HybridCloud.social



Azure Route-Based VPN with Palo Alto Firewall – Dropping Connection

Originally posted by Jay Avent

I have recently been working with a customer who was trying to set up a Site-to-Site VPN connection to Azure using their on-premises Palo Alto firewall. The firewall was a supported model running the required PAN-OS version (v7.0.5+). They configured the device as described in the documentation linked from the Azure support website, https://live.paloaltonetworks.com/t5/Integration-Articles/Configuring-IKEv2-VPN-for-Microsoft-Azure-Environment/ta-p/60340, but after around an hour the connection dropped for approximately 2-3 minutes before coming back up and working again for another hour. This repeated continuously despite the device being configured exactly as the support documentation described.

I raised a support ticket with Microsoft and, after some initial data gathering, was told that this is a known issue with Palo Alto firewalls and that there is an alternative configuration which has been implemented successfully by some of their other customers and is now recommended (although not yet published on the Palo Alto support site).

>>> Configuration Details <<<

Phase 1 (IKE crypto profile):

Encryption: aes-256-cbc, 3des

Authentication: sha1, sha256

DH Group: group2

Lifetime: 11000 seconds

IKEv2 Authentication Multiple: 3 (this is the setting that changed; it was previously 0, which disables IKEv2 re-authentication. The value is multiplied by the IKE lifetime to set how many IKE SA rekeys the gateway performs before it re-authenticates with the peer.)

Phase 2 (IPsec crypto profile):

Encryption: aes-256-cbc

Authentication: sha1

DH Group: no-pfs

Lifetime: 7600 seconds

Gateway:

Passive Mode: Enabled

NAT Traversal: Enabled (not necessary)
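The same settings expressed as PAN-OS CLI set commands, as an added example that is not part of the original post or of Palo Alto's documentation. The profile, gateway and tunnel names (Azure-IKE, Azure-IPSec, Azure-GW, Azure-Tunnel), the interfaces (ethernet1/1, tunnel.1), the peer address and the pre-shared key are placeholders; the lines starting with # are annotations rather than CLI input, and the exact syntax should be checked against the PAN-OS version in use.

```text
# IKE (Phase 1) crypto profile. Azure-IKE is a placeholder name.
set network ike crypto-profiles ike-crypto-profiles Azure-IKE encryption [ aes-256-cbc 3des ]
set network ike crypto-profiles ike-crypto-profiles Azure-IKE hash [ sha1 sha256 ]
set network ike crypto-profiles ike-crypto-profiles Azure-IKE dh-group group2
set network ike crypto-profiles ike-crypto-profiles Azure-IKE lifetime seconds 11000
# The setting that changed: the default of 0 disables IKEv2 re-authentication.
set network ike crypto-profiles ike-crypto-profiles Azure-IKE authentication-multiple 3

# IPsec (Phase 2) crypto profile. Azure-IPSec is a placeholder name.
set network ike crypto-profiles ipsec-crypto-profiles Azure-IPSec esp encryption aes-256-cbc
set network ike crypto-profiles ipsec-crypto-profiles Azure-IPSec esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles Azure-IPSec dh-group no-pfs
set network ike crypto-profiles ipsec-crypto-profiles Azure-IPSec lifetime seconds 7600

# IKE gateway. Azure-GW, ethernet1/1, the peer address and the key are placeholders.
set network ike gateway Azure-GW protocol version ikev2
set network ike gateway Azure-GW protocol ikev2 ike-crypto-profile Azure-IKE
set network ike gateway Azure-GW protocol-common nat-traversal enable yes
set network ike gateway Azure-GW protocol-common passive-mode yes
set network ike gateway Azure-GW local-address interface ethernet1/1
set network ike gateway Azure-GW peer-address ip <azure-vpn-gateway-public-ip>
set network ike gateway Azure-GW authentication pre-shared-key key <pre-shared-key>

# Bind the gateway and the IPsec profile to a tunnel interface (tunnel.1 is a placeholder).
set network tunnel ipsec Azure-Tunnel auto-key ike-gateway Azure-GW
set network tunnel ipsec Azure-Tunnel auto-key ipsec-crypto-profile Azure-IPSec
set network tunnel ipsec Azure-Tunnel tunnel-interface tunnel.1
commit

# Verification after commit: confirm both SAs are up, then check again after the
# first rekey and after the first re-authentication rather than only at bring-up.
show vpn ike-sa gateway Azure-GW
show vpn ipsec-sa tunnel Azure-Tunnel
show vpn flow
```

Because the original symptom appeared roughly once an hour, a bring-up test that lasts a few minutes proves nothing; leave the verification commands running past the point where the drops used to occur before calling the change successful.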

 

This configuration has proven to be very stable, and the connection drops we were seeing disappeared. If you are experiencing the symptoms described above and running a Palo Alto firewall, you may want to give it a try. Two caveats: a drop that recurs on a fixed interval is characteristic of a rekey or re-authentication problem rather than of the initial negotiation, so check the SA lifetimes and the re-authentication setting before changing the cipher proposals; and 3des, sha1 and DH group2 are legacy algorithms carried over from the documented configuration, so keep aes-256-cbc and sha256 in the proposals and remove the legacy entries once you have confirmed that the Azure side negotiates the stronger ones.
