Dead Peer Detection issues in IP VPN gateway
  • When the Dead Peer Detection option is enabled in the Nokia IP VPN gateway, connections from Nokia Mobile VPN Clients are prematurely disconnected when the client is idle and no application traffic has been sent for several minutes. The IKE and IPSec SA sessions are disconnected even though much of the session lifetime remains. For example, with an IKE lifetime of 8h and an IPSec lifetime of 1h, the SA sessions may be disconnected after only around 10-15 minutes.

    In some cases the IP VPN gateway shows the following error message on the console:

    (IKE)-ERR: oakley_respond_dpd: Out of order their DPD sequence 11d12e6a (expecting 11d12e6b)

    Mobile VPN Client users must reauthenticate in this situation to re-establish the IKE and IPSec sessions. The premature disconnection also causes issues for applications that are waiting for incoming connections on the mobile device (e.g. a VoIP SIP client), because application connections cannot be established from the gateway side.


This is an issue in Nokia IP VPN gateway versions v6.3-110 and earlier. The Dead Peer Detection (DPD) feature doesn't function properly with Nokia Mobile VPN Clients and 3rd party VPN gateways.


When the feature is enabled, both sides send DPD packets to determine whether the other end is still active. However, the DPD packets sent by the IP VPN gateway do not fully conform to the Dead Peer Detection specification, RFC 3706, and are not accepted by the Mobile VPN Client. If there is no application traffic for several minutes, the Mobile VPN Client tears down the IKE and IPSec SA tunnels because it has not received any valid DPD packets from the gateway side.
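To check whether a gateway is logging the console error quoted above, the following added example (not Nokia code) scans saved console output for that message and reports how far each received DPD sequence number was from the expected one. The function names, the sample log and the 32-bit wraparound handling are assumptions of this example; only the first error line in the sample comes from this article.

```python
import re
from collections import Counter

# Matches the console error quoted in this article.
DPD_ERR = re.compile(
    r"\(IKE\)-ERR: oakley_respond_dpd: Out of order their DPD sequence "
    r"(?P<got>[0-9a-fA-F]{1,8}) \(expecting (?P<want>[0-9a-fA-F]{1,8})\)"
)

def signed_offset(got: int, want: int) -> int:
    """Received minus expected, wrapped to a signed 32-bit value (assumption)."""
    diff = (got - want) & 0xFFFFFFFF
    return diff - 0x100000000 if diff >= 0x80000000 else diff

def find_dpd_errors(lines):
    """Return one record per matching line: line number, sequences, offset."""
    events = []
    for lineno, line in enumerate(lines, start=1):
        m = DPD_ERR.search(line)
        if not m:
            continue
        got, want = int(m["got"], 16), int(m["want"], 16)
        events.append({"line": lineno, "received": got, "expected": want,
                       "offset": signed_offset(got, want)})
    return events

def summarize(events):
    """Count events whose received sequence was behind or ahead of expected."""
    c = Counter("behind" if e["offset"] < 0 else "ahead" for e in events)
    return {"total": len(events), "behind": c["behind"], "ahead": c["ahead"]}

# Constructed sample. Line 2 is the message from this article; the rest is made up.
SAMPLE_LOG = """\
unrelated console output (constructed filler)
(IKE)-ERR: oakley_respond_dpd: Out of order their DPD sequence 11d12e6a (expecting 11d12e6b)
(IKE)-ERR: oakley_respond_dpd: Out of order their DPD sequence 00000002 (expecting ffffffff)
(IKE)-ERR: oakley_respond_dpd: Out of order their DPD sequence 11d12e70 (expecting 11d12e6c)
""".splitlines()

if __name__ == "__main__":
    events = find_dpd_errors(SAMPLE_LOG)
    for e in events:
        print(f"line {e['line']}: received {e['received']:08x}, "
              f"expected {e['expected']:08x}, offset {e['offset']:+d}")
    print(summarize(events))
```

Matching lines in the console output of a gateway running v6.3-110 or earlier, together with idle clients dropping after 10-15 minutes, point to the issue described here.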


To avoid the problem, the Dead Peer Detection feature should be disabled in the Nokia IP VPN gateway when Nokia Mobile VPN Clients and 3rd party VPN gateways connect to it. The feature is enabled by default. It can be disabled via the VPN Manager as follows:


  • Go to the VPN Global Properties / Policy menu
  • Disable the option "Enable Dead Peer Detection"
  • Apply the changes to the gateway
Imported from Nokia support database