https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/vpn-with-azure-falling-down/m-p/134444#M11 <P>Hi,</P><P>&nbsp;</P><P>l had a very interesting experience with Azure VPN. Few&nbsp;things to check check:</P><P>&nbsp;</P><P>1) PA has to be in passive mode so only Azure can initiate a VPN</P><P>&nbsp;</P><P>2) Suggested config:</P><P>&nbsp;</P><P>IKEv2<BR />Diffie-Hellman Group Group 2<BR />Authentication Method SHA1<BR />Encryption Algorithms AES256, 3DES<BR />Phase 1 Security Association (SA) Lifetime (Time) 28,800 seconds</P><P>&nbsp;</P><P>CHILD_SA<BR />Encryption Algorithms AES128, 3DES<BR />Authentication Method SHA1<BR />Phase 2 Security Association (SA) Lifetime (Time) 5,400 (Azure side 3,600 seconds)<BR />Perfect Forward Secrecy (PFS) no-pfs</P><P>&nbsp;</P><P>3) Disable "Liveness Check"</P><P>&nbsp;</P><P>&nbsp;</P><P>More info here:</P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/General-Topics/VPN-to-Azure-dropouts/td-p/98936/page/3" target="_blank">https://live.paloaltonetworks.com/t5/General-Topics/VPN-to-Azure-dropouts/td-p/98936/page/3</A></P><P>&nbsp;</P><P>Thx,</P><P>Myky</P> Fri, 23 Dec 2016 11:57:23 GMT TranceforLife 2016-12-23T11:57:23Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/vpn-with-azure-falling-down/m-p/133949#M10 <P>Hi at all!</P><P>I have a problem with a VPN with Azure, after 50 minutes circa the VPN stops working and doesn't restart.</P><P>I checked the configuration and everything is right.</P><P>This message appears in logs: "IKEv2 child SA negotiation is failed message lacks KE payload".</P><P>&nbsp;</P><P>Can you help me to resolve this issue?</P><P>&nbsp;</P><P>Regards,</P><P>Daniele</P> Wed, 21 Dec 2016 10:15:56 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/vpn-with-azure-falling-down/m-p/133949#M10 DKanta 2016-12-21T10:15:56Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/vpn-with-azure-falling-down/m-p/134444#M11 <P>Hi,</P><P>&nbsp;</P><P>l had a very interesting experience with Azure VPN. Few&nbsp;things to check check:</P><P>&nbsp;</P><P>1) PA has to be in passive mode so only Azure can initiate a VPN</P><P>&nbsp;</P><P>2) Suggested config:</P><P>&nbsp;</P><P>IKEv2<BR />Diffie-Hellman Group Group 2<BR />Authentication Method SHA1<BR />Encryption Algorithms AES256, 3DES<BR />Phase 1 Security Association (SA) Lifetime (Time) 28,800 seconds</P><P>&nbsp;</P><P>CHILD_SA<BR />Encryption Algorithms AES128, 3DES<BR />Authentication Method SHA1<BR />Phase 2 Security Association (SA) Lifetime (Time) 5,400 (Azure side 3,600 seconds)<BR />Perfect Forward Secrecy (PFS) no-pfs</P><P>&nbsp;</P><P>3) Disable "Liveness Check"</P><P>&nbsp;</P><P>&nbsp;</P><P>More info here:</P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/General-Topics/VPN-to-Azure-dropouts/td-p/98936/page/3" target="_blank">https://live.paloaltonetworks.com/t5/General-Topics/VPN-to-Azure-dropouts/td-p/98936/page/3</A></P><P>&nbsp;</P><P>Thx,</P><P>Myky</P> Fri, 23 Dec 2016 11:57:23 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/vpn-with-azure-falling-down/m-p/134444#M11 TranceforLife 2016-12-23T11:57:23Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/vpn-with-azure-falling-down/m-p/134960#M12 <P>Hi Myky,</P><P>&nbsp;</P><P>Thank for your suggestion, we solved it some days ago checking on Microsoft site (<A href="https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices" target="_blank">https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices</A>), we used 'no-pfs' instead of DH group 2 on IPSEC Crypto key.</P><P>&nbsp;</P><P>Thank you again!</P><P>&nbsp;</P><P>Regards,</P><P>Daniele</P> Thu, 29 Dec 2016 10:35:30 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/vpn-with-azure-falling-down/m-p/134960#M12 DKanta 2016-12-29T10:35:30Z