Azure Route-Based VPN with Palo Alto Firewall – Dropping Connection

I have recently been working with a customer who was trying to set up a Site-to-Site VPN connection to Azure using their on-premises Palo Alto firewall. The firewall was a supported model running the required PAN-OS version (v7.0.5+). They configured the device as per the documentation linked from the Azure support website (https://live.paloaltonetworks.com/t5/Integration-Articles/Configuring-IKEv2-VPN-for-Microsoft-Azure-Environment/ta-p/60340). However, after around an hour they saw the connection drop for approximately 2-3 minutes before it came back up and worked again for another hour. This happened continuously, despite the device being configured exactly as described in the support documentation.

I raised a support ticket with Microsoft and, after some initial data gathering, was told that this is a known issue with Palo Alto firewalls and that an alternative configuration, which has been implemented successfully by some of their other customers, is now recommended (although not yet published on the Palo Alto support site).

>>> Configuration Details <<<

Phase 1:
Encryption: aes-256-cbc, 3des
Authentication: sha1, sha256
DH Group: group2
Lifetime: 11000 seconds
IKEv2 Authentication Multiple: 3 (new setting; it was previously 0, which means disabled)

Phase 2:
Encryption: aes256-cbc
Authentication: sha1
DH Group: no-pfs
Lifetime: 7600 seconds

Gateway:
Passive Mode: Enabled
NAT Traversal: Enabled (not necessary)

This configuration has proven to be very stable, and the connection drops we were seeing have disappeared. If you are experiencing the symptoms described above and are running a Palo Alto firewall, you may want to give it a try.
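The drop pattern described above (a 2-3 minute outage recurring roughly every hour) is easy to spot in tunnel-state logs once you look for it. The following is an added detection example, not code from the original post or from Palo Alto or Microsoft; it parses constructed log lines in an assumed "date time tunnel=<name> state=<up|down>" format and reports whether outages are short and recur at a near-constant interval.

```python
from datetime import datetime

# Constructed sample log (assumed format, not PAN-OS or Azure output):
# "<date> <time> tunnel=<name> state=<up|down>"; drops of 2-3 minutes about hourly.
SAMPLE_LOG = """\
2015-11-10 08:00:00 tunnel=azure-s2s state=up
2015-11-10 09:01:10 tunnel=azure-s2s state=down
2015-11-10 09:03:40 tunnel=azure-s2s state=up
2015-11-10 10:04:55 tunnel=azure-s2s state=down
2015-11-10 10:07:30 tunnel=azure-s2s state=up
2015-11-10 11:08:20 tunnel=azure-s2s state=down
2015-11-10 11:11:05 tunnel=azure-s2s state=up
"""

def parse_events(text):
    """Return (timestamp, tunnel, state) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or "=" not in parts[2] or "=" not in parts[3]:
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        events.append((ts, parts[2].split("=", 1)[1], parts[3].split("=", 1)[1]))
    return events

def outages(events, tunnel):
    """Pair each 'down' with the next 'up' for one tunnel -> [(down_at, seconds)]."""
    result, down_at = [], None
    for ts, name, state in events:
        if name != tunnel:
            continue
        if state == "down" and down_at is None:
            down_at = ts
        elif state == "up" and down_at is not None:
            result.append((down_at, (ts - down_at).total_seconds()))
            down_at = None
    return result

def periodic_drop_pattern(events, tunnel, period=3600, tolerance=0.15, max_outage=300):
    """'periodic' is True when >= 2 drop-to-drop intervals all lie within tolerance
    of period seconds and no outage exceeds max_outage seconds (rekey-cycle shape)."""
    outs = outages(events, tunnel)
    durations = [secs for _, secs in outs]
    intervals = [(b - a).total_seconds() for (a, _), (b, _) in zip(outs, outs[1:])]
    periodic = (len(intervals) >= 2
                and all(abs(i - period) <= period * tolerance for i in intervals)
                and all(d <= max_outage for d in durations))
    return {"durations": durations, "intervals": intervals, "periodic": periodic}
```

A "periodic" verdict on a tunnel that is otherwise healthy is the cue to compare the IKE and IPsec lifetimes and the re-authentication setting against the values listed above before chasing transient network faults.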
