Hmm, that would give the customer away 😉

The rule was literally 

SRC:  My cluster object
DST:  Azure object
Service:  IKE (UDP/500)
Action:  Accept

The tunnel came straight back up then.  For 3 years prior, that rule hasn't been needed.  So I'm assuming at this point that the "accept outgoing traffic from gateway" tick box is no longer doing what it says on the tin in R81.10?

Thats fair : ). I have a feeling this could be a bug if you never needed that sort of rule before. Personally, I cannot recall anyone having to do so going back to even before R54.

Just to be 100% sure, you are referring to the option I circled in the attached screenshot, correct?

In you screenshot, this option is set to "Before Last".
Have you changed that from default?
@biskit : Do you also have "Before Last" there?

If I remember correctly, default in new databases for this option is "First" for many years. Maybe this is the problem why R&D did not found this problem in yet?

@Tobias_Moritz ...I am pretty sure by default it has always been "before last", even in older releases. I had a quick look for R77.30 and it also shows "before last". Also checked production R80.;40 and R81 and it shows the same.

Yes - that's the right tick box.  Mine is also set to "before last", which technically should still allow IKE out before hitting the cleanup rule.  Maybe there's something TAC can do to troubleshoot why it isn't working.  They did reply saying "there is no bug with VPN" so I replied back agreeing, and saying the problem is the tick box not doing what it did prior to the upgrade.  I'll see where the SR takes me...  Maybe some language barriers to overcome first 😂

Well, no language barrier there lol. Before last option does exactly what it says...which literally means that whatever is listed as you said, it would be accepted before clean up rule. Anyway, keep us posted, this is quite interesting. 

Do you see hits on this manually created IKE rule ? 

Do you have implied rules logging ?

Yes, I see hits on the new IKE rule.

I didn't have implied rule logging on. 

As this is a production environment I'll struggle to go back and test stuff now without a maintenance window.  I've got a case with TAC though (who still think I'm reporting a VPN problem rather than the global properties tick box problem) so I'll see where that leads me...

Yep - policy was installed.  

The gateway had "Initial Policy" after the upgrade, so it needed a policy install...

I'm on the same version - R81.10 Take 335, which I downloaded straight from CPUSE in the WebUI yesterday.

I have no such issues on R81.10 myself. IKE traffic is hitting rule 0 / implied rule as per usual. Implied_rules.def lives on the management server. Did you do an in-place upgrade of the management server? Or did you go with an advanced upgrade?

Would be interesting to see your $FWDIR/lib/implied_rules.def file. There have been changes to the implied_rules.def in newer versions. Might the upgrade somehow have kept the old version instead of going with the newer one? This tends to be a possible issue when installing Jumbo Hotfixes that makes changes to implied_rules.def. If the JHF installation notices that you are not running a default implied_rules.def it will create a copy like implied_rules_HFA_R81_JUMBO_HF_take34.def and not overwrite the one you have which might cause issues.

Have you verified global properties on the R81.10 management to make sure "Accept Remote Access control connections" are still activated after the upgrade?