I have a site-to-site VPN connection that I started having difficulty with about 3 weeks ago after a power outage at the remote site. We were able to get the tunnel reestablished and it has been in a "Connected" state ever since. However, multiple times a day, I will need to use the Azure Portal to "Reset" that individual connection in order to allow traffic to pass. This is problematic because 1)I don't want to keep doing this manually and 2) we have processes that run at night when no one is monitoring to reset the connection. I'm wondering what's going on here to allow the tunnel to remain in a "Connected" state yet packets aren't able to traverse. Would doing a Gateway reset possibly be worth a try? Any feedback would be welcome. Thanks! Brian

Hi Brian, I may not be able to provide you a solution without taking a look at the IKE logs during the time of issue. But I can suggest you possible issues which I have seen in the past : Issue with Quick mode re-key. When the SA lifetime ends for phase 2, Main mode is still up but there could be issue with re-key and due to which the tunnel status shows as connected but the traffic will not pass through. When you bounce the tunnel, you can get the MM re-negotiated which brings back the traffic. Is your On-Prem VPN device is listed in the validated/ supported VPN vendors? ( https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices#devicetable ) It is recommended to use the validated devices with the version mentioned to avoid any unknown issues. Suggestion, can you try to maximize the phase 2 SA lifetime parameter ? Regards, Karthik Srinivas

Why do I have to keep resetting one of my Virtual Network Gateway site-to-site connections to allow traffic to pass

Accepted answer

msrini-MSFT 9,261 Reputation points Microsoft Employee

2023-10-21T10:08:52.1766667+00:00
Hi Brian,

I may not be able to provide you a solution without taking a look at the IKE logs during the time of issue. But I can suggest you possible issues which I have seen in the past :

Issue with Quick mode re-key. When the SA lifetime ends for phase 2, Main mode is still up but there could be issue with re-key and due to which the tunnel status shows as connected but the traffic will not pass through. When you bounce the tunnel, you can get the MM re-negotiated which brings back the traffic.

Is your On-Prem VPN device is listed in the validated/ supported VPN vendors? (https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices#devicetable)

It is recommended to use the validated devices with the version mentioned to avoid any unknown issues.

Suggestion, can you try to maximize the phase 2 SA lifetime parameter ?

Regards,

Karthik Srinivas
Please sign in to rate this answer.

1 person found this answer helpful.
Brian Davis 56 Reputation points

2023-10-23T16:55:17.04+00:00

Hi @msrini-MSFT and thanks for your thoughts! I will definitely investigate option number 1. As for number 2, yes, the device is on the list of supported devices, but I'll take a look at the configuration guide in case it may prove fruitful. I'll do some research and report back. Thanks for guiding where to look!

Brian

Brian Davis 56 Reputation points

2023-10-27T17:40:06.37+00:00

So, I've reviewed the device configuration on the remote end, which is a supported Sonicwall device. Keep alives aren't enabled and the "Do not send trigger packet during IKE SA negotiation" setting isn't enabled. So, the first order of business is to get that in-line with what the Azure documentation recommends. I'll report back on the mileage that offers.

Brian

Brian Davis 56 Reputation points

2023-10-31T17:57:27.31+00:00

So, after the changes I mentioned above were made to bring the remote end up to spec, we're still having the same problem. Any other suggestions? Should we try a whole gateway reset? Thanks in advance for any further suggestions.

ChaitanyaNaykodi-MSFT 23,816 Reputation points Microsoft Employee

2023-11-07T04:13:15.77+00:00

@Brian Davis

You can refer to this documentation before trying to reset the VPN Gateway. I think following troubleshooting steps can also help determine the issue.

Enable Diagnostic logging for the VPN Gateway and check if you can find any issue in IKEDiagnosticLog for the VPN connection.

Perform packet capture for the VPN and see if that helps in troubleshooting the issue.

Thank you!

Brian Davis 56 Reputation points

2023-11-07T17:41:03.4466667+00:00

@ChaitanyaNaykodi-MSFT Thanks for the suggestion to enable IKEDiagnostic logging. I may try this to see what it reveals. I have TunnelDiagnosticLogging enabled, but forgot there are other logs. I'll enable and report back. Thanks again.

ChaitanyaNaykodi-MSFT 23,816 Reputation points Microsoft Employee

2023-11-08T02:36:16.8233333+00:00

Sounds good, thank you for letting me know.

Brian Davis 56 Reputation points

2023-11-08T16:08:59.1533333+00:00

I think may have been correct with the Quick Mode rekey thought. I enabled IKEDiagnosticLog logging (thanks again @ChaitanyaNaykodi-MSFT for that suggestion) and after reviewing the messages can see a policy mismatch that I believe is occurring after the Quick Mode (Phase 2) SA lifetime expires. In the offer from the remote end, it's expecting Perfect Forward Secrecy set to None and after inspecting my end's configuration, I did not match. I made a change to match and will inspect after the lifetime expires to see if the tunnel remains up. Will report back, hopefully with a positive result.

Brian Davis 56 Reputation points

2023-11-09T16:05:03.1766667+00:00

Just to close the loop on this, it appears that the change was successful. The enhanced visibility given by enabling the IKEDiagnosticLog allowed me to investigate the Quick Mode rekey issue so thanks to @msrini-MSFT and @ChaitanyaNaykodi-MSFT for their help in resolving the issue.

ChaitanyaNaykodi-MSFT 23,816 Reputation points Microsoft Employee

2023-11-14T00:26:11.3733333+00:00

You are welcome. Glad to know the issue was resolved.
Sign in to comment

Share via

Why do I have to keep resetting one of my Virtual Network Gateway site-to-site connections to allow traffic to pass

0 additional answers