@KapilAnanth-MSFT I have done as you requested and made our side Responder-Only with disabled traffic selectors. Here's an excerpt from the IKE Diagnostic Log:
1- Process Payload Notify - NotifyType = 16393","instance":"GatewayTenantWorker_IN_1"}, "ClientOperationId": "00000000-0000-0000-0000-000000000000", "CorrelationRequestId": "00000000-0000-0000-0000-000000000000", "GatewayManagerVersion": "23.2.100.14"}
2- [Received] [CHILD_SA QM_REKEY] Ipsec rekey request with iCookie 0x2F68449C28660B60 and rCookie 0xFB25C3C86399DF9B For Old IPSECSA spi 0xDF33E667","instance":"GatewayTenantWorker_IN_1"}, "ClientOperationId": "00000000-0000-0000-0000-000000000000", "CorrelationRequestId": "00000000-0000-0000-0000-000000000000", "GatewayManagerVersion": "23.2.100.14"}
3- Received Traffic Selector payload request- [Tsid 0x71c1 ]Number of TSIs 1: StartAddress 10.1.0.0 EndAddress 10.1.255.255 PortStart 0 PortEnd 65535 Protocol 0 Number of TSRs 1:StartAddress 10.10.0.0 EndAddress 10.10.255.255 PortStart 0 PortEnd 65535 Protocol 0","instance":"GatewayTenantWorker_IN_1"}, "ClientOperationId": "00000000-0000-0000-0000-000000000000", "CorrelationRequestId": "00000000-0000-0000-0000-000000000000", "GatewayManagerVersion": "23.2.100.14"}
4- [SEND] Proposed Traffic Selector payload will be (Final Negotiated) - [Tsid 0x71c1 ]Number of TSIs 1: StartAddress 10.1.0.0 EndAddress 10.1.255.255 PortStart 0 PortEnd 65535 Protocol 0 Number of TSRs 1:StartAddress 10.10.0.0 EndAddress 10.10.255.255 PortStart 0 PortEnd 65535 Protocol 0","instance":"GatewayTenantWorker_IN_1"}, "ClientOperationId": "00000000-0000-0000-0000-000000000000", "CorrelationRequestId": "00000000-0000-0000-0000-000000000000", "GatewayManagerVersion": "23.2.100.14"}
5- [RECEIVED]Received IPSec payload: Policy1:Cipher=AES-CBC-256 Integrity=SHA256 PfsGroup=PfsNone ","instance":"GatewayTenantWorker_IN_1"}, "ClientOperationId": "00000000-0000-0000-0000-000000000000", "CorrelationRequestId": "00000000-0000-0000-0000-000000000000", "GatewayManagerVersion": "23.2.100.14"}
6- [SEND][CHILD_QM_SA] Sending CREATE_CHILD QM_SA response message for tunnelId 0x36 and tsId 0x71C1","instance":"GatewayTenantWorker_IN_1"}, "ClientOperationId": "00000000-0000-0000-0000-000000000000", "CorrelationRequestId": "00000000-0000-0000-0000-000000000000", "GatewayManagerVersion": "23.2.100.14"}
7- [SEND]Sending IPSec policy Payload for tunnel Id 0x36, tsId 0x71C1: Policy1:Integrity=SHA256 Cipher=AES-CBC-256 ","instance":"GatewayTenantWorker_IN_1"}, "ClientOperationId": "00000000-0000-0000-0000-000000000000", "CorrelationRequestId": "00000000-0000-0000-0000-000000000000", "GatewayManagerVersion": "23.2.100.14"}
8- [SEND][CHILD_QM_SA] Sending CREATE_CHILD QM_SA request message for tunnelId 0x36 and tsId 0x71C2","instance":"GatewayTenantWorker_IN_1"}, "ClientOperationId": "00000000-0000-0000-0000-000000000000", "CorrelationRequestId": "00000000-0000-0000-0000-000000000000", "GatewayManagerVersion": "23.2.100.14"}
9- [SEND]Sending IPSec policy Payload for tunnel Id 0x36, tsId 0x71C2: Policy1:Integrity=SHA256 Cipher=AES-CBC-256 ","instance":"GatewayTenantWorker_IN_1"}, "ClientOperationId": "00000000-0000-0000-0000-000000000000", "CorrelationRequestId": "00000000-0000-0000-0000-000000000000", "GatewayManagerVersion": "23.2.100.14"}
10- [SEND] Proposed (Data Triggered) Traffic Selector payload will be- Number of TSIs 1: StartAddress 10.10.0.0 EndAddress 10.10.255.255 PortStart 0 PortEnd 65535 Protocol 0 Number of TSRs 1:StartAddress 169.254.21.2 EndAddress 169.254.21.2 PortStart 0 PortEnd 65535 Protocol 0","instance":"GatewayTenantWorker_IN_1"}, "ClientOperationId": "00000000-0000-0000-0000-000000000000", "CorrelationRequestId": "00000000-0000-0000-0000-000000000000", "GatewayManagerVersion": "23.2.100.14"}
11- Process Payload Notify - NotifyType = 38","instance":"GatewayTenantWorker_IN_1"}, "ClientOperationId": "00000000-0000-0000-0000-000000000000", "CorrelationRequestId": "00000000-0000-0000-0000-000000000000", "GatewayManagerVersion": "23.2.100.14"}
12- [RECEIVED][NOTIFY] Received Notify Message - Traffic Selectors Unacceptable [IKEV2_TS_UNACCEPTABLE]","instance":"GatewayTenantWorker_IN_1"}, "ClientOperationId": "00000000-0000-0000-0000-000000000000", "CorrelationRequestId": "00000000-0000-0000-0000-000000000000", "GatewayManagerVersion": "23.2.100.14"}
What I think I'm seeing here is in line 3 they are sending a TS proposal, and in line 4 we are agreeing to it. However, in line 10 we are sending another TS proposal and they are rejecting it in line 12. Does that seem accurate? Why would Azure be requesting the TS for their BGP peer alone?
Also, the above interaction between our gateways only happens once or twice an hour. But, every 5 seconds or so I get the following:
[SEND][CHILD_QM_SA] Sending CREATE_CHILD QM_SA request message for tunnelId 0x36 and tsId 0x755E","instance":"GatewayTenantWorker_IN_1"}, "ClientOperationId": "00000000-0000-0000-0000-000000000000", "CorrelationRequestId": "00000000-0000-0000-0000-000000000000", "GatewayManagerVersion": "23.2.100.14"}
[SEND]Sending IPSec policy Payload for tunnel Id 0x36, tsId 0x755E: Policy1:Integrity=SHA256 Cipher=AES-CBC-256 ","instance":"GatewayTenantWorker_IN_1"}, "ClientOperationId": "00000000-0000-0000-0000-000000000000", "CorrelationRequestId": "00000000-0000-0000-0000-000000000000", "GatewayManagerVersion": "23.2.100.14"}
[SEND] Proposed (Data Triggered) Traffic Selector payload will be- Number of TSIs 1: StartAddress 10.10.0.0 EndAddress 10.10.255.255 PortStart 0 PortEnd 65535 Protocol 0 Number of TSRs 1:StartAddress 169.254.21.2 EndAddress 169.254.21.2 PortStart 0 PortEnd 65535 Protocol 0","instance":"GatewayTenantWorker_IN_1"}, "ClientOperationId": "00000000-0000-0000-0000-000000000000", "CorrelationRequestId": "00000000-0000-0000-0000-000000000000", "GatewayManagerVersion": "23.2.100.14"}
Process Payload Notify - NotifyType = 38","instance":"GatewayTenantWorker_IN_1"}, "ClientOperationId": "00000000-0000-0000-0000-000000000000", "CorrelationRequestId": "00000000-0000-0000-0000-000000000000", "GatewayManagerVersion": "23.2.100.14"}
[RECEIVED][NOTIFY] Received Notify Message - Traffic Selectors Unacceptable [IKEV2_TS_UNACCEPTABLE]","instance":"GatewayTenantWorker_IN_1"}, "ClientOperationId": "00000000-0000-0000-0000-000000000000", "CorrelationRequestId": "00000000-0000-0000-0000-000000000000", "GatewayManagerVersion": "23.2.100.14"}
IkeCleanupQMNegotiation called with error 13999 and flags 1","instance":"GatewayTenantWorker_IN_1"}, "ClientOperationId": "00000000-0000-0000-0000-000000000000", "CorrelationRequestId": "00000000-0000-0000-0000-000000000000", "GatewayManagerVersion": "23.2.100.14"}
Which is the same thing that seems to kill the process in the first interaction. IDK, maybe those are unrelated, but it's filling the log. And again, I'm configured as ResponderOnly.
Another thing I'm curious about is our custom APIPA address and whether it's actually getting applied. As I showed in our VNG config above, the VNG says it has a BGP peer IP Address of 10.10.2.254, but also a Custom Azure APIPA BGP IP address of 169.254.21.3. How do I know if the custom IP is actually being applied? I can't find either of those IP addresses in any of the logs.
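An added example, not part of the post or of any Azure tooling: a small parser for the IKE diagnostic message text quoted above that groups lines by tsId, records the proposed TSi/TSr ranges and whether the proposal drew an IKEV2_TS_UNACCEPTABLE, then reports which TSr ranges fall outside a configured selector list. The sample log is constructed from the excerpt (JSON context fields stripped), and the `peer_local_nets` list passed in is an assumed on-prem selector set, not a value from the post.

```python
import ipaddress
import re

# Constructed sample modelled on the IKE diagnostic excerpt above (message text only,
# trailing JSON context fields stripped); line order follows the original log.
SAMPLE_LOG = """\
[SEND] Proposed Traffic Selector payload will be (Final Negotiated) - [Tsid 0x71c1 ]Number of TSIs 1: StartAddress 10.1.0.0 EndAddress 10.1.255.255 PortStart 0 PortEnd 65535 Protocol 0 Number of TSRs 1:StartAddress 10.10.0.0 EndAddress 10.10.255.255 PortStart 0 PortEnd 65535 Protocol 0
[SEND][CHILD_QM_SA] Sending CREATE_CHILD QM_SA response message for tunnelId 0x36 and tsId 0x71C1
[SEND][CHILD_QM_SA] Sending CREATE_CHILD QM_SA request message for tunnelId 0x36 and tsId 0x755E
[SEND]Sending IPSec policy Payload for tunnel Id 0x36, tsId 0x755E: Policy1:Integrity=SHA256 Cipher=AES-CBC-256
[SEND] Proposed (Data Triggered) Traffic Selector payload will be- Number of TSIs 1: StartAddress 10.10.0.0 EndAddress 10.10.255.255 PortStart 0 PortEnd 65535 Protocol 0 Number of TSRs 1:StartAddress 169.254.21.2 EndAddress 169.254.21.2 PortStart 0 PortEnd 65535 Protocol 0
Process Payload Notify - NotifyType = 38
[RECEIVED][NOTIFY] Received Notify Message - Traffic Selectors Unacceptable [IKEV2_TS_UNACCEPTABLE]
IkeCleanupQMNegotiation called with error 13999 and flags 1
"""

TSID_RE = re.compile(r"CREATE_CHILD QM_SA (request|response) message .* tsId (0x[0-9A-Fa-f]+)")
TAG_RE = re.compile(r"\[Tsid (0x[0-9A-Fa-f]+) \]")
RANGE_RE = re.compile(r"StartAddress (\S+) EndAddress (\S+)")

def parse_ts_events(text):
    """Group lines into one record per tsId: direction, TSi/TSr ranges, rejected flag."""
    events, current = {}, None
    for line in text.splitlines():
        m = TSID_RE.search(line)
        if m:  # CREATE_CHILD line names the tsId and whether this side sent a request or a response
            current = m.group(2).lower()
            events.setdefault(current, {"rejected": False})["direction"] = m.group(1)
            continue
        tag = TAG_RE.search(line)
        if tag:  # responder-side TS lines carry their own [Tsid] tag and precede the CREATE_CHILD line
            current = tag.group(1).lower()
            events.setdefault(current, {"rejected": False})
        if current is None:
            continue
        if "Traffic Selector payload will be" in line:
            ranges = RANGE_RE.findall(line)  # TSi ranges first, then TSr ranges
            n_tsi = int(re.search(r"Number of TSIs (\d+)", line).group(1))
            events[current]["tsi"], events[current]["tsr"] = ranges[:n_tsi], ranges[n_tsi:]
        elif "IKEV2_TS_UNACCEPTABLE" in line:
            events[current]["rejected"] = True
    return events

def range_covered(start, end, networks):
    """True if the start..end address range lies entirely inside one configured network."""
    s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return any(s in n and e in n for n in map(ipaddress.ip_network, networks))

def uncovered_selectors(events, peer_local_nets):
    """For each rejected proposal, the TSr ranges the assumed peer-side selector list does not cover."""
    return {tsid: [f"{s}-{e}" for s, e in ev.get("tsr", []) if not range_covered(s, e, peer_local_nets)]
            for tsid, ev in events.items() if ev["rejected"]}
```

Run against the full log (with the JSON suffix stripped) and a rejected tsId whose TSr list is non-empty points at the exact range the other side's selector policy does not cover.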