IKEv2 and Windows 10/11 drops connectivity but stays connected in Windows

Believed it may related to:

• IKEv2 SA Lifetime: By default, IKEv2 sessions have a rekey interval (commonly 3,600 seconds = 60 minutes). In Azure, the effective lifetime is slightly shorter (≈ 56 minutes).
• Windows Client Behavior: Windows 10/11 sometimes fails to properly renegotiate the SA when the lifetime expires. The tunnel remains “connected” in the UI, but traffic is dropped.
• Always On VPN: Device and user tunnels configured for Always On exacerbate the issue because the client doesn’t automatically tear down and rebuild the tunnel when rekey fails.
• Topology Independence: This occurs whether or not ExpressRoute or Azure Firewall is in the path, suggesting the root cause is client-side handling of IKEv2 rekey.