
VPN tunnel occasionally disconnects after replacing local Firewall device

Kayo Shido 30 Reputation points
2026-02-13T17:06:06.9166667+00:00

"We are replacing an old FG-60C firewall device with new FG-60F device. After replicating the configuration from old Firewall to new Firewall, we were able to replace the old device with the new one. S2S VPN tunnel between Azure GW to Local GW seems to be working without any changes on Azure side. However, once or twice a day, traffic for the tunnel will completely drop and refuse to forward. 

Can someone kindly advise on any configuration setting that may be missed?"

Azure VPN Gateway

An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.


Answer accepted by question author
  1. Vallepu Venkateswarlu 6,045 Reputation points Microsoft External Staff Moderator
    2026-02-13T17:36:32.52+00:00

    Hi @Kayo Shido,

    Welcome to Microsoft Q&A Platform.

    As discussed, intermittent S2S VPN disconnections after replacing an on-premises firewall are most commonly caused by an IPsec/IKE lifetime mismatch, DPD mismatch, or a cryptographic parameter mismatch during Security Association (SA) rekey.

    Based on the VPN logs, Phase 1 is failing while Phase 2 is successful.

    After resetting the VPN Gateway, the tunnel is still not disconnecting. Please follow the ‘Reset a gateway’ documentation to reset the VPN gateway.

    You can also check the configuration below if you still face the issue:

    • Even if the tunnel establishes successfully, mismatched Phase 2 lifetimes (Azure default 27000 seconds) frequently cause traffic drops during renegotiation.
    • DPD timeout values that are too short can cause intermittent tunnel drops during transient latency or packet loss. Microsoft recommends configuring DPD timeout between 30 and 45 seconds to avoid unnecessary renegotiation events.
    • IKE Main Mode SA lifetime is fixed at 28,800 seconds on the Azure VPN gateways.

    UsePolicyBasedTrafficSelectors is an optional parameter on the connection. If you set UsePolicyBasedTrafficSelectors to $True on a connection, it configures the VPN gateway to connect to an on-premises policy-based VPN firewall.

    If you are still facing the issue, see Troubleshooting: Azure Site-to-Site VPN disconnects intermittently

    Default IPsec/IKE parameters and IPsec/IKE policy

    Please “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    1 person found this answer helpful.
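As an added example (not part of the answer, and not Microsoft or Fortinet code), a small Python checker that encodes the Azure values quoted above and flags the mismatches that typically surface as periodic drops at SA rekey; the OnPremTunnel field names and the sample firewall values are assumptions, not a FortiGate or Azure API.

```python
from dataclasses import dataclass

# Azure VPN gateway values quoted in the accepted answer above.
AZURE_PHASE1_LIFETIME_S = 28800   # IKE Main Mode SA lifetime, fixed on Azure
AZURE_PHASE2_LIFETIME_S = 27000   # Quick Mode (IPsec) SA lifetime, Azure default
DPD_RECOMMENDED_S = (30, 45)      # DPD timeout range recommended in the answer

@dataclass
class OnPremTunnel:
    """IKE/IPsec settings read from the replacement firewall (hypothetical field names)."""
    phase1_lifetime_s: int
    phase2_lifetime_s: int
    dpd_timeout_s: int
    policy_based: bool            # True if the firewall runs a policy-based VPN

def check_tunnel(cfg: OnPremTunnel, use_policy_based_selectors: bool = False):
    """Compare the on-prem side against the Azure values.

    Returns (setting, on-prem value, expected) tuples; an empty list means nothing to fix.
    use_policy_based_selectors mirrors the connection's UsePolicyBasedTrafficSelectors flag.
    """
    findings = []
    # Phase 1: Azure's lifetime is fixed, so the firewall must use the same value,
    # otherwise one side rekeys while the other still trusts the old SA.
    if cfg.phase1_lifetime_s != AZURE_PHASE1_LIFETIME_S:
        findings.append(("phase1_lifetime_s", cfg.phase1_lifetime_s, AZURE_PHASE1_LIFETIME_S))
    # Phase 2: the same failure mode at Quick Mode renegotiation.
    if cfg.phase2_lifetime_s != AZURE_PHASE2_LIFETIME_S:
        findings.append(("phase2_lifetime_s", cfg.phase2_lifetime_s, AZURE_PHASE2_LIFETIME_S))
    # DPD: below 30 s the tunnel is torn down on transient loss; above 45 s a
    # dead peer is noticed late, so both directions are reported.
    lo, hi = DPD_RECOMMENDED_S
    if not lo <= cfg.dpd_timeout_s <= hi:
        findings.append(("dpd_timeout_s", cfg.dpd_timeout_s, DPD_RECOMMENDED_S))
    # A policy-based firewall needs UsePolicyBasedTrafficSelectors on the Azure connection.
    if cfg.policy_based and not use_policy_based_selectors:
        findings.append(("UsePolicyBasedTrafficSelectors", use_policy_based_selectors, True))
    return findings

# Constructed sample: lifetimes and DPD left at a vendor template default instead of
# being copied from the old firewall, a common slip during a device swap.
SAMPLE_REPLACEMENT_FIREWALL = OnPremTunnel(
    phase1_lifetime_s=86400, phase2_lifetime_s=43200, dpd_timeout_s=10, policy_based=False)

if __name__ == "__main__":
    for setting, got, want in check_tunnel(SAMPLE_REPLACEMENT_FIREWALL):
        print(f"{setting}: on-prem {got}, Azure expects {want}")
```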

0 additional answers

