
UniFi - USG VPN: How to Implement Dead Peer Detection


This article includes steps on how to implement Dead Peer Detection, which can be a solution for dead VPN tunnels that won't restart on their own. This article applies to UniFi Security Gateways exclusively.

NOTES & REQUIREMENTS: This article covers advanced configuration, using the config.gateway.json file, and should only be performed by advanced users. Read how to create the config.gateway.json in this article before you begin.
Dead Peer Detection is done automatically for Auto VPNs on current UniFi Network versions. Some users might still need to follow these steps for manual IPsec VPN.

Table of Contents

  1. Introduction
  2. Steps: How to Implement DPD
  3. Related Articles


Introduction

A solution for dead VPN tunnels that won't restart on their own is implementing DPD (Dead Peer Detection). When the UniFi Security Gateway (USG or USG-PRO-4) changes the status of a peer device to be dead, the device removes the Phase 1 security association (SA) and all Phase 2 SAs for that peer. DPD will attempt to recreate the tunnel rather than trying to revive the dead peer.

Steps: How to Implement DPD


A config.gateway.json file will be needed for this implementation. Read this article to learn how to create one. If you suspect you have a dead peer, you can SSH into the USG and run the command show vpn ipsec sa. If you are indeed dealing with a dead peer it will appear as being "down". (Need help connecting via SSH? Read this article on the subject).

To implement Dead Peer Detection follow these steps:

1. Begin by accessing the USG through SSH. 

2. Run the following commands:

set vpn ipsec ike-group <ike group> dead-peer-detection action restart
set vpn ipsec ike-group <ike group> dead-peer-detection interval 30
set vpn ipsec ike-group <ike group> dead-peer-detection timeout 120
mca-ctrl -t dump-cfg
User Tip: To find the <ike group> name, either use the tab or ? key when typing in the command (for example, set vpn ipsec ike-group ?). Alternatively, type the command show vpn ipsec ike-group.

Below is an example of what the config.gateway.json should look like. Be sure to double check that the ike-group name is correct according to the user tip above!

{
    "vpn": {
        "ipsec": {
            "ike-group": {
                "IKE0": {
                    "dead-peer-detection": {
                        "action": "restart",
                        "interval": "30",
                        "timeout": "120"
                    }
                }
            }
        }
    }
}

3. The new VPN portion will appear in the correct format. Copy and paste that output into UniFi Network in a previously created config.gateway.json file located in your UniFi Network application. Refer to the config.gateway.json article for more information. When using a Cloud Key, create the file in /srv/unifi/data/sites/(siteID)/config.gateway.json. If the application is running on Windows or Linux, this article explains where to save the file.

4. The file will be saved on the next provision. Double check to make sure there are no errors in it; you can run the text through a JSON validator such as JSON Formatter.
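The merge-and-check that step 3 and step 4 describe by hand, as an added example that is not part of the original article or of the UniFi product: it builds the dead-peer-detection subtree shown above for a given ike-group, merges it into an existing config.gateway.json without discarding the settings already there, validates the JSON syntax, and flags DPD values that would not work (missing section, action other than restart, interval not below timeout). The existing-file contents and the lifetime setting in them are constructed for the example.

```python
import json

# Constructed example of a config.gateway.json that already exists on the
# controller; "lifetime" stands in for any setting that must survive the merge.
EXISTING_CONFIG = '{"vpn": {"ipsec": {"ike-group": {"IKE0": {"lifetime": "28800"}}}}}'

def dpd_fragment(ike_group, interval=30, timeout=120, action="restart"):
    """Build the subtree that the three 'set ... dead-peer-detection' commands
    produce. Values are strings, matching the mca-ctrl -t dump-cfg output."""
    return {"vpn": {"ipsec": {"ike-group": {ike_group: {
        "dead-peer-detection": {"action": action,
                                "interval": str(interval),
                                "timeout": str(timeout)}}}}}}

def deep_merge(base, extra):
    """Recursively merge `extra` into a copy of `base`; sibling keys are kept."""
    out = dict(base)
    for key, value in extra.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = deep_merge(out[key], value)
        else:
            out[key] = value
    return out

def check_dpd(config):
    """Return a list of problems; an empty list means every ike-group has usable DPD."""
    problems = []
    groups = config.get("vpn", {}).get("ipsec", {}).get("ike-group", {})
    if not groups:
        return ["no vpn/ipsec/ike-group section found"]
    for name, group in groups.items():
        dpd = group.get("dead-peer-detection")
        if dpd is None:
            problems.append(f"{name}: dead-peer-detection missing")
            continue
        if dpd.get("action") != "restart":
            problems.append(f"{name}: action should be 'restart' so the tunnel is rebuilt")
        try:
            interval, timeout = int(dpd["interval"]), int(dpd["timeout"])
        except (KeyError, ValueError):
            problems.append(f"{name}: interval and timeout must be integer strings")
            continue
        if not 0 < interval < timeout:
            problems.append(f"{name}: interval {interval} must be positive and below timeout {timeout}")
    return problems

def merged_config_text(existing_text, ike_group):
    """Parse the existing file (json.loads rejects malformed JSON), merge in DPD,
    and return the text to paste back into config.gateway.json."""
    merged = deep_merge(json.loads(existing_text), dpd_fragment(ike_group))
    return json.dumps(merged, indent=4)
```

Run check_dpd on the merged result before saving; a non-empty list is the error the provision would otherwise reject.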

Related Articles


UniFi - USG Advanced Configuration

Intro to Networking - How to Establish a Connection Using SSH
