Forum Discussion
IKEv2 and Windows 10/11 drops connectivity but stays connected in Windows
I’ve seen this with 2 different customers using IKEv2 User VPNs (virtual wan) and Point to Site gateways in hub and spoke whereby using the VPN in a Always On configuration (device and user tunnel) that after a specific amount of time (56 minutes) the IKEv2 connection will drop the tunnel but stay connected in Windows. To restore the connection, you just reconnect.
has anyone else had a similar experience? I’ve seen the issue with ExpressRoute and with/without Azure firewalls in the topology too.
1 Reply
Believed it may related to:
- IKEv2 SA Lifetime: By default, IKEv2 sessions have a rekey interval (commonly 3,600 seconds = 60 minutes). In Azure, the effective lifetime is slightly shorter (≈ 56 minutes).
- Windows Client Behavior: Windows 10/11 sometimes fails to properly renegotiate the SA when the lifetime expires. The tunnel remains “connected” in the UI, but traffic is dropped.
- Always On VPN: Device and user tunnels configured for Always On exacerbate the issue because the client doesn’t automatically tear down and rebuild the tunnel when rekey fails.
- Topology Independence: This occurs whether or not ExpressRoute or Azure Firewall is in the path, suggesting the root cause is client-side handling of IKEv2 rekey.
