S2S VPN connection keeps disconnecting

Ghulam Abbas 211 Reputation points
2023-03-07T13:13:18.0633333+00:00

Hi, we have 2 S2S VPN connections between Azure and 2 of our on-prem DCs. We have been seeing the connection unavailable error every 30 min that is auto-resolved after 3 min. This is a pattern that we can see under the VPN Connection's resource health option. The resource health on the main virtual network gateway shows no such error and always shows as healthy. We have set up the health alerts on our connections' health but don't receive any alerts for these errors. We have 48 errors in Health history and this shows a consistent pattern every 30 min. A screenshot of this is attached here. Can we please get some advice/assistance to find out the root cause of this? We have also tried constant PsPing from one of our DC servers to Azure and the ping doesn't get dropped when this event appears under connection health.

Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.

2 answers

  1. ChaitanyaNaykodi-MSFT 27,476 Reputation points Microsoft Employee Moderator
    2023-03-08T00:56:43.4766667+00:00

    @Ghulam Abbas

    Thank you for reaching out.

    As the constant PsPing does not get dropped, this can be a false positive alert.

    In order to determine the exact cause, you can try to run a packet capture on your on-prem VPN router and on the Azure VPN gateway, which can help you get an idea of whether anything is causing this issue.

    You can follow this documentation to set up a packet capture on the Azure VPN gateway.

    Regarding the health alerts, can you share more information on their setup, as that can help us understand why they were not triggered?

    Please let me know if you have any additional questions. Thanks!


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. msrini-MSFT 9,291 Reputation points Microsoft Employee
    2023-03-13T08:15:07.02+00:00

    Hi,

    To get to the bottom of this issue, I would suggest you check your IKE logs on your on-prem devices. Check if specific SAs are failing, or check if the QM fails for specific traffic selectors.

    If it is due to the expiry of the QM of a specific SA, then the tunnel will come UP when you send some traffic, at which point the re-negotiation happens again. You can also collect IKE logs from Azure to check what's going on.

    Regards,

    Karthik Srinivas

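One way to test the hypothesis raised in this answer, that the 30-minute outages line up with QM SA expiry, is to correlate the connection's resource-health transitions with the on-prem IKE log. The Python below is an added example, not from the thread or from Microsoft; both the health events and the IKE log lines are constructed sample data, and the IKE log format is invented rather than that of any real device.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the thread): Azure connection-health style
# state transitions and hypothetical on-prem IKE log lines (format invented).
HEALTH_EVENTS = """\
2023-03-07T08:00:00Z Unavailable
2023-03-07T08:03:00Z Available
2023-03-07T08:30:00Z Unavailable
2023-03-07T08:33:00Z Available
2023-03-07T09:00:00Z Unavailable
2023-03-07T09:03:00Z Available
"""
IKE_LOG = """\
2023-03-07T07:59:55Z QM SA expired spi=0x1a2b ts=10.0.0.0/16<->192.168.1.0/24
2023-03-07T08:02:40Z QM SA established spi=0x3c4d ts=10.0.0.0/16<->192.168.1.0/24
2023-03-07T08:29:55Z QM SA expired spi=0x3c4d ts=10.0.0.0/16<->192.168.1.0/24
2023-03-07T08:32:50Z QM SA established spi=0x5e6f ts=10.0.0.0/16<->192.168.1.0/24
2023-03-07T08:59:55Z QM SA expired spi=0x5e6f ts=10.0.0.0/16<->192.168.1.0/24
2023-03-07T09:02:45Z QM SA established spi=0x7081 ts=10.0.0.0/16<->192.168.1.0/24
"""

def parse_log(text):
    """Return [(datetime, message)] for every '<ISO timestamp> <message>' line."""
    out = []
    for line in text.splitlines():
        stamp, msg = line.split(maxsplit=1)
        out.append((datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), msg))
    return out

def outage_period_minutes(health):
    """Middle value of the sorted gaps (minutes) between 'Unavailable' transitions."""
    downs = [t for t, state in health if state == "Unavailable"]
    gaps = sorted((b - a).total_seconds() / 60 for a, b in zip(downs, downs[1:]))
    return gaps[len(gaps) // 2] if gaps else None

def correlate(health, ike, window=timedelta(seconds=60)):
    """Map each outage start to the QM SA expiry logged within `window` before it."""
    expiries = [(t, msg) for t, msg in ike if "QM SA expired" in msg]
    matches = {}
    for t, state in health:
        if state == "Unavailable":
            hits = [m for te, m in expiries if timedelta(0) <= t - te <= window]
            matches[t.isoformat()] = hits[0] if hits else None
    return matches

def diagnose(health_text=HEALTH_EVENTS, ike_text=IKE_LOG):
    health, ike = parse_log(health_text), parse_log(ike_text)
    matches = correlate(health, ike)
    return {"period_min": outage_period_minutes(health), "outages": len(matches),
            "explained_by_qm_expiry": sum(v is not None for v in matches.values())}
```

Outages left as `None` in the `correlate` result are the ones a QM expiry does not explain and are the candidates for the packet capture suggested in the first answer.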
