Hello.
I'm trying to achieve IPsec STS failover using DPD.
There are three vSRX (12.1X47-D20.7) in my test lab.
1. Top router (routing between the two routers)
Interfaces
set interfaces ge-0/0/1 unit 0 family inet address 192.168.10.254/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.2.254/24
2. First IPsec router with RPM probe and ip-monitoring
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24 preferred
set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24
set interfaces ge-0/0/2 unit 0 family inet address 10.254.1.1/24
set interfaces st0 unit 1 description "IPsec to SRX2"
set interfaces st0 unit 1 family inet address 10.10.0.1/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.1.254
set routing-options static route 10.254.2.0/24 next-hop st0.1
set security ike policy ike_pol_STS_to_SRX2 mode aggressive
set security ike policy ike_pol_STS_to_SRX2 proposal-set compatible
set security ike policy ike_pol_STS_to_SRX2 pre-shared-key ascii-text ""
set security ike gateway gw_STS_to_SRX2 ike-policy ike_pol_STS_to_SRX2
set security ike gateway gw_STS_to_SRX2 address 192.168.10.1
set security ike gateway gw_STS_to_SRX2 external-interface ge-0/0/1.0
set security ipsec policy ipsec_pol_STS_to_SRX2 perfect-forward-secrecy keys group2
set security ipsec policy ipsec_pol_STS_to_SRX2 proposal-set compatible
set security ipsec vpn STS_to_SRX2 bind-interface st0.1
set security ipsec vpn STS_to_SRX2 ike gateway gw_STS_to_SRX2
set security ipsec vpn STS_to_SRX2 ike ipsec-policy ipsec_pol_STS_to_SRX2
set security ipsec vpn STS_to_SRX2 establish-tunnels immediately
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy default-deny match source-address any
set security policies from-zone untrust to-zone trust policy default-deny match destination-address any
set security policies from-zone untrust to-zone trust policy default-deny match application any
set security policies from-zone untrust to-zone trust policy default-deny then deny
set security policies from-zone trust to-zone STS_Zone policy policy_out_STS_to_SRX2 match source-address addr_10_254_1_0_24
set security policies from-zone trust to-zone STS_Zone policy policy_out_STS_to_SRX2 match destination-address addr_10_254_2_0_24
set security policies from-zone trust to-zone STS_Zone policy policy_out_STS_to_SRX2 match application any
set security policies from-zone trust to-zone STS_Zone policy policy_out_STS_to_SRX2 then permit
set security policies from-zone STS_Zone to-zone trust policy policy_in_STS_to_SRX2 match source-address addr_10_254_2_0_24
set security policies from-zone STS_Zone to-zone trust policy policy_in_STS_to_SRX2 match destination-address addr_10_254_1_0_24
set security policies from-zone STS_Zone to-zone trust policy policy_in_STS_to_SRX2 match application any
set security policies from-zone STS_Zone to-zone trust policy policy_in_STS_to_SRX2 then permit
set security zones security-zone trust tcp-rst
set security zones security-zone trust address-book address addr_10_254_1_0_24 10.254.1.0/24
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone STS_Zone address-book address addr_10_254_2_0_24 10.254.2.0/24
set security zones security-zone STS_Zone interfaces st0.1
set services rpm probe DG_1_254 test PING_1_DG target address 192.168.1.254
set services rpm probe DG_1_254 test PING_1_DG probe-count 10
set services rpm probe DG_1_254 test PING_1_DG probe-interval 5
set services rpm probe DG_1_254 test PING_1_DG test-interval 5
set services rpm probe DG_1_254 test PING_1_DG thresholds successive-loss 5
set services ip-monitoring policy GW_failover match rpm-probe DG_1_254
set services ip-monitoring policy GW_failover then preferred-route route 0.0.0.0/0 next-hop 192.168.2.254
3. Second IPsec router with DPD
set interfaces ge-0/0/1 unit 0 family inet address 192.168.10.1/24
set interfaces ge-0/0/2 unit 0 family inet address 10.254.2.1/24
set interfaces st0 unit 1 description "IPsec to SRX1"
set interfaces st0 unit 1 family inet address 10.10.0.2/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.254
set routing-options static route 10.254.1.0/24 next-hop st0.1
set security ike policy ike_pol_STS_to_SRX1 mode aggressive
set security ike policy ike_pol_STS_to_SRX1 proposal-set compatible
set security ike policy ike_pol_STS_to_SRX1 pre-shared-key ascii-text ""
set security ike gateway gw_STS_to_SRX1 ike-policy ike_pol_STS_to_SRX1
set security ike gateway gw_STS_to_SRX1 address 192.168.1.1
set security ike gateway gw_STS_to_SRX1 address 192.168.2.1
set security ike gateway gw_STS_to_SRX1 dead-peer-detection always-send
set security ike gateway gw_STS_to_SRX1 dead-peer-detection interval 10
set security ike gateway gw_STS_to_SRX1 external-interface ge-0/0/1.0
set security ipsec policy ipsec_pol_STS_to_SRX1 perfect-forward-secrecy keys group2
set security ipsec policy ipsec_pol_STS_to_SRX1 proposal-set compatible
set security ipsec vpn STS_to_SRX1 bind-interface st0.1
set security ipsec vpn STS_to_SRX1 ike gateway gw_STS_to_SRX1
set security ipsec vpn STS_to_SRX1 ike ipsec-policy ipsec_pol_STS_to_SRX1
set security ipsec vpn STS_to_SRX1 establish-tunnels immediately
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy default-deny match source-address any
set security policies from-zone untrust to-zone trust policy default-deny match destination-address any
set security policies from-zone untrust to-zone trust policy default-deny match application any
set security policies from-zone untrust to-zone trust policy default-deny then deny
set security policies from-zone trust to-zone STS_Zone policy policy_out_STS_to_SRX1 match source-address addr_10_254_2_0_24
set security policies from-zone trust to-zone STS_Zone policy policy_out_STS_to_SRX1 match destination-address addr_10_254_1_0_24
set security policies from-zone trust to-zone STS_Zone policy policy_out_STS_to_SRX1 match application any
set security policies from-zone trust to-zone STS_Zone policy policy_out_STS_to_SRX1 then permit
set security policies from-zone STS_Zone to-zone trust policy policy_in_STS_to_SRX2 match source-address addr_10_254_1_0_24
set security policies from-zone STS_Zone to-zone trust policy policy_in_STS_to_SRX2 match destination-address addr_10_254_2_0_24
set security policies from-zone STS_Zone to-zone trust policy policy_in_STS_to_SRX2 match application any
set security policies from-zone STS_Zone to-zone trust policy policy_in_STS_to_SRX2 then permit
set security zones security-zone trust tcp-rst
set security zones security-zone trust address-book address addr_10_254_2_0_24 10.254.2.0/24
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone STS_Zone address-book address addr_10_254_1_0_24 10.254.1.0/24
set security zones security-zone STS_Zone interfaces st0.1
While 192.168.1.254 (top router) is available, IPsec is working fine.
But when I'm emulating failover by deleting the 192.168.1.254 IP address:
delete interfaces ge-0/0/2 unit 0 family inet address 192.168.1.254/24
the IPsec tunnel goes down and never comes up.
ip-monitoring and the route change are working at the first SRX:
root@SRX1> show services ip-monitoring status

Policy - GW_failover (Status: FAIL)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    DG_1_254               PING_1_DG       192.168.1.254    FAIL
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    inet.0            0.0.0.0/0         192.168.2.254    APPLIED
It can ping 192.168.10.1 (the second SRX) and the second SRX can ping 192.168.2.1 (the first SRX), but the tunnel is down:
root@SRX2> show security ipsec security-associations
  Total active tunnels: 0

root@SRX2> show security ike security-associations

root@SRX2> show security ipsec inactive-tunnels
  Total inactive tunnels: 1
  Total inactive tunnels with establish immediately: 1
  ID      Port  Nego#  Fail#  Flag      Gateway          Tunnel Down Reason
  131073  500   2      0      600a29    192.168.2.1      DPD failover

root@SRX2>
After re-enabling 192.168.1.254 at the top router, SRX1 ip-monitoring switches the route back:
root@SRX1> show services ip-monitoring status

Policy - GW_failover (Status: PASS)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    DG_1_254               PING_1_DG       192.168.1.254    PASS
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    inet.0            0.0.0.0/0         192.168.2.254    NOT-APPLIED
but the IPsec tunnel is still down.
What is wrong with this config?
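As an added example that is not part of the original post: a small Python checker that parses the two CLI outputs quoted above (`show services ip-monitoring status` on SRX1 and `show security ipsec inactive-tunnels` on SRX2) and classifies the combined state, so a monitoring job can alert when the default route has failed over, or been restored, while the tunnel stays down with a DPD reason. The sample outputs are reconstructed from the post; the section labels and column layout the parser relies on, and the state names it returns, are this example's own assumptions, not a Junos API.

```python
"""Parse the Junos CLI outputs quoted in the post and classify the failover state.

Added example, not part of the original post. The sample outputs are reconstructed
from the post; the section names and column layout the parser relies on are
assumptions about the 12.1X47 CLI rendering, not a Junos API.
"""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed from the post's "show services ip-monitoring status" on SRX1.
IP_MONITORING_FAILED = """\
Policy - GW_failover (Status: FAIL)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    DG_1_254               PING_1_DG       192.168.1.254    FAIL
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    inet.0            0.0.0.0/0         192.168.2.254    APPLIED
"""
# The post's second snapshot, taken after the top router's address was restored.
IP_MONITORING_RESTORED = IP_MONITORING_FAILED.replace("FAIL", "PASS").replace(" APPLIED", " NOT-APPLIED")

# Constructed from the post's "show security ipsec inactive-tunnels" on SRX2.
INACTIVE_TUNNELS = """\
  Total inactive tunnels: 1
  Total inactive tunnels with establish immediately: 1
  ID      Port  Nego#  Fail#  Flag      Gateway          Tunnel Down Reason
  131073  500   2      0      600a29    192.168.2.1      DPD failover
"""

InactiveTunnel = namedtuple("InactiveTunnel", "tunnel_id port nego fail flag gateway reason")


@dataclass
class IpMonitoringStatus:
    policy: str
    status: str
    probes: list = field(default_factory=list)         # (name, test, address, status)
    route_actions: list = field(default_factory=list)  # (instance, route, next_hop, state)


POLICY_RE = re.compile(r"Policy - (\S+) \(Status: (\w+)\)")
SKIP_PREFIXES = ("Probe name", "route-instance", "-")  # column headers and rules


def parse_ip_monitoring(text):
    """Return the IpMonitoringStatus for the first policy block in the output."""
    result, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            result = IpMonitoringStatus(m.group(1), m.group(2))
        elif line.startswith("RPM Probes:"):
            section = "probes"
        elif line.startswith("Route-Action:"):
            section = "routes"
        elif result is not None and line and not line.startswith(SKIP_PREFIXES):
            fields = tuple(line.split())
            if section == "probes" and len(fields) == 4:
                result.probes.append(fields)
            elif section == "routes" and len(fields) == 4:
                result.route_actions.append(fields)
    return result


def parse_inactive_tunnels(text):
    """Return one InactiveTunnel per data row; the down reason may contain spaces."""
    tunnels = []
    for raw in text.splitlines():
        f = raw.split(None, 6)  # the reason is the 7th field, kept whole
        if len(f) == 7 and f[0].isdigit():
            tunnels.append(InactiveTunnel(int(f[0]), int(f[1]), int(f[2]), int(f[3]),
                                          f[4], f[5], f[6].strip()))
    return tunnels


def assess(mon, tunnels):
    """Combine SRX1's route view with SRX2's tunnel view; the labels are this example's own."""
    route_applied = any(r[3] == "APPLIED" for r in mon.route_actions)
    dpd_down = [t for t in tunnels if t.reason.startswith("DPD")]
    if mon.status == "PASS" and not tunnels:
        return "healthy"
    if mon.status == "FAIL" and route_applied and dpd_down:
        return "failover-route-applied-tunnel-down"
    if mon.status == "PASS" and tunnels:
        return "route-restored-tunnel-still-down"
    return "indeterminate"
```

Fed the post's two snapshots, `assess` returns `failover-route-applied-tunnel-down` and then `route-restored-tunnel-still-down`: the route side recovered on its own while the tunnel side did not, which is the condition worth alarming on in a site-to-site failover design rather than discovering it by hand.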