Azure P2S VPN Client disconnects frequently

Anonymous
2023-09-29T09:24:13.05+00:00

Hi, we have the following problem,

We are using Always on Azure VPN client with Azure Virtual WAN and AD authentication.

The following problem: the VPN connection is interrupted at irregular intervals and then reconnects automatically.
We get a disconnect, with "[Error] Exception: "
My first assumption would be that the internet connection is interrupted, but I have already managed to rule that out.

I tried it with Azure VPN Client Version: 3.1.3.0 and 3.2.0.0

Our VPN Client Log looks like this:

[29.09.2023 08:43:41 UTC] PId:[00000904] TId:[00003736] [Azure-VPN-2] [{097804ed-80e4-45f2-b646-xxxxxxxxxxxx}] [Verbose] SendKeepAlivePayload : Skipping Ping. Current: 68791140 , Cached: 68791015, Diff: 125.

[29.09.2023 08:43:56 UTC] PId:[00000904] TId:[00003736] [Azure-VPN-2] [{097804ed-80e4-45f2-b646-xxxxxxxxxxxx}] [Verbose] SendKeepAlivePayload : Skipping Ping. Current: 68806125 , Cached: 68805343, Diff: 782.

[29.09.2023 08:44:09 UTC] PId:[00000904] TId:[00017556] [Azure-VPN-2] [{097804ed-80e4-45f2-b646-xxxxxxxxxxxx}] [Verbose] Disconnecting...

[29.09.2023 08:44:16 UTC] PId:[00000904] TId:[00029936] [Azure-VPN-2] [{235648fd-4bde-4929-8d37-xxxxxxxxxxxx}] [Verbose] Connection Logs Initialized

[29.09.2023 08:44:16 UTC] PId:[00000904] TId:[00029936] [Azure-VPN-2] [{235648fd-4bde-4929-8d37-xxxxxxxxxxxx}] [Verbose] Application Id {b8c10d4d-9f95-44ff-8c76-xxxxxxxx}

[29.09.2023 08:44:16 UTC] PId:[00000904] TId:[00029936] [Azure-VPN-2] [{235648fd-4bde-4929-8d37-xxxxxxxxxxxx}] [Error] Exception:

[29.09.2023 08:44:17 UTC] PId:[00000904] TId:[00008248] [Azure-VPN-2] [{235648fd-4bde-4929-8d37-xxxxxxxxxxxx}] [Verbose] Success Received AAD Credential Token. User: ******@xxxxx.com


Accepted answer
  1. Jenna Stepp 95 Reputation points
    2024-01-12T19:10:24.1133333+00:00

    We had "random" disconnects. We had pushed our VPN profile out with Intune. We were using the Intune-pushed VPN profile and found that the Intune syncs were causing the disconnects. I asked my users to export the profile, save it, and reimport it, and then use the VPN connection from the manually imported profile. That one works and does not get dropped when an Intune sync occurs. Hope this helps.

    4 people found this answer helpful.
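
To test the Intune-sync explanation above against a client log like the one in the question, the Python below pulls out each disconnect/reconnect pair and keeps those that fall near a sync time. It is an added example, not part of the thread or of any Microsoft tooling; the function names, the 120-second window and the sync time are assumptions, and the sample lines are constructed from the question's log, including the invisible left-to-right marks its timestamps carry.

```python
import re
from datetime import datetime

# Invisible bidi marks the client log above carries inside its timestamps.
BIDI = dict.fromkeys(map(ord, "\u200e\u200f\u202a\u202b\u202c"))
LINE = re.compile(r"\[(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) UTC\].*?"
                  r"\[\{(?P<conn>[^}]+)\}\] \[(?P<lvl>\w+)\] (?P<msg>.*)")

def parse(log_text):
    """Yield (time, connection id, level, message) per recognised line."""
    for raw in log_text.splitlines():
        m = LINE.search(raw.translate(BIDI))
        if m:  # assumes the dd.MM.yyyy timestamp layout shown in the question
            ts = datetime.strptime(m["ts"], "%d.%m.%Y %H:%M:%S")
            yield ts, m["conn"], m["lvl"], m["msg"].strip()

def reconnect_cycles(log_text):
    """One dict per 'Disconnecting...' that is followed by a new connection id."""
    cycles, pending = [], None
    for ts, conn, _lvl, msg in parse(log_text):
        if msg.startswith("Disconnecting"):
            pending = {"disconnect": ts, "old_conn": conn}
        elif (pending and msg == "Connection Logs Initialized"
              and conn != pending["old_conn"]):
            pending.update(reconnect=ts, new_conn=conn,
                           gap_s=(ts - pending["disconnect"]).total_seconds())
            cycles.append(pending)
            pending = None
    return cycles

def near_sync(cycles, sync_times, window_s=120):
    """Cycles whose disconnect lies within window_s seconds of any sync time."""
    return [c for c in cycles if any(
        abs((c["disconnect"] - s).total_seconds()) <= window_s for s in sync_times)]

def _line(ts, conn, lvl, msg):
    """Build a constructed sample line, bidi marks included, in the log's format."""
    for sep in ". :":
        ts = ts.replace(sep, f"\u200e{sep}\u200e")
    return f"[\u200e{ts} UTC] PId:[00000904] TId:[00003736] [Azure-VPN-2] [{{{conn}}}] [{lvl}] {msg}"

OLD, NEW = "097804ed-80e4-45f2-b646-xxxxxxxxxxxx", "235648fd-4bde-4929-8d37-xxxxxxxxxxxx"
SAMPLE_LOG = "\n\n".join([  # constructed from the lines quoted in the question
    _line("29.09.2023 08:43:56", OLD, "Verbose", "SendKeepAlivePayload : Skipping Ping."),
    _line("29.09.2023 08:44:09", OLD, "Verbose", "Disconnecting..."),
    _line("29.09.2023 08:44:16", NEW, "Verbose", "Connection Logs Initialized"),
])
SYNC_TIMES = [datetime(2023, 9, 29, 8, 43, 30)]  # constructed; not from the page
if __name__ == "__main__":
    print(near_sync(reconnect_cycles(SAMPLE_LOG), SYNC_TIMES))
```

If most disconnects land inside the window around device sync times, the profile redeployment described in the answers is the likely cause; disconnects with no sync nearby point elsewhere.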

1 additional answer

  1. Peharec, Tomislav 0 Reputation points
    2025-04-03T08:36:45.6+00:00

    Thanks for pointing this out. It helped us, together with Microsoft support, to have an additional check on our Azure VPN profile.

    After inspecting the profile again and doing multiple tests, I noticed that it was important for the <RegisterDNS> element to be at the end of the file. Initially we had it like this:

    <VPNProfile>
      <RememberCredentials>true</RememberCredentials>
      <AlwaysOn>false</AlwaysOn>
      <TrustedNetworkDetection>xyz</TrustedNetworkDetection>
      <RegisterDNS>false</RegisterDNS>
      <PluginProfile>
        xxxx
      </PluginProfile>
    </VPNProfile>

    What helped was to move the element <RegisterDNS>false</RegisterDNS> to be located after the </PluginProfile> element so that the profile looks like this:

    <VPNProfile>
      <RememberCredentials>true</RememberCredentials>
      <AlwaysOn>false</AlwaysOn>
      <TrustedNetworkDetection>xyz</TrustedNetworkDetection>
      <RegisterDNS>false</RegisterDNS>
      <PluginProfile>
        xxxx
      </PluginProfile>
      <RegisterDNS>false</RegisterDNS>
    </VPNProfile>

    I couldn't find it in the GitHub history of the instructions page, but I'm almost sure that this element was located at the beginning of the XML file before, causing the disconnections, as it seems that when the VPN profile is imported via Intune, it ends up at the end of the XML file regardless of where it is actually located in the Intune XML. Then when Intune is syncing, it "notices" that the element is at the end of the profile locally, but its ProfileXML has it at the beginning, causing the VPN profile to be redeployed.

    When I updated the profile by adding that element at the end of the file, the disconnections disappeared.
