Channel: Azure Networking (DNS, Traffic Manager, VPN, VNET) forum

VPN: receiving IKE delete messages, resulting in unacceptable VPN disconnects

Our customer’s Cisco ASA firewall is terminating the IPSec site-to-site VPN with Microsoft Azure.

As we detected too much delay over this VPN session, we started debugging the connection and found the following problem:

In the established VPN session, if there is no bidirectional traffic for a couple of minutes (3-5 minutes), the ASA receives IKE delete messages from Azure (168.63.9.58, 168.63.106.127, 168.63.37.2) for specified IPSec SAs (specified SPIs). The IPSec SA lifetime is set to 3600 seconds, which differs from the normal operation of the VPN.

The VPN session was not interrupted and the ISAKMP SAs were still working; only specified SAs had been deleted because there was no traffic to match the corresponding crypto ACL entries.

We tried to keep the VPN session alive with ICMP messages. This stopped the frequent deletion of SAs, but there are still detectable slow-downs in the operation.

Since a near real-time application is using this VPN connection, it is unacceptable for the VPN connection to add more than 2 seconds of delay to the communication. The rebuild of this VPN connection takes much longer than that.

VPN is terminated by Cisco ASA 8.2.5.

