Site to Site VPN stops passing traffic

Question

Site to Site VPN stops passing traffic

Kevin Beccaris 15

VPN tunnel establishes and passes traffic.
VPN tunnel stays up but stops passing traffic
believe the tunnel stops passing traffic when lifetimes are reached; won't rekey
we moved from ikev2 to ikev1 and had some better results however the tunnel stops passing traffic
we upgrade the on-premise ASA to v9.8.4.46 and did not help

really just looking for Azure troubleshooting guidance

ipsonuser 0 Reputation points

2024-08-05T15:07:14.26+00:00

Palo Alto Networks Firewall here , exactly the same problem.
We have about 20+ PAN firewalls and each Firewall = customer
Each customer has VPN to Azure.
None of them experience the issue.

Here we have setup yet another one and we struggle with the same issue.
Firewall VPN shows as up,
Azure end shows as connected.
all RDP/PING suddenly stops and no traffic flows through the tunnel.
The only way to get this running again is to re-negotiate manually which is silly.

We tried IKE v1 , IKEv2
There are no differences between configuration. Its just yet another tunnel to setup.
Spoken with one of the MSPs in Ireland.
They also have one customer like this connected to FortiGate.
They have to restart VPN manually 2-3 times per day and they have dozens of fortigates.

1 answer

Your answer

ipsonuser 0 Reputation points

2024-08-05T15:07:14.26+00:00

Palo Alto Networks Firewall here , exactly the same problem.
We have about 20+ PAN firewalls and each Firewall = customer
Each customer has VPN to Azure.
None of them experience the issue.

Here we have setup yet another one and we struggle with the same issue.
Firewall VPN shows as up,
Azure end shows as connected.
all RDP/PING suddenly stops and no traffic flows through the tunnel.
The only way to get this running again is to re-negotiate manually which is silly.

We tried IKE v1 , IKEv2
There are no differences between configuration. Its just yet another tunnel to setup.
Spoken with one of the MSPs in Ireland.
They also have one customer like this connected to FortiGate.
They have to restart VPN manually 2-3 times per day and they have dozens of fortigates.

Answer 1

@Kevin BeccarisThank you for reaching out. I understand you are facing issues with you site-site Azure VPN Gateway where the even though the tunnel is up the traffic stops passing through.In order to pin-point the issue, I think it will help if you could follow the troubleshoot instructions below :

Enable Diagnostic logging for the VPN Gateway and check if you can find any issue in TunnelDiagnosticLog for the VPN connection.
Perform a packet capture on your VPN Gateway to get to know if the traffic is reaching the VPN Gateway or if the issue is related to the on-prem device.
Check if the on-prem device is listed in the validated devices list here for Azure VPN.
You can also try following the troubleshooting document here and see if that helps in resolving the issue.

Please let me know if you have any additional questions. Thank you!

Share via

Site to Site VPN stops passing traffic

1 answer

Your answer