Azure VPN (IKEv2) intermittent

Here to help

Azure VPN (IKEv2) intermittent

With IKEv2 (route-based) Azure VPN Gateway implementation the IIPSEC connection is flapping and being disconnected. Getting following event logs:


May 17 16:13:09 Non-Meraki / Client VPN negotiationmsg: <remote-peer-2|2796> CHILD_SA net-2{4534} established with SPIs cbc00e6e(inbound) 56318360(outbound) and TS ===
May 17 16:13:03 Non-Meraki / Client VPN negotiationmsg: <remote-peer-2|2796> IKE_SA remote-peer-2[2796] established between[][]
May 17 16:08:41  time: 1558073318, pkts_recv: 141831, daq_analyzed: 141831  more »
May 17 16:05:24 Non-Meraki / Client VPN negotiationmsg: <remote-peer-2|2793> CHILD_SA net-2{4532} established with SPIs ce309784(inbound) aa7423e2(outbound) and TS ===
May 17 16:05:14 Non-Meraki / Client VPN negotiationmsg: <remote-peer-2|2793> IKE_SA remote-peer-2[2793] established between[][]
May 17 16:05:14 Non-Meraki / Client VPN negotiationmsg: <remote-peer-2|2792> deleting IKE_SA remote-peer-2[2792] between[][]


There is another tunnel between DrayTek Vigore and same Azure VPN gateway which is working fine. 


Anybody having issue like this?




Kind of a big deal

What version of firmware are you running on the MX? There's a thread from earlier this year that discusses a way to work with support to get 15.x to support IKEv2. Most of the changes to it, it looks like you're going to have to work with Support.

Running MX 15.13 and support activate IKEv2 from backend. But issue is the tunnel is not stable. 

Getting noticed

Are you certain the VPN tunnel is getting to Phase 2 IPSEC here? From the piece you've copied all I am seeing is phase 1.

Is there a chance you could snatch us a packet capture of traffice from Internet outbound? Might be some indications there why its not stable.

Unfortunately I don't have the setup any more. Installed strongSwan in a VM and did site-to-site VPN (IKEv1) with Mearki which is working absolty fine. 


looks like after tunnel lifetime the tunnel is removed. If there is traffic going through the tunnel it would keep the tunnel up.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.