID)/config.gateway.json. If the controller is running on Windows or Linux, this article explains where to save the file.