Unifi UDM Pro Max & Azure IPSec Tunnels

Have an interesting one here. I have a UDM Pro Max connecting to Azure over IPSec site-to-site tunnels. I have three separate tunnels to three different resource groups (production, staging and legacy). All the tunnels are set up the same way using Azure Connections with the default IPSec policy using PSK.

Staging and Legacy seem to be rock solid. However, the production tunnel appears to keep disconnecting and reconnecting.

I see this in the UDM logs:

2025-07-01T18:54:44-04:00 UDM-Pro-Max ubios-udapi-server[1227]: signal-out-notifier: Sending to NET Signal-EVT_VPN-62: EVT_VPN_ClientDisconnected X.X.X.X (via vti64) on /vpn/ipsec/site-to-site/685fdcbd2352556b2ab7ddf4
2025-07-01T18:54:44-04:00 UDM-Pro-Max ubios-udapi-server[1227]: signal-out-notifier: Sending to NET Signal-EVT_VPN-63: EVT_VPN_ClientConnected X.X.X.X (via vti64) on /vpn/ipsec/site-to-site/685fdcbd2352556b2ab7ddf4

All three tunnels are set up exactly the same way in the UDM.

I may have found the issue. I just noticed that the IKE Lifetime was set to 3600 and not 28800. I suspect this is the issue at hand.
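Added example, not part of the thread: a small Python script that parses UDM event lines of the form quoted above and checks whether a tunnel's reconnect cadence lines up with an IKE lifetime (the 3600 s vs 28800 s values discussed here). The log sample is constructed, and the second tunnel id is a placeholder.

```python
import re
import statistics
from datetime import datetime

# Constructed sample of UDM syslog output. The 18:54:44 pair mirrors the lines
# quoted in the thread; the rest are invented to show the flap recurring at a
# ~3600 s cadence, plus a second, stable tunnel under a placeholder id.
SAMPLE_LOG = """\
2025-07-01T16:54:44-04:00 UDM-Pro-Max ubios-udapi-server[1227]: signal-out-notifier: Sending to NET Signal-EVT_VPN-58: EVT_VPN_ClientConnected X.X.X.X (via vti64) on /vpn/ipsec/site-to-site/685fdcbd2352556b2ab7ddf4
2025-07-01T16:55:10-04:00 UDM-Pro-Max ubios-udapi-server[1227]: signal-out-notifier: Sending to NET Signal-EVT_VPN-59: EVT_VPN_ClientConnected X.X.X.X (via vti65) on /vpn/ipsec/site-to-site/000000000000000000000001
2025-07-01T17:54:44-04:00 UDM-Pro-Max ubios-udapi-server[1227]: signal-out-notifier: Sending to NET Signal-EVT_VPN-60: EVT_VPN_ClientDisconnected X.X.X.X (via vti64) on /vpn/ipsec/site-to-site/685fdcbd2352556b2ab7ddf4
2025-07-01T17:54:44-04:00 UDM-Pro-Max ubios-udapi-server[1227]: signal-out-notifier: Sending to NET Signal-EVT_VPN-61: EVT_VPN_ClientConnected X.X.X.X (via vti64) on /vpn/ipsec/site-to-site/685fdcbd2352556b2ab7ddf4
2025-07-01T18:54:44-04:00 UDM-Pro-Max ubios-udapi-server[1227]: signal-out-notifier: Sending to NET Signal-EVT_VPN-62: EVT_VPN_ClientDisconnected X.X.X.X (via vti64) on /vpn/ipsec/site-to-site/685fdcbd2352556b2ab7ddf4
2025-07-01T18:54:44-04:00 UDM-Pro-Max ubios-udapi-server[1227]: signal-out-notifier: Sending to NET Signal-EVT_VPN-63: EVT_VPN_ClientConnected X.X.X.X (via vti64) on /vpn/ipsec/site-to-site/685fdcbd2352556b2ab7ddf4
2025-07-01T19:54:46-04:00 UDM-Pro-Max ubios-udapi-server[1227]: signal-out-notifier: Sending to NET Signal-EVT_VPN-64: EVT_VPN_ClientDisconnected X.X.X.X (via vti64) on /vpn/ipsec/site-to-site/685fdcbd2352556b2ab7ddf4
2025-07-01T19:54:46-04:00 UDM-Pro-Max ubios-udapi-server[1227]: signal-out-notifier: Sending to NET Signal-EVT_VPN-65: EVT_VPN_ClientConnected X.X.X.X (via vti64) on /vpn/ipsec/site-to-site/685fdcbd2352556b2ab7ddf4
"""

# Matches the UDM event line format quoted in the thread (other lines are skipped).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ ubios-udapi-server\[\d+\]: .*?"
    r"(?P<event>EVT_VPN_Client(?:Connected|Disconnected)) \S+ \(via \w+\) on (?P<path>\S+)$"
)

def parse_events(text):
    """Return (timestamp, event, tunnel_path) tuples for every VPN event line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["event"], m["path"]))
    return events

def reconnect_intervals(events):
    """Seconds between successive ClientConnected events, keyed by tunnel path."""
    last_up, gaps = {}, {}
    for ts, event, path in sorted(events):
        if event != "EVT_VPN_ClientConnected":
            continue
        if path in last_up:
            gaps.setdefault(path, []).append((ts - last_up[path]).total_seconds())
        last_up[path] = ts
    return gaps

def lifetime_suspects(gaps, lifetimes=(3600, 28800), tolerance=0.02, min_gaps=2):
    """Map each reconnecting tunnel to the lifetime its median cadence matches, else None."""
    verdict = {}
    for path, seconds in gaps.items():
        median = statistics.median(seconds) if len(seconds) >= min_gaps else None
        verdict[path] = next((lt for lt in lifetimes
                              if median is not None and abs(median - lt) <= lt * tolerance), None)
    return verdict
```

A tunnel whose reconnects land on a lifetime boundary is a rekey/lifetime problem rather than a link problem, which is what separates this case from a flapping WAN.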

Thanks for sharing the details, super helpful. That shorter IKE lifetime could definitely explain the frequent reconnects on the production tunnel, especially if Azure is expecting the standard 28800. I’ve seen similar issues when lifetimes don’t match up exactly between peers. Curious to hear if adjusting it clears up the disconnects for good.

It appears to have been the issue. The tunnel has been up for over 2 hours now.

I’m curious, what are you using as the VPN endpoint in Azure?

I’m using a Virtual Network Gateway, I think the SKU is v2 (need it for certain features), and it costs $500/month. I’m looking for more cost effective options, obviously.

I know of a peer company that is all Meraki, and they are about to deploy a Meraki Virtual Firewall as the VPN endpoint, at considerably lower cost.

I am a mixture of Meraki and Palo Alto, looking into the option of a PA virtual firewall in Azure. I’m considering Ubiquiti in 12-24 months in a network refresh cycle, but my connection to Azure is the main thing I need to figure out (now and the future).