Always on VPN, occasionally "New policy invalidated SAs formed with old policy"

A.B.J 21 Reputation points
2022-04-11T11:36:38.14+00:00

The short summary:

AoVPN works great in general. It's about 2k users. We use IKEv2 with both DT and UT-tunnel. We use F5 for LB and SRV2019.

Occasionally, I hear from a handful of users "I needed to reconnect a few times before it worked..". I assume it correlates to too-large UDP packets, and the client might already have been authenticated through NPS and the persistent routes behind NAT-T might already be established, hence it needs to time out before the user can try again?
When I think about it, it sounds more like an issue with the DT tunnel rather than the UT, since DT connects before the user logs on.

I have not traced the traffic yet for these particular events, since it's pretty hard because you don't know when it will happen.
I might need to set up a 24/7 Wireshark to catch any of these events, but I was wondering if someone has found any details that I might have missed?


1 answer

  1. Limitless Technology 44,381 Reputation points
    2022-04-12T08:15:03.623+00:00

    Hello ABJ,

    Before starting with the network traces, I can recommend you check the logs from the time the connection failed, in order to retrieve more information on why the connection could not be established.

    You have the reference for the files involved here:
    https://learn.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy-troubleshooting#logs


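The following script is an added example, not code from the original thread or from Microsoft. It does what the answer suggests before reaching for a 24/7 capture: it pulls the client-side RasClient events and any IPsec audit events carrying the "New policy invalidated SAs formed with old policy" text from the Windows event logs, correlates them within a short window, and adds a Don't-Fragment ping probe for the oversized-UDP theory raised in the question. The RasClient event IDs (20226/20227), the auditpol subcategory names and the `Test-PathMtu` helper are assumptions to confirm in your own environment; the script is meant to be run on an affected client or the RRAS server.

```powershell
# Added example (not part of the original thread). Collect Always On VPN / IKEv2
# failure evidence from the event logs and probe path MTU toward the VPN server.
param(
    [datetime]$Since  = (Get-Date).AddDays(-7),
    [string]$VpnHost  = 'vpn.example.com'   # assumed placeholder; replace with your gateway
)

# 1. RasClient application-log events. Assumption: 20227 = connection failed
#    (message carries the RAS/Win32 error code), 20226 = connection disconnected.
function Get-RasFailureEvents {
    param([datetime]$StartTime)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'RasClient'
        StartTime    = $StartTime
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -in 20226, 20227 } |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

# 2. IPsec/IKE audit events in the Security log whose message contains the
#    "invalidated SAs" failure reason. Filtering on the text rather than on one
#    event ID so it matches whichever negotiation stage logged it. These events
#    only exist if IPsec auditing is on, e.g. (assumed subcategory names):
#      auditpol /set /subcategory:"IPsec Main Mode" /success:enable /failure:enable
#      auditpol /set /subcategory:"IPsec Quick Mode" /success:enable /failure:enable
function Get-IpsecInvalidatedSaEvents {
    param([datetime]$StartTime)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        StartTime = $StartTime
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*invalidated SAs*' } |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

# 3. Correlate: for each RAS failure, list IPsec events within +/- 2 minutes,
#    so a policy-invalidation right before a failed dial stands out.
function Join-FailureEvidence {
    param($RasEvents, $IpsecEvents, [int]$WindowSeconds = 120)
    foreach ($r in $RasEvents) {
        $near = $IpsecEvents | Where-Object {
            [math]::Abs(($_.TimeCreated - $r.TimeCreated).TotalSeconds) -le $WindowSeconds
        }
        [pscustomobject]@{
            Time        = $r.TimeCreated
            RasEventId  = $r.Id
            RasSummary  = $r.Summary
            IpsecNearby = ($near | ForEach-Object { "$($_.TimeCreated) [$($_.Id)] $($_.Summary)" }) -join '; '
        }
    }
}

# 4. Oversized-UDP check for the question's theory: send Don't-Fragment pings
#    with decreasing payloads. Payload + 28 bytes (IP + ICMP header) is the
#    on-wire size; the first size that passes approximates the usable path MTU.
function Test-PathMtu {
    param([string]$Target, [int[]]$PayloadSizes = @(1472, 1400, 1372, 1300, 1200))
    foreach ($size in $PayloadSizes) {
        $out = & ping.exe -n 1 -f -l $size $Target 2>&1
        $fragNeeded = ($out -join ' ') -match 'needs to be fragmented'
        [pscustomobject]@{ PayloadBytes = $size; OnWireBytes = $size + 28; Passes = -not $fragNeeded }
    }
}

$ras   = Get-RasFailureEvents -StartTime $Since
$ipsec = Get-IpsecInvalidatedSaEvents -StartTime $Since

"RAS failures since $Since : $($ras.Count); IPsec 'invalidated SAs' events: $($ipsec.Count)"
# Hourly histogram makes intermittent failures visible across a large user base.
$ras | Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name | Format-Table Name, Count -AutoSize
Join-FailureEvidence -RasEvents $ras -IpsecEvents $ipsec | Format-List
Test-PathMtu -Target $VpnHost | Format-Table -AutoSize
```

Run it in an elevated PowerShell session, since reading the Security log requires administrator rights. If the correlation shows "invalidated SAs" events clustering just before failed dials, the next step is the packet trace the question anticipates, but scoped to UDP 500/4500 around those timestamps rather than a blanket capture; if the MTU probe fails at 1472 but passes lower, IKE fragmentation through the F5 and NAT-T is the thread to pull first.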
