Dear Team,
I am facing intermittent 'Ping Request Timeout' issues within an IPsec VPN connection with Azure. The tunnel is connected. Currently, we are monitoring the VPN tunnel using ICMP ping from our on-premise Zabbix server to Azure VMs.
Initially, I attempted the following method: I set the Encryption setting to 'Default Encryption (Most Compatible)' on the Checkpoint Appliance 1880 SMB (on-premise), and on the Azure side, I also used the 'Default (IPsec/IKE) policy'. This resulted in a successful 'Tunnel is connected' status.
The on-premise subnets, 10.101.0.0/16 and 10.102.0.0/16, already have security policies allowed in the Azure configuration.
Azure VNet subnets, 10.10.0.0/16, 10.11.0.0/16, and 30.203.243.64/28, also have security policies allowed in the on-premise Checkpoint firewall.
Initially, I observed that I could access Azure resources using ping, RDP, and SSH from the on-premise network. However, after approximately 6 hours, ICMP monitoring failed from Zabbix to Azure, and none of the subnet networks could reach the cloud.
As a next step, I decided to change the Default Encryption setting to a custom encryption value for both Phase 1 and Phase 2. I configured Phase 1 with AES-256, SHA-256, and DH2, and Phase 2 with AES-256, SHA-256, and PFS2 on both the Checkpoint appliance and the Azure side. This resulted in a successful 'Tunnel is connected' status.
The on-premise subnets, 10.101.0.0/16 and 10.102.0.0/16, already have security policies allowed in the Azure configuration.
Azure VNet subnets, 10.10.0.0/16, 10.11.0.0/16, and 30.203.243.64/28, also have security policies allowed in the on-premise Checkpoint firewall.
However, the problem persisted. Initially, I could access Azure resources using ping, RDP, and SSH from the on-premise network. Nevertheless, after approximately 6 hours, ICMP monitoring failed from Zabbix to Azure, and none of the subnet networks could reach the cloud.
Please kindly see the attached information.
Thanks to all.