I have recently been working with a customer who was trying to set up a Site-to-Site VPN connection to Azure using their on-premises Palo Alto firewall device. Their firewall was a supported model running the required PAN-OS version (v7.0.5+). They configured the device as per the documentation linked from the Azure Support website (https://live.paloaltonetworks.com/t5/Integration-Articles/Configuring-IKEv2-VPN-for-Microsoft-Azure-Environment/ta-p/60340). However, after around an hour they were seeing the connection drop for approximately 2-3 minutes before coming back up and working again for another hour. This happened continuously, despite the device being configured exactly as described in the support documentation.
I raised a support ticket with Microsoft and, after some initial data gathering, was told that this is a known issue with Palo Alto firewalls and that an alternative configuration, which has been implemented successfully by some of their other customers, is now recommended (although not yet published on the Palo Alto support site).
>>> Configuration Details <<<
Encryption: aes-256-cbc, 3des
Authentication: sha1, sha256
DH Group: group2
Lifetime: 11000 seconds
IKEv2 Authentication Multiple: 3 (new setting; previously 0, which means disabled)
DH Group: no-pfs
Lifetime: 7600 seconds
Passive Mode: Enabled
NAT Traversal: Enabled (not necessary)
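The same settings written out as PAN-OS CLI `set` commands, as an added example and not the configuration from the post, from Microsoft or from Palo Alto. It reads the list above as an IKE crypto profile (encryption through Authentication Multiple), an IPsec crypto profile (no-pfs, 7600 seconds) and IKE gateway options (Passive Mode, NAT Traversal); the profile, gateway and tunnel names are placeholders, and the ESP algorithms are not stated in the post, so those two lines are an assumption to be matched against the Azure side.

```text
# Lines starting with # are annotations, not PAN-OS commands; enter the set
# commands in configure mode and commit afterwards.
# IKE crypto profile (phase 1); AZURE-IKE is a placeholder name
set network ike crypto-profiles ike-crypto-profiles AZURE-IKE encryption [ aes-256-cbc 3des ]
set network ike crypto-profiles ike-crypto-profiles AZURE-IKE hash [ sha1 sha256 ]
set network ike crypto-profiles ike-crypto-profiles AZURE-IKE dh-group group2
set network ike crypto-profiles ike-crypto-profiles AZURE-IKE lifetime seconds 11000
# The post's "IKEv2 Authentication Multiple: 3" (0 means disabled)
set network ike crypto-profiles ike-crypto-profiles AZURE-IKE authentication-multiple 3
# IPsec crypto profile (phase 2); AZURE-IPSEC is a placeholder name. The ESP
# algorithms are not given in the post and are assumed here.
set network ike crypto-profiles ipsec-crypto-profiles AZURE-IPSEC esp encryption [ aes-256-cbc ]
set network ike crypto-profiles ipsec-crypto-profiles AZURE-IPSEC esp authentication [ sha1 ]
set network ike crypto-profiles ipsec-crypto-profiles AZURE-IPSEC dh-group no-pfs
set network ike crypto-profiles ipsec-crypto-profiles AZURE-IPSEC lifetime seconds 7600
# IKE gateway options; gateway AZURE-GW is assumed to exist already
set network ike gateway AZURE-GW protocol ikev2 ike-crypto-profile AZURE-IKE
set network ike gateway AZURE-GW protocol-common passive-mode yes
set network ike gateway AZURE-GW protocol-common nat-traversal enable yes
# Bind the IPsec profile to the tunnel; AZURE-TUNNEL is assumed to exist already
set network tunnel ipsec AZURE-TUNNEL auto-key ipsec-crypto-profile AZURE-IPSEC
```

After the commit, `show vpn ike-sa gateway AZURE-GW` and `show vpn ipsec-sa` show whether the security associations survive past the one-hour mark at which the drops were seen.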
This configuration has proven to be very stable, and the connection drops we were seeing have disappeared. If you are experiencing the symptoms described above and are running a Palo Alto firewall, you may want to give it a try.