Azure Virtual WAN
An Azure virtual networking service that provides optimized and automated branch-to-branch connectivity.
224 questions
Virtual Wan Site to Site VPN Tunnel stops working after a couple days
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 94%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDF%3C/text%3E%3C/svg%3E)
Diego Fernandes Spinola Castro
0
Reputation points
Hello, i have a VPN site-to-site tunel between virtual wan and a fortigate appliance.
Both sides show the tunel as UP and Connected, traffic flows in both directions and after a couple days it stops.
Local Network: 172.24.8.0/21
Remote Network: 172.17.16.0/22
1 - We have Virtual Hub and Azure Firewall with routing intent enabled for internet and private traffic
2 - packet capture confirms that packets are coming from fortigate and firewall logs show the same traffic being Allowed into network rules but i can´t see the traffic going back to vpn gateway.
- Inbound Traffic
Traffic from 172.17.19.127 (remote) to 172.24.11.4 (local) port 5060 (sip)
Packet capture:
Firewall Network Rule Hit:
- Outbound Traffic
Traffic from 172.24.13.16 (local) and 172.24.9.4 (local) to 172.17.19.127 port 5060
At the same time frame the packets never reach the vpn gateway:
Traceroute:
The only way to get the traffic back is reseting the VPN Gateway, as i already said the traffic goes back to normal for a couple days and then stops again.
{count} votes
-
KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee2023-09-20T04:23:18.26+00:00 @Diego Fernandes Spinola Castro
Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you are using a vWAN setup with Azure Firewall routing intent enabled and the VPN Connection stops working after couple of days.
This seems odd.
The packet capture you have shared.
- Was that collected from your OnPrem VPN Device?
- Or from the VPN Gateway packet capture?
From the logs, Once the issue starts,
- Is OnPrem to Azure connection working?
- i.e, if you TCP from 172.17.19.127 (remote) to 172.24.11.4 (local), are you getting a response?
- Or it is the case that you are even seeing Reply (SYN ACK) packets from Azure to OnPrem?
- Can you please check the virtual hub effective routes and see if the nextHop for OnPrem range is being populated as "VPN_S2S_Gateway" or not?
Also, I would suggest you to check the Traffic selectors once the issue starts.
- Make sure you enable diagnostic setting for the vWAN VPN Gateway.
- Specifically check
Cheers,
Kapil
-
Diego Fernandes Spinola Castro 0 Reputation points
2023-09-20T10:29:37.9133333+00:00 - The packet capture was from VPN Gateway Capture.
- I don´t even see Reply (SYN ACK) packets from Azure to OnPrem.
- Here are the effective routes.
-
- -- I would suggest you to check the Traffic selectors once the issue starts. Do you mean checking the logs? I´m attaching the IkeDiagnostics logs for that tunnel. ikediagnostics.log
--
-
KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee
2023-09-21T05:46:01.2566667+00:00 @Diego Fernandes Spinola Castro
I take it that the logs/route were captured while the issue was happening.
- I can see the Routes 172.17.19.0/24 is being sent to the S2S Tunnel
- And also in the logs, the negotiation is happening as expected.
To troubleshoot the exact issue, I think we will need a specialized 1:1 session, where a support engineer can have a screen share session to pinpoint the issue. If you have a support plan you may file a support ticket, else please do let us know, we will try and help you get a one-time free technical support.
Cheers,
Kapil
-
Diego Fernandes Spinola Castro 0 Reputation points
2023-09-21T13:55:30.03+00:00 Hello @KapilAnanth-MSFT thank you for the answer, I'm posting here since my MS service provider is not helping on opening tickets.
The partner is TD Synnex/TechData and i´ve tried a couple times opening a ticket without success.
How can you help me?
-
KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee
2023-09-21T17:34:40.75+00:00 @Diego Fernandes Spinola Castro
If you have a CSP subscription, then I am afraid only your CSP can help you with raising support incidents.
We will not be able to enable Support from our end as these subscriptions are managed by your CSP.
Cheers,
Kapil
Sign in to comment
Sign in to answer