VPN Egress Port changed after passing traffic to Azure Load Balancer
I've been troubleshooting an intermittent FortiClient VPN user issue for MONTHS. I finally caught it in the act with TAC and MS Support. Still no answer, so I'm sharing the oddity here.
VPN clients have traffic stop until DPD times them out. This happens to any user, on any ISP, at any time of day.
The client is on port 61020 to port 4500 on the firewall... a typical NAT-T session.
They were fully connected and working, then... traffic stops.
Here's the output of the sniffer 4 0 1 capture from the client-side FW:
2026-03-09 14:47:24.661204 port3 out HQ-IP.61020 -> AZ-IP.4500: udp 344
2026-03-09 14:47:24.688854 port3 in AZ-IP.4500 -> HQ-IP.61020: udp 536
2026-03-09 14:47:24.733526 port3 out HQ-IP.61020 -> AZ-IP.4500: udp 88
2026-03-09 14:47:25.441206 port3 in AZ-IP.4500 -> HQ-IP.61020: udp 104
2026-03-09 14:47:25.441821 port3 out HQ-IP.61020 -> AZ-IP.4500: udp 104
2026-03-09 14:47:26.451448 port3 in AZ-IP.57802 -> HQ-IP.61020: udp 104 WTF?
2026-03-09 14:47:27.963936 port3 out HQ-IP.61020 -> AZ-IP.4500: udp 1
2026-03-09 14:47:29.415567 port3 out HQ-IP.61020 -> AZ-IP.4500: udp 168
Looking at the Azure-based VM, packets are still egressing on port 4500...
Has anyone ever seen this, and most importantly, know how to resolve it?
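An added example (not part of the original post) for anyone trying to catch the same pattern in a longer capture: a small Python script that parses FortiGate verbose-4 sniffer lines in the format shown above, tracks the peer port each NAT-T session was established with, and flags any packet where the peer suddenly uses a different port. The sample capture embedded below is constructed to mirror the post's lines (same placeholder names `HQ-IP` and `AZ-IP`, same ports); the line format and the detection rule are the only assumptions.

```python
import re
from dataclasses import dataclass

# One FortiGate "diagnose sniffer packet" verbose-4 line, as pasted in the post:
# "2026-03-09 14:47:26.451448 port3 in AZ-IP.57802 -> HQ-IP.61020: udp 104"
# Host and port are separated by the last dot, so \S+ backtracks to the
# final ".<digits>" for both dotted-quad IPs and placeholder names.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\S+)\.(?P<sport>\d+) -> (?P<dst>\S+)\.(?P<dport>\d+): udp (?P<length>\d+)"
)


@dataclass(frozen=True)
class Packet:
    ts: str
    direction: str   # "in" or "out" relative to the capturing firewall
    src: str
    sport: int
    dst: str
    dport: int
    length: int


@dataclass(frozen=True)
class PortShift:
    ts: str
    local: str        # local endpoint, e.g. "HQ-IP:61020"
    peer: str         # peer address, e.g. "AZ-IP"
    expected_port: int
    seen_port: int
    direction: str


def parse_line(line):
    """Return a Packet for a UDP sniffer line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Packet(m["ts"], m["dir"], m["src"], int(m["sport"]),
                  m["dst"], int(m["dport"]), int(m["length"]))


def find_port_shifts(lines):
    """Flag packets whose peer port differs from the port the session started on.

    A session is keyed by (local ip, local port, peer ip); the peer port seen
    on the first packet of that session is the expected one. For NAT-T that
    is normally 4500 in both directions for the life of the tunnel.
    """
    expected = {}
    shifts = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt.direction == "out":
            local_ip, local_port, peer, peer_port = pkt.src, pkt.sport, pkt.dst, pkt.dport
        else:
            local_ip, local_port, peer, peer_port = pkt.dst, pkt.dport, pkt.src, pkt.sport
        key = (local_ip, local_port, peer)
        if key not in expected:
            expected[key] = peer_port
        elif peer_port != expected[key]:
            shifts.append(PortShift(pkt.ts, f"{local_ip}:{local_port}", peer,
                                    expected[key], peer_port, pkt.direction))
    return shifts


# Constructed sample, copied from the post's capture (placeholder IPs kept).
SAMPLE_CAPTURE = """\
2026-03-09 14:47:24.661204 port3 out HQ-IP.61020 -> AZ-IP.4500: udp 344
2026-03-09 14:47:24.688854 port3 in AZ-IP.4500 -> HQ-IP.61020: udp 536
2026-03-09 14:47:24.733526 port3 out HQ-IP.61020 -> AZ-IP.4500: udp 88
2026-03-09 14:47:25.441206 port3 in AZ-IP.4500 -> HQ-IP.61020: udp 104
2026-03-09 14:47:25.441821 port3 out HQ-IP.61020 -> AZ-IP.4500: udp 104
2026-03-09 14:47:26.451448 port3 in AZ-IP.57802 -> HQ-IP.61020: udp 104
2026-03-09 14:47:27.963936 port3 out HQ-IP.61020 -> AZ-IP.4500: udp 1
2026-03-09 14:47:29.415567 port3 out HQ-IP.61020 -> AZ-IP.4500: udp 168
""".splitlines()


if __name__ == "__main__":
    for s in find_port_shifts(SAMPLE_CAPTURE):
        print(f"{s.ts} {s.direction:>3} {s.peer} port {s.expected_port} -> {s.seen_port} "
              f"(session {s.local})")
```

Run against a full `diagnose sniffer packet` dump saved to a file, it prints one line per packet where the peer port moved, which makes it easy to line the shift up with the moment the client's traffic stopped and DPD started counting. A peer that keeps answering from 4500 and then shows up from a high port mid-session, while the client keeps sending to 4500, is the signature in the post's capture.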
