S2S VPN Connection Custom IPsec policy with client disconnects and never re-establishes

David Boorman 0 Reputation points
2025-03-10T14:22:51.39+00:00

We have a customer that is still using the IKEv1 protocol, and we are doing our best to accommodate them. It is an old connection from years back, and we've always had intermittent disconnects. The connection went down recently and we tried to get them to move to IKEv2; the challenge is that they are still supporting legacy connections with other partners. We decided to at least upgrade our Azure resources from the Basic Gateway SKU to more modern technology, still following Microsoft documentation regarding Phase 1 and Phase 2 options for IKEv1. Working with the client, we were able to establish a connection and data was flowing again (one-way data flow: the client sends us public health and clinical data; we process and report required data to state and federal registries on their behalf). The connection uptime lasted about 24 hours and then it went down again. See below a small section of the IKEDiagnosticLog (IPs, etc. redacted).

```json
{
  "resourceid": "/SUBSCRIPTIONS/0/RESOURCEGROUPS/My-RG/PROVIDERS/MICROSOFT.NETWORK/VIRTUALNETWORKGATEWAYS/My-TEMP-GW",
  "category": "IKEDiagnosticLog",
  "operationName": "IKELogEvent",
  "time": "2025-03-10T12:02:58.2158680Z",
  "level": "Informational",
  "properties": {
    "message": "SESSION_ID :{fdbcd6ae-6f2a-4b6e-82a4-0c2d2c07ec7a} Remote 209.0.0.0:500: Local 52.0.0.0:500: [SEND] Sending QM Packet for tunnel Id 0x5 and tsId 0xEBF: Policy1:Integrity=SHA1 Cipher=AES-CBC-256 LifeTimeSeconds=27000 LifeTimeKB=102400000 ",
    "instance": "GatewayTenantWorker_IN_1"
  },
  "ClientOperationId": "00000000-0000-0000-0000-000000000000",
  "CorrelationRequestId": "00000000-0000-0000-0000-000000000000",
  "GatewayManagerVersion": "24.10.0.115"
} {
  "resourceid": "/SUBSCRIPTIONS/0BE0/RESOURCEGROUPS/My-RG/PROVIDERS/MICROSOFT.NETWORK/VIRTUALNETWORKGATEWAYS/My-GW",
  "category": "IKEDiagnosticLog",
  "operationName": "IKELogEvent",
  "time": "2025-03-10T12:02:58.2159708Z",
  "level": "Informational",
  "properties": {
    "message": "SESSION_ID :{fdbcd6ae-6f2a-4b6e-82a4-0c2d2c07ec7a} Remote 209.0.0.0:500: Local 52.0.0.0:500: [LCOAL_MSG] DPD is turned off for tunnelId 0x5, iCookie 0xD3BC0EC90F7486AC and rCookie 0x73316A583408D9DB",
    "instance": "GatewayTenantWorker_IN_1"
  },
  "ClientOperationId": "00000000-0000-0000-0000-000000000000",
  "CorrelationRequestId": "00000000-0000-0000-0000-000000000000",
  "GatewayManagerVersion": "24.10.0.115"
} {
  "resourceid": "/SUBSCRIPTIONS/0B4E0/RESOURCEGROUPS/My-RG/PROVIDERS/MICROSOFT.NETWORK/VIRTUALNETWORKGATEWAYS/My-GW",
  "category": "IKEDiagnosticLog",
  "operationName": "IKELogEvent",
  "time": "2025-03-10T12:02:58.2218257Z",
  "level": "Informational",
  "properties": {
    "message": "SESSION_ID :{fdbcd6ae-6f2a-4b6e-82a4-0c2d2c07ec7a} Peer sent INVALID_ID_INFORMATION notify",
    "instance": "GatewayTenantWorker_IN_1"
  },
  "ClientOperationId": "00000000-0000-0000-0000-000000000000",
  "CorrelationRequestId": "00000000-0000-0000-0000-000000000000",
  "GatewayManagerVersion": "24.10.0.115"
} {
  "resourceid": "/SUBSCRIPTIONS/0BE0/RESOURCEGROUPS/SOLANOPHL-RG/PROVIDERS/MICROSOFT.NETWORK/VIRTUALNETWORKGATEWAYS/SOLANOPHL-TEMP-GW",
  "category": "IKEDiagnosticLog",
  "operationName": "IKELogEvent",
  "time": "2025-03-10T12:02:58.2218298Z",
  "level": "Informational",
  "properties": {
    "message": "SESSION_ID :{fdbcd6ae-6f2a-4b6e-82a4-0c2d2c07ec7a} IkeCleanupQMNegotiation called with error 13825 and flags 1",
    "instance": "GatewayTenantWorker_IN_1"
  },
  "ClientOperationId": "00000000-0000-0000-0000-000000000000",
  "CorrelationRequestId": "00000000-0000-0000-0000-000000000000",
  "GatewayManagerVersion": "24.10.0.115"
} {
  "resourceid": "/SUBSCRIPTIONS/0B4E0/RESOURCEGROUPS/My-RG/PROVIDERS/MICROSOFT.NETWORK/VIRTUALNETWORKGATEWAYS/My-GW",
  "category": "IKEDiagnosticLog",
  "operationName": "IKELogEvent",
  "time": "2025-03-10T12:02:58.2218370Z",
  "level": "Error",
  "properties": {
    "message": "(Error)[Remote] 209.0.0.0:500 [Local] 52.0.0.0:500 [SESSION_ID] {fdbcd6ae-6f2a-4b6e-82a4-0c2d2c07ec7a} [ConnType] IKEv1-S2S [ICookie] 0xD3BC0EC90F7486AC [RCookie] 0x73316A583408D9DB [TunnelId] 5 [TSId] 3775 [InboundSPI] 0x0 [OutboundSPI] 0x0 [IkeEvent] SA_NEGOTIATION_FAILED For [SA_type] QM_SA [FailureDirection] Inbound [SAEstablished] false [ErrorCode]13825 [ErrorMessage] No policy configured\r\n",
    "instance": "GatewayTenantWorker_IN_1"
  },
  "ClientOperationId": "00000000-0000-0000-0000-000000000000",
  "CorrelationRequestId": "00000000-0000-0000-0000-000000000000",
  "GatewayManagerVersion": "24.10.0.115"
} {
  "resourceid": "/SUBSCRIPTIONS/0BE0/RESOURCEGROUPS/My-RG/PROVIDERS/MICROSOFT.NETWORK/VIRTUALNETWORKGATEWAYS/My-GW",
  "category": "IKEDiagnosticLog",
  "operationName": "IKELogEvent",
  "time": "2025-03-10T12:02:58.2218571Z",
  "level": "Informational",
  "properties": {
    "message": "SESSION_ID :{fdbcd6ae-6f2a-4b6e-82a4-0c2d2c07ec7a} Remote 209.0.0.0:500: Local 52.0.0.0:500: tunnelId 0x5, iCookie 0xD3BC0EC90F7486AC and rCookie 0x73316A583408D9DB No Phase2 qms left on active connection",
    "instance": "GatewayTenantWorker_IN_1"
  },
  "ClientOperationId": "00000000-0000-0000-0000-000000000000",
  "CorrelationRequestId": "00000000-0000-0000-0000-000000000000",
  "GatewayManagerVersion": "24.10.0.115"
} {
  "resourceid": "/SUBSCRIPTIONS/0BE0/RESOURCEGROUPS/My-RG/PROVIDERS/MICROSOFT.NETWORK/VIRTUALNETWORKGATEWAYS/My-GW",
  "category": "IKEDiagnosticLog",
  "operationName": "IKELogEvent",
  "time": "2025-03-10T12:02:58.2240097Z",
  "level": "Informational",
  "properties": {
    "message": "SESSION_ID :{fdbcd6ae-6f2a-4b6e-82a4-0c2d2c07ec7a} Remote 209.0.0.0:500: Local 52.0.0.0:500: [RECEIVED][SA_DELETE] Received IKE SA delete message for tunnelid 0x5 ",
    "instance": "GatewayTenantWorker_IN_1"
  },
  "ClientOperationId": "00000000-0000-0000-0000-000000000000",
  "CorrelationRequestId": "00000000-0000-0000-0000-000000000000",
  "GatewayManagerVersion": "24.10.0.115"
} {
  "resourceid": "/SUBSCRIPTIONS/0B0/RESOURCEGROUPS/My-RG/PROVIDERS/MICROSOFT.NETWORK/VIRTUALNETWORKGATEWAYS/My-GW",
  "category": "IKEDiagnosticLog",
  "operationName": "IKELogEvent",
  "time": "2025-03-10T12:02:58.2240141Z",
  "level": "Informational",
  "properties": {
    "message": "SESSION_ID :{fdbcd6ae-6f2a-4b6e-82a4-0c2d2c07ec7a} IkeCleanupMMNegotiation called with error 13885 and flags 0",
    "instance": "GatewayTenantWorker_IN_1"
  },
  "ClientOperationId": "00000000-0000-0000-0000-000000000000",
  "CorrelationRequestId": "00000000-0000-0000-0000-000000000000",
  "GatewayManagerVersion": "24.10.0.115"
} {
  "resourceid": "/SUBSCRIPTIONS/00/RESOURCEGROUPS/My-RG/PROVIDERS/MICROSOFT.NETWORK/VIRTUALNETWORKGATEWAYS/My-GW",
  "category": "IKEDiagnosticLog",
  "operationName": "IKELogEvent",
  "time": "2025-03-10T12:02:58.2240338Z",
  "level": "Informational",
  "properties": {
    "message": "SESSION_ID :{fdbcd6ae-6f2a-4b6e-82a4-0c2d2c07ec7a} Remote 209.0.0.0:500: Local 52.0.0.0:500: [LOCAL_MSG] IKE Tunnel closed for tunnelId 0x5 with status Main mode SA lifetime expired or peer sent a main mode delete.",
    "instance": "GatewayTenantWorker_IN_1"
  },
  "ClientOperationId": "00000000-0000-0000-0000-000000000000",
  "CorrelationRequestId": "00000000-0000-0000-0000-000000000000",
  "GatewayManagerVersion": "24.10.0.115"
} {
  "resourceid": "/SUBSCRIPTIONS/0BE0/RESOURCEGROUPS/My-RG/PROVIDERS/MICROSOFT.NETWORK/VIRTUALNETWORKGATEWAYS/My-GW",
  "category": "IKEDiagnosticLog",
  "operationName": "IKELogEvent",
  "time": "2025-03-10T12:02:58.2240514Z",
  "level": "Informational",
  "properties": {
    "message": "SESSION_ID :{fdbcd6ae-6f2a-4b6e-82a4-0c2d2c07ec7a} Not closing tunnel for mm, MM Owns Tunnel = 262144",
    "instance": "GatewayTenantWorker_IN_1"
  },
  "ClientOperationId": "00000000-0000-0000-0000-000000000000",
  "CorrelationRequestId": "00000000-0000-0000-0000-000000000000",
  "GatewayManagerVersion": "24.10.0.115"
}
```

Any help would be greatly appreciated.

Thank you,

DAB
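As an added example (not part of the question and not Microsoft tooling), the script below triages IKEDiagnosticLog records in the shape posted above: it splits the back-to-back JSON objects the portal pastes, groups them by SESSION_ID, and pulls out the Phase 2 proposal the gateway sent, the notify the peer answered with, the gateway's error code and the tunnel-close status. In IKEv1 Quick Mode a peer normally returns INVALID_ID_INFORMATION when it has no policy matching the identities (proxy IDs / traffic selectors) it was offered, so the verdict points at both the Phase 2 transform set and the selectors. The sample records are constructed, modelled on the posted ones; the session ID, addresses and cookies are placeholders.

```python
"""Triage Azure VPN Gateway IKEDiagnosticLog records for an IKEv1 S2S tunnel.

Added example, not from the question or from Microsoft. Parses the
concatenated JSON objects, groups by SESSION_ID and prints a verdict.
"""
import json
import re
from collections import defaultdict

# Constructed sample modelled on the records in the question (session ID,
# addresses and cookies are placeholders). Records are back to back, the
# way the portal output pastes them.
SAMPLE_LOG = r'''
{"category": "IKEDiagnosticLog", "time": "2025-03-10T12:02:58.2158680Z", "level": "Informational",
 "properties": {"message": "SESSION_ID :{fdbcd6ae-6f2a-4b6e-82a4-0c2d2c07ec7a} Remote 209.0.0.0:500: Local 52.0.0.0:500: [SEND] Sending QM Packet for tunnel Id 0x5 and tsId 0xEBF: Policy1:Integrity=SHA1 Cipher=AES-CBC-256 LifeTimeSeconds=27000 LifeTimeKB=102400000 "}}
{"category": "IKEDiagnosticLog", "time": "2025-03-10T12:02:58.2159708Z", "level": "Informational",
 "properties": {"message": "SESSION_ID :{fdbcd6ae-6f2a-4b6e-82a4-0c2d2c07ec7a} Remote 209.0.0.0:500: Local 52.0.0.0:500: [LCOAL_MSG] DPD is turned off for tunnelId 0x5, iCookie 0xD3BC0EC90F7486AC and rCookie 0x73316A583408D9DB"}}
{"category": "IKEDiagnosticLog", "time": "2025-03-10T12:02:58.2218257Z", "level": "Informational",
 "properties": {"message": "SESSION_ID :{fdbcd6ae-6f2a-4b6e-82a4-0c2d2c07ec7a} Peer sent INVALID_ID_INFORMATION notify"}}
{"category": "IKEDiagnosticLog", "time": "2025-03-10T12:02:58.2218370Z", "level": "Error",
 "properties": {"message": "(Error)[Remote] 209.0.0.0:500 [Local] 52.0.0.0:500 [SESSION_ID] {fdbcd6ae-6f2a-4b6e-82a4-0c2d2c07ec7a} [ConnType] IKEv1-S2S [TunnelId] 5 [IkeEvent] SA_NEGOTIATION_FAILED For [SA_type] QM_SA [FailureDirection] Inbound [SAEstablished] false [ErrorCode]13825 [ErrorMessage] No policy configured\r\n"}}
{"category": "IKEDiagnosticLog", "time": "2025-03-10T12:02:58.2240338Z", "level": "Informational",
 "properties": {"message": "SESSION_ID :{fdbcd6ae-6f2a-4b6e-82a4-0c2d2c07ec7a} Remote 209.0.0.0:500: Local 52.0.0.0:500: [LOCAL_MSG] IKE Tunnel closed for tunnelId 0x5 with status Main mode SA lifetime expired or peer sent a main mode delete."}}
'''

# Both "SESSION_ID :{...}" and "[SESSION_ID] {...}" forms occur in the log.
SESSION_RE = re.compile(r"SESSION_ID\]?\s*:?\s*\{([0-9a-fA-F-]+)\}")
PROPOSAL_RE = re.compile(r"Policy\d+:Integrity=(\S+) Cipher=(\S+) "
                         r"LifeTimeSeconds=(\d+) LifeTimeKB=(\d+)")
NOTIFY_RE = re.compile(r"Peer sent (\w+) notify")
FAILURE_RE = re.compile(r"\[IkeEvent\]\s*(\S+) For \[SA_type\]\s*(\S+).*?"
                        r"\[ErrorCode\]\s*(\d+)\s*\[ErrorMessage\]\s*(.*)", re.S)
DPD_OFF_RE = re.compile(r"DPD is turned off for tunnelId (0x[0-9A-Fa-f]+)")
CLOSED_RE = re.compile(r"IKE Tunnel closed for tunnelId (0x[0-9A-Fa-f]+) with status (.*)")


def iter_records(blob):
    """Yield each JSON object from a blob of back-to-back objects."""
    dec, pos = json.JSONDecoder(), 0
    while True:
        while pos < len(blob) and blob[pos].isspace():
            pos += 1
        if pos >= len(blob):
            return
        obj, pos = dec.raw_decode(blob, pos)
        yield obj


def analyse(blob):
    """Group records by SESSION_ID and extract the fields the verdict needs."""
    sessions = defaultdict(lambda: {"events": [], "proposal": None, "notify": None,
                                    "failure": None, "dpd_off": False, "closed": None})
    for rec in iter_records(blob):
        msg = rec.get("properties", {}).get("message", "")
        sid = SESSION_RE.search(msg)
        s = sessions[sid.group(1) if sid else "unknown"]
        s["events"].append((rec.get("time"), rec.get("level"), msg.strip()))
        if m := PROPOSAL_RE.search(msg):
            integ, cipher, secs, kb = m.groups()
            s["proposal"] = (integ, cipher, int(secs), int(kb))
        if m := NOTIFY_RE.search(msg):
            s["notify"] = m.group(1)
        if m := FAILURE_RE.search(msg):
            event, sa_type, code, text = m.groups()
            s["failure"] = (event, sa_type, int(code), text.strip())
        if DPD_OFF_RE.search(msg):
            s["dpd_off"] = True
        if m := CLOSED_RE.search(msg):
            s["closed"] = m.group(2).strip()
    return dict(sessions)


def verdict(s):
    """Turn one session's extracted fields into actionable findings."""
    findings = []
    f = s["failure"]
    if f:
        line = f"{f[1]} negotiation failed: {f[0]}, gateway error {f[2]} '{f[3]}'"
        if f[1] == "QM_SA" and s["proposal"]:
            integ, cipher, secs, kb = s["proposal"]
            line += f"; Azure proposed {cipher}/{integ}, lifetime {secs}s / {kb} KB"
        if s["notify"] == "INVALID_ID_INFORMATION":
            line += ("; peer answered INVALID_ID_INFORMATION, so compare the peer's "
                     "Phase 2 transform set AND its proxy IDs / traffic selectors "
                     "with what Azure sends")
        findings.append(line)
    if s["dpd_off"]:
        findings.append("DPD is off on this tunnel: a silently dead peer is only "
                        "noticed when an SA expires")
    if s["closed"]:
        findings.append(f"tunnel closed: {s['closed']}")
    return findings


if __name__ == "__main__":
    for sid, s in analyse(SAMPLE_LOG).items():
        print(f"session {sid}: {len(s['events'])} events")
        for line in verdict(s):
            print("  -", line)
```

Feed it the raw export of the diagnostic setting (the portal's concatenated objects or the JSON lines from a storage-account blob); records whose message carries no session ID land under "unknown" rather than being dropped.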

Azure VPN Gateway

1 answer
  1. Venkat V 780 Reputation points Microsoft External Staff
    2025-03-12T06:31:14.49+00:00

    Hi @David Boorman

    I'm glad that you were able to identify your issue.

    Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    As I can see, Rohith Vinnakota has provided an approach for the issue you are facing. Kindly review the suggested approach below.

    If the VPN tunnel experiences intermittent disconnections due to Phase 2 mismatches, encryption errors, local ID issues, or DPD problems, it is essential to ensure that the configurations on both ends are aligned.

    To resolve the issue, make sure the Security Association lifetime is configured consistently. For policy-based VPNs, the SA lifetime should be set to 3,600 seconds, while for route-based VPNs it should be 27,000 seconds. If there is a mismatch, the customer firewall settings must be updated accordingly. Follow Microsoft's IPsec/IKE parameters documentation for more details.

    Another reason for the issue is an encryption and hash algorithm mismatch. Only supported cryptographic combinations should be used, such as AES256 with SHA256, AES256 with SHA1, AES128 with SHA1, or 3DES with SHA1. Any deviation from these configurations may result in failed negotiations and disconnections. More information can be found in Supported IKEv1 Algorithms.

    Furthermore, Dead Peer Detection plays a crucial role in maintaining a stable connection. Route-Based VPNs support DPD, and it should be enabled on the customer firewall to ensure the connection remains active. However, policy-based VPNs do not support DPD, meaning that the tunnel must rely on manual reconnection settings to recover from interruptions. More information on this limitation can be found in Microsoft's Policy-Based VPN Documentation.

    Lastly, VPN tunnels can disconnect due to Security Association expiry if the IKE rekey settings are not properly synchronized. Both sides should be configured with the same rekey intervals: IKEv1 Phase 1 Lifetime should be 28,800 seconds (8 hours), while IKEv1 Phase 2 Lifetime should be 27,000 seconds (7.5 hours). Ensuring consistency in these values will prevent unexpected tunnel terminations. More details on IKE/IPsec rekeying can be found in Microsoft's documentation.


    Please click "Accept my answer" if the provided information is helpful. This will assist other community members facing similar issues in finding the correct solution.

    1 person found this answer helpful.
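The following is an added example, not part of the answer and not Microsoft tooling: a side-by-side check of the Azure policy against the peer's that encodes the rules the answer lists (matching SA lifetimes, the four supported cipher/hash pairs, DPD on route-based gateways only, Phase 1 28,800 s / Phase 2 27,000 s) and adds two checks the answer does not spell out but that an IKEv1 Quick Mode also needs: the PFS group and the traffic selectors (proxy IDs, written from each side's own point of view) must agree. Both policy dictionaries are constructed; the Azure-side selectors are illustrative, since a route-based gateway negotiates 0.0.0.0/0 on both sides unless policy-based traffic selectors are enabled on the connection.

```python
"""Side-by-side IKEv1 policy check for an Azure S2S connection.

Added example, not Microsoft tooling. Lifetime values and the supported
cipher/hash pairs are the ones the answer gives; PFS and traffic-selector
checks are additions that IKEv1 Quick Mode needs as well.
"""
import ipaddress

SUPPORTED_IKEV1_PAIRS = {("AES256", "SHA256"), ("AES256", "SHA1"),
                         ("AES128", "SHA1"), ("3DES", "SHA1")}
PHASE1_LIFETIME_S = 28800                                     # 8 h
PHASE2_LIFETIME_S = {"route-based": 27000, "policy-based": 3600}

# Constructed Azure-side custom IPsec policy on a route-based gateway.
# (local, remote) selectors are from Azure's point of view and illustrative.
AZURE = {
    "gateway_type": "route-based",
    "ike_encryption": "AES256", "ike_integrity": "SHA1", "dh_group": "group2",
    "ike_lifetime_s": 28800,
    "ipsec_encryption": "AES256", "ipsec_integrity": "SHA1", "pfs_group": "none",
    "sa_lifetime_s": 27000, "sa_data_kb": 102400000,
    "traffic_selectors": [("10.1.0.0/16", "192.168.0.0/24")],
}
# Constructed peer policy showing typical drift on a legacy firewall;
# (local, remote) is from the peer's point of view.
PEER = {
    "ike_encryption": "AES256", "ike_integrity": "SHA1", "dh_group": "group2",
    "ike_lifetime_s": 28800,
    "ipsec_encryption": "AES256", "ipsec_integrity": "SHA1", "pfs_group": "group2",
    "sa_lifetime_s": 3600, "sa_data_kb": 102400000,
    "traffic_selectors": [("192.168.0.0/24", "10.1.0.0/16"),
                          ("192.168.1.0/24", "10.1.0.0/16")],
    "dpd": False,
}


def _norm_ts(selectors):
    """Canonicalise (local, remote) CIDR pairs so equal networks compare equal."""
    return {(str(ipaddress.ip_network(l, strict=False)),
             str(ipaddress.ip_network(r, strict=False))) for l, r in selectors}


def compare_policies(azure, peer):
    """Return (severity, finding) tuples for every difference that would stop an
    IKEv1 S2S tunnel from negotiating or make it unstable."""
    gw, issues = azure["gateway_type"], []

    def differs(name, a, p, sev="fail"):
        if a != p:
            issues.append((sev, f"{name}: Azure={a!r} peer={p!r}"))

    # Phase 1 (Main Mode): every parameter must agree.
    for k in ("ike_encryption", "ike_integrity", "dh_group", "ike_lifetime_s"):
        differs(f"phase1 {k}", azure[k], peer[k])
    if azure["ike_lifetime_s"] != PHASE1_LIFETIME_S:
        issues.append(("warn", f"phase1 lifetime {azure['ike_lifetime_s']}s, "
                               f"expected {PHASE1_LIFETIME_S}s"))
    # Phase 2 (Quick Mode): transform set, PFS group, lifetimes.
    a_pair = (azure["ipsec_encryption"], azure["ipsec_integrity"])
    p_pair = (peer["ipsec_encryption"], peer["ipsec_integrity"])
    if a_pair not in SUPPORTED_IKEV1_PAIRS:
        issues.append(("fail", f"phase2 transform {a_pair} not in the supported IKEv1 set"))
    differs("phase2 transform", a_pair, p_pair)
    differs("phase2 PFS group", azure["pfs_group"], peer["pfs_group"])
    differs("phase2 SA lifetime (s)", azure["sa_lifetime_s"], peer["sa_lifetime_s"], "warn")
    differs("phase2 SA lifetime (KB)", azure["sa_data_kb"], peer["sa_data_kb"], "warn")
    if azure["sa_lifetime_s"] != PHASE2_LIFETIME_S[gw]:
        issues.append(("warn", f"phase2 lifetime {azure['sa_lifetime_s']}s, expected "
                               f"{PHASE2_LIFETIME_S[gw]}s for a {gw} gateway"))
    # Proxy IDs: the peer's (local, remote) must be Azure's (remote, local).
    a_ts = _norm_ts(azure["traffic_selectors"])
    p_ts = _norm_ts((r, l) for l, r in peer["traffic_selectors"])
    if a_ts != p_ts:
        issues.append(("fail", f"traffic selectors differ: Azure={sorted(a_ts)} "
                               f"peer(flipped)={sorted(p_ts)}"))
    # DPD: wanted on route-based gateways; the answer says policy-based ones lack it.
    if gw == "route-based" and not peer["dpd"]:
        issues.append(("warn", "DPD disabled on peer: a dead peer is only noticed at SA expiry"))
    elif gw == "policy-based" and peer["dpd"]:
        issues.append(("info", "policy-based gateway does not support DPD; peer's DPD is unanswered"))
    return issues


def corrected_peer(peer, azure):
    """Copy of `peer` aligned to `azure` on every knob checked above."""
    keys = ("ike_encryption", "ike_integrity", "dh_group", "ike_lifetime_s",
            "ipsec_encryption", "ipsec_integrity", "pfs_group", "sa_lifetime_s", "sa_data_kb")
    return dict(peer, **{k: azure[k] for k in keys},
                dpd=azure["gateway_type"] == "route-based",
                traffic_selectors=[(r, l) for l, r in azure["traffic_selectors"]])


if __name__ == "__main__":
    for sev, text in compare_policies(AZURE, PEER):
        print(f"[{sev}] {text}")
    print("after correction:", compare_policies(AZURE, corrected_peer(PEER, AZURE)))
```

Run with the real values from `Get-AzIpsecPolicy`/the connection's IPsec policy on one side and the firewall's crypto map or proposal on the other; the selector check is the one most often missed when only the cipher and lifetime columns are compared.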
