Virtual network gateway keeps disconnecting

Question

Virtual network gateway keeps disconnecting

Stuart P 25

Our virtual network gateway has started randomly disconnecting our physical offices from the vpn. This seems to have started since changing to standard public IP address. If I reset the gateway it brings the connections back up. Sometimes they will stay up for a day. Other times it disconnects again after a few minutes. Our routers are Draytek so not officially supported but they have worked like this for years.

Constantly resetting the connection isn't a viable long term solution. Would welcome any other steps I can try to resolve this.

Ganesh Patapati 8,755 Reputation points Microsoft External Staff Moderator

2025-07-24T13:11:31.2933333+00:00

Hello Stuart P

We haven't heard back from you regarding our last response and wanted to check if you had the opportunity to review our previous post.

Please let us know if you have any questions or concerns. We are happy to assist you.
Stuart P 25 Reputation points

2025-07-24T14:01:58.3033333+00:00

Hi Ganesh

Is there a way I can find out from Azure why the connections are being dropped? I have had to reset the gateway 5 times today and 7 times yesterday. It isn't sustainable. It has been rock solid since it was set up in 2019. Over that time the only config change was from Basic to Standard public IP address (mandated by Microsoft) and I had to delete and recreate the virtual network gateway. This had to be done in Power Shell because Microsoft have inexplicably removed the Basic SKU from the portal.

It's a site to site so the points about client versions etc don't apply.
Ganesh Patapati 8,755 Reputation points Microsoft External Staff Moderator

2025-07-24T19:09:14.6033333+00:00

Hello Stuart P

You can check on the firewall and also check the VPN diagnostic logs.

The TunnelDiagnosticLog table is helpful for examining the historical connectivity status of the tunnel.

Refer: TunnelDiagnosticLog

The Perfect Forward Secrecy feature can cause the disconnection problems. If the VPN device has Perfect forward Secrecy enabled, disable the feature. Then update the virtual network gateway IPsec policy.

I hope this has been helpful!

If the above is unclear or you are unsure about something, please add a comment below.
Ganesh Patapati 8,755 Reputation points Microsoft External Staff Moderator

2025-07-25T12:10:11.2566667+00:00

Hello Stuart P

We haven't heard back from you regarding our last response and wanted to check if you had the opportunity to review our previous post.

Please let us know if you have any questions or concerns. We are happy to assist you.
Stuart P 25 Reputation points

2025-07-25T14:50:46.6033333+00:00

I tried to follow the article about tunnel diagnostics and failed. It looks like something we need to set up (https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/create-diagnostic-settings) and that article talks about using Diagnostic Settings under Monitoring to do so.

I don't have such an entry under Monitoring. I have Logs, Alerts, Metrics, BGP peers and Recommendations.

I've tried to use the Logs and S2S tunnel connet/disconnect events but that just gives me an error:

'project' operator: Failed to resolve scalar expression named 'remoteIP_s'

Request id: 13fe6ae0-145d-4e17-bc90-01e1ac013d24

Perfect forward secrecy is disabled.

Am on the verge of giving up with this VPN and buying a server to bring the service I need to run in house.
Ganesh Patapati 8,755 Reputation points Microsoft External Staff Moderator

2025-07-29T12:28:52.2666667+00:00

Hello Stuart P

I have Initiated a private message with you. Please provide the following details so I can continue troubleshooting the issue.

Accepted answer

1 additional answer

Your answer

Ganesh Patapati 8,755 Reputation points Microsoft External Staff Moderator

2025-07-24T13:11:31.2933333+00:00

Hello Stuart P

We haven't heard back from you regarding our last response and wanted to check if you had the opportunity to review our previous post.

Please let us know if you have any questions or concerns. We are happy to assist you.
Stuart P 25 Reputation points

2025-07-24T14:01:58.3033333+00:00

Hi Ganesh

Is there a way I can find out from Azure why the connections are being dropped? I have had to reset the gateway 5 times today and 7 times yesterday. It isn't sustainable. It has been rock solid since it was set up in 2019. Over that time the only config change was from Basic to Standard public IP address (mandated by Microsoft) and I had to delete and recreate the virtual network gateway. This had to be done in Power Shell because Microsoft have inexplicably removed the Basic SKU from the portal.

It's a site to site so the points about client versions etc don't apply.
Ganesh Patapati 8,755 Reputation points Microsoft External Staff Moderator

2025-07-24T19:09:14.6033333+00:00

Hello Stuart P

You can check on the firewall and also check the VPN diagnostic logs.

The TunnelDiagnosticLog table is helpful for examining the historical connectivity status of the tunnel.

Refer: TunnelDiagnosticLog

The Perfect Forward Secrecy feature can cause the disconnection problems. If the VPN device has Perfect forward Secrecy enabled, disable the feature. Then update the virtual network gateway IPsec policy.

I hope this has been helpful!

If the above is unclear or you are unsure about something, please add a comment below.
Ganesh Patapati 8,755 Reputation points Microsoft External Staff Moderator

2025-07-25T12:10:11.2566667+00:00

Hello Stuart P

We haven't heard back from you regarding our last response and wanted to check if you had the opportunity to review our previous post.

Please let us know if you have any questions or concerns. We are happy to assist you.
Stuart P 25 Reputation points

2025-07-25T14:50:46.6033333+00:00

I tried to follow the article about tunnel diagnostics and failed. It looks like something we need to set up (https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/create-diagnostic-settings) and that article talks about using Diagnostic Settings under Monitoring to do so.

I don't have such an entry under Monitoring. I have Logs, Alerts, Metrics, BGP peers and Recommendations.

I've tried to use the Logs and S2S tunnel connet/disconnect events but that just gives me an error:

'project' operator: Failed to resolve scalar expression named 'remoteIP_s'

Request id: 13fe6ae0-145d-4e17-bc90-01e1ac013d24

Perfect forward secrecy is disabled.

Am on the verge of giving up with this VPN and buying a server to bring the service I need to run in house.
Ganesh Patapati 8,755 Reputation points Microsoft External Staff Moderator

2025-07-29T12:28:52.2666667+00:00

Hello Stuart P

I have Initiated a private message with you. Please provide the following details so I can continue troubleshooting the issue.

Answer 1

Hello Stuart P

In order to determine the exact cause, you can try to run a packet capture on Azure VPN which can help you get an idea if anything is causing this issue.

You can follow this documentation to set-up a packet capture on Azure VPN gateway.

Since your Draytek routers are not officially supported, ensure that you are having a validated devices per Azure’s compatibility guidelines. Check whether you are using a validated VPN device and operating system version. If the VPN device is not validated, you may have to contact the device manufacturer to see if there is any compatibility issue.
Make sure that the VPN device is correctly configured. For more information, see Editing device configuration samples.
Looks like the updated version (3.4.0.0) might be the reason for this issue. Please refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/azure-vpn-client-versions#azure-vpn-client---windows
The reason might be the current refresh token in the Azure VPN client, acquired from Entra ID, has expired or become invalid. This token is renewed approximately every hour. Entra tenant administrators can extend the sign-in frequency by adding conditional access policies. Please work with your Entra tenant administrators to extend the refresh token expiration interval. For your reference: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#vpn-disconnect
Ensure that the keep-alive settings on your Draytek routers are configured correctly. Adjusting the keep-alive interval can help maintain the connection. For example, set the keep-alive interval to a lower value (e.g., 10 seconds) to ensure that the connection remains active.
Make sure that the virtual network, subnets and, ranges in the Local network gateway definition in Microsoft Azure are same as the configuration on the on-premises VPN device. Also, Verify that the Security Association settings match.
The virtual network gateway has limit of 200 subnet Security Association Limitations If the number of Azure virtual network subnets multiplied times by the number of local subnets is greater than 200, you might see sporadic subnets disconnecting.
If the Internet facing IP address of the VPN device is included in the Local network gateway address space definition in Azure, you may experience sporadic disconnections.

I hope this has been helpful!

If the above is unclear or you are unsure about something, please add a comment below.

Answer 2

Stuart P 25

VPN now seems to have stabilised. Seems there was a fault at the Azure end, with the Basic virtual network gateway SKU, which has been resolved.

Share via

Virtual network gateway keeps disconnecting

1 additional answer

Your answer