Cisco Support Community

Azure VPN and Disconnects

Hi,

I have several L2L VPNs to the Microsoft Azure cloud and I am seeing these random disconnects once every hour or so, and from the logs it looks like a delete message that is sent from the other side. We don't have any timeouts on our side. Has anyone seen this type of issue? We have other L2L tunnels to other places and no issues there.

Thanks


Re: Azure VPN and Disconnects

We are experiencing the exact same issue you are describing. If we keep an RDP session open, about every 57 minutes it disconnects briefly, then the VPN comes back online.

In the case we have open with Microsoft, they said to look at what's called the Quick mode security association lifetime. For Azure, it's hard coded at an hour. 3600 seconds is what it needs to be on the Cisco side. Apparently if it is set to more than this, Azure will disconnect.

Here are our settings, however, which seem to indicate we have things set up as they suggest.

crypto map External_map4 13 match address External_cryptomap_12
crypto map External_map4 13 set peer [ip address removed for security of this post]
crypto map External_map4 13 set ikev1 transform-set ESP-AES-256-SHA
crypto map External_map4 13 set security-association lifetime seconds 3600
!
crypto ikev1 policy 3
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
!
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
!
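
An offline check of the lifetime rule from the post above, as an added example that is not part of the original thread or of any Cisco tooling: it parses ASA `crypto map` lines and flags entries toward Azure peers whose IPsec SA lifetime exceeds 3600 seconds, including entries that silently inherit a global or default value. The peer addresses, map entries 14 and 15, and the 28800-second default applied when no lifetime is configured are assumptions.

```python
import re

AZURE_QM_LIFETIME = 3600      # seconds; the value Microsoft support quoted in the thread
ASA_DEFAULT_LIFETIME = 28800  # assumption: ASA default when no lifetime is configured

# Constructed sample config: documentation-range peers, entries 14 and 15 invented.
SAMPLE_CONFIG = """\
crypto map External_map4 13 match address External_cryptomap_12
crypto map External_map4 13 set peer 192.0.2.10
crypto map External_map4 13 set security-association lifetime seconds 3600
crypto map External_map4 14 match address External_cryptomap_13
crypto map External_map4 14 set peer 192.0.2.20
crypto map External_map4 15 set peer 192.0.2.30
crypto map External_map4 15 set security-association lifetime seconds 7200
crypto map External_map4 interface outside
"""

ENTRY = re.compile(r"crypto map (\S+) (\d+) set (peer|security-association lifetime seconds) (.+)")
GLOBAL = re.compile(r"crypto ipsec security-association lifetime seconds (\d+)")


def audit_lifetimes(config, azure_peers, limit=AZURE_QM_LIFETIME):
    """Return (map, seq, seconds, source) for Azure entries whose lifetime exceeds limit."""
    entries, fallback, source = {}, ASA_DEFAULT_LIFETIME, "default"
    for line in map(str.strip, config.splitlines()):
        if (g := GLOBAL.fullmatch(line)):
            fallback, source = int(g.group(1)), "global"    # applies to entries without their own value
        elif (m := ENTRY.fullmatch(line)):
            entry = entries.setdefault((m.group(1), int(m.group(2))), {"peers": set()})
            if m.group(3) == "peer":
                entry["peers"].update(m.group(4).split())   # an entry may list several peers
            else:
                entry["seconds"] = int(m.group(4).split()[0])
    findings = []
    for (name, seq), entry in sorted(entries.items()):
        if not entry["peers"] & set(azure_peers):
            continue                                        # not an Azure tunnel
        seconds = entry.get("seconds", fallback)            # per-entry value wins over the fallback
        if seconds > limit:
            findings.append((name, seq, seconds, "entry" if "seconds" in entry else source))
    return findings


if __name__ == "__main__":
    for finding in audit_lifetimes(SAMPLE_CONFIG, {"192.0.2.10", "192.0.2.20", "192.0.2.30"}):
        print("lifetime above %d s: %s seq %d uses %d s (%s)" % ((AZURE_QM_LIFETIME,) + finding))
```
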

Re: Azure VPN and Disconnects

I have seen lots of these issues.

I've done numerous L2L VPN setups for Microsoft Azure (which is total crap).

Most if not all these issues are going to be on their side.

Check for mismatched ACLs.

A lot of times, they put the wrong subnet mask on their Interesting Traffic.

Just make sure your lifetimes are correct, and verify with captures etc.

If I remember correctly, they also wanted some weird keepalive values as well.

I apologize if this isn't much help, just wanted to give my experience with dealing with Azure.
