S2S IPsec traffic stops 1 hour after reset

Larry 1 Reputation point
2021-09-03T01:48:34.71+00:00

I have VNet with a VGateway (VPN Type: Route-Based) with multiple Site-to-Site IPsec IKEv2 connections. All of the connections always show "Connected" on the VGateway and on the remote devices. When I first establish each connection, they work perfectly for exactly 1 hour/3600 seconds. After 1 hour, the connections are still active but no traffic is allowed.

If I reset a single tunnel in Azure, it will start working immediately for exactly 1 hour, but any tunnels not reset will continue to not work.

If I reset the VGateway in Azure, all tunnels will start working immediately for exactly 1 hour.

On the remote devices:

  1. Phase1 Lifetime is 28800
  2. Phase2 Lifetime is 3600
  3. DPD - I tried 45 and 120 (I ensured the DPD matched on both ends)

On the VGateway connections, I tried setting the "Connection Mode" to "Default" and "InitiatorOnly" with the same results. The connections' configurations are:

  1. Use Azure Private IP Address = Disabled
  2. BGP = Disabled
  3. IPsec/IKE policy = Disabled
  4. Use policy based traffic selector = Disabled
  5. DPD timeout in seconds = Currently 120, but I have tried 45 as well and ensure matching settings in Azure and Remote Device.
  6. Connection Mode = Default
  7. IKE Protocol = IKEv2
  8. Ingress NAT Rules = 0 selected
  9. Egress NAT Rules = 0 selected

The VGateway SKU is VpnGw2 and active-active mode is disabled.

I don't know what to try next.

Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,423 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. ChaitanyaNaykodi-MSFT 23,991 Reputation points Microsoft Employee
    2021-09-09T06:21:37.837+00:00

    Hello anonymous user-5906, apologies for the delayed response here.

    Depending on the scenario mentioned above you can try some additional steps.

    1. As per the troubleshooting guide can you please check if you are using a validated VPN device and operating system version. There might be any incompatibility issue which might be the cause.
    2. You can set-up diagnostic logging for your VPN gateway and check for TunnelDiagnosticLog and IKEDiagnosticLog to see if anything in particular is causing this issue.
    3. A packet capture on both sides of the tunnel might help in better debugging the issue. You can refer to this documentation as well.

    If above does not help in resolving the issue and given its uniqueness, I would suggest that you create a support request for the same where a support engineer can have a screen share session to pin point the exact issue. If you have a support plan you may file a support ticket. If you do not have a support plan please let me know. Thank you!

    0 comments No comments