I am dealing with an IPsec tunnel over a satellite network. One thing I keep seeing in the logs is that Dead Peer Detection keeps dropping the tunnel because it doesn’t get a reply. I see this every few hours.
I suspect that this may be caused by Dead Peer Detection not waiting long enough to hear a reply, as satellite latency can be 1.5 seconds or higher at times. Does anyone know how long RouterOS is hardcoded to wait for a DPD reply before giving up and sending another DPD packet (or dropping the tunnel)? This value isn’t adjustable in any way, is it?
Edit: Packet captures suggest this value is exactly 1s. Can anyone confirm?
I sent an email to Mikrotik Support, and this is what they told me: the time DPD waits for each packet is directly linked to the max-failures setting.
If you set max-failures to 1, it will wait 1 second, once.
If you set max-failures to 3, it will wait 3 seconds for each packet, 3 times.
If you set max-failures to 100, in theory it will wait 100 seconds for each packet, 100 times.
It doesn’t really make sense to me why these two things would be linked, but additional packet captures do confirm that changing the max-failures setting does appear to affect how long the Mikrotik waits until sending the next R-U-There packet.
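To make the reported behaviour concrete, here is a small model of the DPD exchange as the post describes it. This is an added example, not code from the thread or from MikroTik: it assumes the rule relayed from support (each R-U-There waits max-failures seconds for its R-U-There-ACK, and the peer is declared dead after max-failures consecutive unanswered probes) and the usual DPD semantic that any reply resets the failure counter. The RTT samples are constructed to illustrate a high-latency link; `None` stands for a probe whose reply never arrives.

```python
"""Model of IPsec Dead Peer Detection timing as reported for RouterOS.

Assumption taken from the forum post: the per-probe reply timeout equals the
max-failures setting in seconds, and the tunnel is torn down after
max-failures consecutive probes go unanswered. Standard DPD behaviour assumed:
a reply that arrives inside the window resets the failure counter.
"""
import math
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DpdResult:
    peer_declared_dead: bool   # True if the initiator would drop the tunnel
    attempts: int              # R-U-There probes sent before the outcome
    elapsed: float             # seconds from the first probe to the outcome


def simulate_dpd(rtt_samples: List[Optional[float]], max_failures: int) -> DpdResult:
    """Walk through consecutive R-U-There probes.

    rtt_samples: per-probe round-trip time in seconds, or None if the reply is lost.
    max_failures: the RouterOS max-failures setting; per the post this also sets
                  the per-probe reply timeout in seconds (assumption).
    """
    if max_failures < 1:
        raise ValueError("max_failures must be at least 1")
    reply_timeout = float(max_failures)  # assumed link between the two values
    failures = 0
    elapsed = 0.0
    for attempts, rtt in enumerate(rtt_samples, start=1):
        if rtt is not None and rtt <= reply_timeout:
            # Reply arrived inside the window: counter resets, tunnel stays up.
            elapsed += rtt
            return DpdResult(False, attempts, elapsed)
        # Either lost, or the reply lands after the window closes (late reply
        # is indistinguishable from loss to the timer): count a failure.
        elapsed += reply_timeout
        failures += 1
        if failures >= max_failures:
            return DpdResult(True, attempts, elapsed)
    # Ran out of samples without reaching the failure threshold.
    return DpdResult(False, len(rtt_samples), elapsed)


def min_max_failures_for_rtt(worst_case_rtt: float) -> int:
    """Smallest max-failures value whose per-probe window covers the given RTT,
    under the assumed 'timeout equals max-failures seconds' rule."""
    return max(1, math.ceil(worst_case_rtt))


if __name__ == "__main__":
    # Constructed sample: a satellite hop with ~1.5 s round trips.
    print(simulate_dpd([1.5], max_failures=1))   # dropped after 1 s, reply too late
    print(simulate_dpd([1.5], max_failures=3))   # reply at 1.5 s is inside the 3 s window
    print(simulate_dpd([None, None, 1.8], max_failures=3))  # two losses, then recovery
    print(min_max_failures_for_rtt(1.5))          # 2
```

The first two calls show the failure mode from the original question: with max-failures=1 a 1.5 s round trip always looks like a dead peer, while max-failures=3 leaves room for the reply. The third call shows that under the assumed rule a couple of genuinely lost probes are tolerated before the tunnel is dropped.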