FortiGate
saleha
Staff & Editor
Article Id 295793
Description: This article describes a situation where, when a new IPsec tunnel is deployed between a FortiGate and an Azure Vnet server, the tunnel does not form, or the phase1 SA flaps between the established and connecting statuses.
Scope: Forming a tunnel between a FortiGate and an Azure Vnet server.
Solution
  • Check whether the Security Association is established between the two sides, and whether its status is flapping, by running the CLI command below several times at short intervals:

diagnose vpn ike gateway list name <phase1 name>

 

  • Then check whether ESP packets are being sent and received by the firewall using the sniffer command:

diagnose sniffer packet any "host <vnet public ip> and esp" 4 0 l

 

  • If the traffic is bidirectional, the negotiation itself is assumed to be failing, and the usual comparison of parameters between the two sides can begin. Otherwise, check the events for this traffic on the FortiGate side using the IKE debug:

diagnose vpn ike log-filter dst-addr4 <vnet public ip>

diagnose debug application ike -1

diagnose debug enable

 

To stop the debugs, run the following commands:

 

diagnose debug disable
diagnose debug reset

 

Note:

Starting from v7.4.1, the 'diagnose vpn ike log-filter dst-addr4' command has been changed to 'diagnose vpn ike log filter rem-addr4'.
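As an added example (not code from the article or from Fortinet), the following Python script automates the first two checks above: it reads several snapshots of 'diagnose vpn ike gateway list' output to decide whether the phase1 SA is flapping, counts ESP packets per direction in a sniffer capture to decide whether the traffic is bidirectional, and then names the next step the article gives (compare parameters, or collect the IKE debug). The sample outputs, the phase1 name to_azure, the addresses and the exact field layout are constructed assumptions that only imitate the shape of FortiOS output; only the 'status:' line and the 'in'/'out' sniffer lines are parsed.

```python
"""Triage helpers for two FortiGate IPsec checks: SA status across repeated
'diagnose vpn ike gateway list' runs, and ESP direction in a sniffer capture.

Added example. The sample outputs below are constructed to imitate the shape
of FortiOS output and were not captured from a device.
"""
import re
from collections import Counter

# Three constructed snapshots of 'diagnose vpn ike gateway list name to_azure',
# taken a few seconds apart. Only the 'status:' line is parsed.
GATEWAY_SAMPLES = [
    "name: to_azure\n"
    "addr: 203.0.113.10:500 -> 198.51.100.20:500\n"
    "  direction: initiator\n"
    "  status: connecting, since: 2024-03-01 10:00:02\n",
    "name: to_azure\n"
    "addr: 203.0.113.10:500 -> 198.51.100.20:500\n"
    "  direction: initiator\n"
    "  status: established, since: 2024-03-01 10:00:09\n",
    "name: to_azure\n"
    "addr: 203.0.113.10:500 -> 198.51.100.20:500\n"
    "  direction: initiator\n"
    "  status: connecting, since: 2024-03-01 10:00:21\n",
]

# Constructed capture from
#   diagnose sniffer packet any "host 198.51.100.20 and esp" 4 0 l
# Only outbound ESP appears: the FortiGate is sending but nothing comes back.
SNIFFER_SAMPLE = """\
interfaces=[any]
filters=[host 198.51.100.20 and esp]
2024-03-01 10:00:10.101 port1 out 203.0.113.10 -> 198.51.100.20: ESP(spi=0x4a1b2c3d,seq=0x1)
2024-03-01 10:00:11.204 port1 out 203.0.113.10 -> 198.51.100.20: ESP(spi=0x4a1b2c3d,seq=0x2)
2024-03-01 10:00:12.307 port1 out 203.0.113.10 -> 198.51.100.20: ESP(spi=0x4a1b2c3d,seq=0x3)

3 packets received by filter
0 packets dropped by kernel
"""

STATUS_RE = re.compile(r"^\s*status:\s*([a-z]+)", re.MULTILINE)
# Assumed line shape: '<date> <time> <interface> <in|out> <src> -> <dst>: ESP('
ESP_LINE_RE = re.compile(
    r"^\S+ \S+ (?P<intf>\S+) (?P<dir>in|out) (?P<src>\S+) -> (?P<dst>\S+): ESP\(",
    re.MULTILINE,
)


def ike_sa_status(listing):
    """Return the phase1 SA status word from one gateway listing ('absent' if none)."""
    m = STATUS_RE.search(listing)
    return m.group(1) if m else "absent"


def sa_verdict(statuses):
    """Classify a sequence of status samples taken at short intervals."""
    if not statuses:
        return "no output"
    if all(s == "established" for s in statuses):
        return "stable"
    if "established" not in statuses:
        return "never established"
    first_up = statuses.index("established")
    # Established at some point but dropped back afterwards: the flap the article describes.
    if any(s != "established" for s in statuses[first_up:]):
        return "flapping"
    return "came up"


def esp_direction_counts(capture):
    """Count ESP packets per sniffer direction ('in' / 'out')."""
    return Counter(m.group("dir") for m in ESP_LINE_RE.finditer(capture))


def esp_verdict(counts):
    """Summarise the direction counts as the article's bidirectional-or-not question."""
    if counts["in"] and counts["out"]:
        return "bidirectional"
    if counts["out"]:
        return "outbound only"
    if counts["in"]:
        return "inbound only"
    return "none"


def triage(gateway_samples, capture):
    """Combine both checks and point at the next step the article gives."""
    statuses = [ike_sa_status(s) for s in gateway_samples]
    counts = esp_direction_counts(capture)
    esp = esp_verdict(counts)
    if esp == "bidirectional":
        next_step = "compare phase1/phase2 parameters on both sides"
    else:
        next_step = "collect IKE debug: diagnose debug application ike -1"
    return {
        "statuses": statuses,
        "sa": sa_verdict(statuses),
        "esp_in": counts["in"],
        "esp_out": counts["out"],
        "esp": esp,
        "next_step": next_step,
    }


if __name__ == "__main__":
    for key, value in triage(GATEWAY_SAMPLES, SNIFFER_SAMPLE).items():
        print(f"{key}: {value}")
```

With the constructed samples the SA is reported as flapping and the ESP traffic as outbound only, so the script points at the IKE debug as the next step; on a real unit you would paste the actual CLI output into the two inputs, and the parsers may need adjusting if the output layout on your firmware differs from the assumed shape.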

 

  • One further troubleshooting step is to set the IPsec tunnel to 'passive' mode on the FortiGate side while changing the Vnet server to use the 'initiator only' option instead of the default option:

config vpn ipsec phase1-interface
    edit <phase1 name>
        set passive-mode enable
    next
end

 

  • A key factor to check, assuming both sides have matching configurations, is that the tunnel is set to match the recommended settings from Microsoft, which can be found at the following link: Default IPsec/IKE parameters
  • Another possible change is to use the default addresses for the phase2 selectors on both the FortiGate and the Vnet server.
  • If IPsec failover fails in an HA cluster, check the Floating IP on Azure and try disabling it.