Azure site-to-site IPSec delete requests

Question

We have recently setup a site-to-site VPN tunnel with Azure from our 1200D's (HA).

Traffic (ping) is working to the Azure VPN and back. No problems there.

The problem is that when there is no traffic, VPN is brought down by request of Azure as it seems.

2016-06-09 08:37:38 ike 1: comes azure.external.ip.adress:500->our.external.vpn.ip:500,ifindex=36....
2016-06-09 08:37:38 ike 1: IKEv2 exchange=INFORMATIONAL id=4b56657b5863a222/69ad09fb52ca1223:0000026f len=72
2016-06-09 08:37:38 ike 1: in 4B56657B5863A22269AD09FB52CA12232E2025080000026F000000482A00002C42295E2308A0A4C88E6C7BC2262317A57039EAD293B191BDEA59F36F11032B19638DD7399329F9B2
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: dec 4B56657B5863A22269AD09FB52CA12232E2025080000026F0000002C2A0000040000000C0304000190ACD1C8
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: received informational request
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: processing delete request (proto 3)
2016-06-09 08:37:38 ike 1:VPN-Azure: deleting IPsec SA with SPI 90acd1c8
2016-06-09 08:37:38 ike 1:VPN-Azure:VPN-Azure-MGMT: deleted IPsec SA with SPI 90acd1c8, SA count: 0
2016-06-09 08:37:38 ike 1:VPN-Azure: sending SNMP tunnel DOWN trap for VPN-Azure-MGMT
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: sending delete ack
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: enc 0000000C0304000114A55E4603020103
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: out 4B56657B5863A22269AD09FB52CA12232E2025200000026F000000482A00002CFD94B85D2F62ECFAFF2A1DAD36F235CD87C6769B4D4E96A3C7DF2EBE86B41B79AB21FB7776C5E600
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: sent IKE msg (INFORMATIONAL_RESPONSE): our.external.vpn.ip:500->azure.external.ip.adress:500, len=72, id=4b56657b5863a222/69ad09fb52ca1223:0000026f
2016-06-09 08:37:39 ike 1:VPN-Azure: link is idle 36 our.external.vpn.ip->azure.external.ip.adress:0 dpd=1 seqno=350e

Phase2 selectors

    edit "VPN-Azure-Servers1"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set dhgrp 5 2 1
        set keepalive enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set src-subnet internal.server1.network 255.255.254.0
        set dst-subnet azure.server1.network 255.255.254.0
    next
    edit "VPN-Azure-MGMT"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set dhgrp 5 2 1
        set keepalive enable
        set auto-negotiate enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set src-subnet internal.mgmt.network 255.255.254.0
        set dst-subnet azure.mgmt.network 255.255.254.0
    next
    edit "VPN-Azure-Servers2"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set dhgrp 5 2 1
        set keepalive enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set src-subnet internal.server2.network 255.255.252.0
        set dst-subnet azure.server2.network 255.255.252.0
    next
    edit "VPN-Azure-MGMT-SRV1"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set dhgrp 5 2 1
        set keepalive enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set src-subnet internal.mgmt.network 255.255.254.0
        set dst-subnet azure.server1.network 255.255.254.0
    next
    edit "VPN-Azure-MGMT-SRV2"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set dhgrp 5 2 1
        set keepalive enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set src-subnet internal.mgmt.network 255.255.254.0
        set dst-subnet azure.server2.network 255.255.252.0
    next
    edit "VPN-Azure-Servers1-SRV2"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set dhgrp 5 2 1
        set keepalive enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set src-subnet internal.server1.network 255.255.254.0
        set dst-subnet azure.server2.network 255.255.252.0
    next
    edit "VPN-Azure-Servers2-SRV1"
        set phase1name "VPN-Azure"
        set keepalive enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set src-subnet internal.server2.network 255.255.252.0
        set dst-subnet azure.server1.network 255.255.254.0
    next
end

MrSinners · Answer

Hello,

Have you followed the guidelines as mentioned by azure listed at:

https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-about-vpn-devices/

The IKEv2 config mentions no life time based upon KB, while it's configured on your FG.

Can you also post your phase 1 config?

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded