24hr internet disconnect caused by Azure S2S IPsec connection

I have a bit of a weird behavior of my S2S connection from my Sophos XG Home Firewall to the Azure Cloud. My internet connection drops every 24hrs to the minute for around 1 minute until it gets reconnected. So does the S2S IPsec connection.
I have already seen in the KB article that the reconnects are "normal" for the Azure S2S connection. Should this internet drop also be normal?
Note from the KB article:
Azure must re-key the IKE_SA by deleting the expired IKE_SA and creating a new connection, which leads to some seconds of downtime.
Also, after the reconnect, the automatic reconnection to two peered subnets does not work anymore.
Any suggestions on how I can change this behavior?
Best regards!
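As an added diagnostic example (not part of this thread and not a Sophos tool), the script below correlates WAN-link drops with IKE_SA rekey events over a constructed event log, to show whether the drops line up with the 24-hour rekey described above; the log line format and the peer name azure-gw are invented, so map your own firewall's IPsec and link events onto the same (timestamp, kind) tuples.

```python
# Added example, not from the thread or from Sophos: correlate WAN-link drops
# with IPsec IKE_SA rekeys. The log format is constructed for illustration;
# adapt parse_events() to the IPsec and link-status lines your firewall emits.
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2019-10-01 03:15:00 ipsec IKE_SA rekey initiated by peer azure-gw
2019-10-01 03:15:04 wan link down
2019-10-01 03:16:01 wan link up
2019-10-02 03:15:00 ipsec IKE_SA rekey initiated by peer azure-gw
2019-10-02 03:15:05 wan link down
2019-10-02 03:16:03 wan link up
2019-10-02 17:40:10 wan link down
2019-10-02 17:40:30 wan link up
"""

def parse_events(text):
    """Return [(datetime, kind)] with kind in {'rekey', 'wan_down', 'wan_up'}."""
    kinds = {"ipsec IKE_SA rekey": "rekey",
             "wan link down": "wan_down", "wan link up": "wan_up"}
    events = []
    for line in text.splitlines():
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        kind = next((k for prefix, k in kinds.items() if line[20:].startswith(prefix)), None)
        if kind:
            events.append((ts, kind))
    return events

def periodic_drops(events, period=timedelta(hours=24), tolerance=timedelta(minutes=1)):
    """Drops whose gap to the previous drop is ~period: the '24h to the minute' pattern."""
    downs = [ts for ts, k in events if k == "wan_down"]
    return [b for a, b in zip(downs, downs[1:]) if abs((b - a) - period) <= tolerance]

def drops_after_rekey(events, window=timedelta(seconds=30)):
    """Drops beginning within `window` after an IKE_SA rekey, i.e. rekey-triggered."""
    rekeys = [ts for ts, k in events if k == "rekey"]
    return [ts for ts, k in events if k == "wan_down"
            and any(timedelta(0) <= ts - r <= window for r in rekeys)]

def outage_seconds(events):
    """Length of each outage, pairing every wan_down with the following wan_up."""
    out, down_at = [], None
    for ts, k in events:
        if k == "wan_down":
            down_at = ts
        elif k == "wan_up" and down_at is not None:
            out.append(int((ts - down_at).total_seconds()))
            down_at = None
    return out
```

Drops that appear in both periodic_drops() and drops_after_rekey() are the ones worth raising with the vendor; the unrelated 17:40 outage in the sample is filtered out by both checks.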
  • After 2 months without any reply I hope a bump is ok :).

    The behavior still exists as stated above. The only possible solution to end the internet disconnects is disabling the VPN in general and only activating it on demand when I'm connecting to my Azure lab. This is ok for my home network but definitely not an option for customers. Also, it is interesting that the subnets are not reconnecting after the automatic disconnect.

  • In reply to Akilae:

    I have the same issue: the Azure tunnel goes up and down all the time, and my subnets are also not reconnecting after the automatic disconnect.

  • In reply to Xavier Rosa:

    This is primarily a user-to-user forum, and just because you post an issue in here does not mean you will get an answer.

    If you have an issue you need to create a support case.



  • In reply to rfcat_vk:

    Creating a support case doesn't work with the home license.

    Regarding my issue, there seems to be a development on the Sophos side.

    Issues Resolved in SF 17.5 MR6

    • NC-38688 [IPsec] Sporadic connection interruption to local XG after IPsec rekeying

    This sounds pretty much like my problem. I've already upgraded to MR6 and will have a look if the behavior changed.

  • In reply to Akilae:

    Unluckily not resolved. Will test again in V18 EAP

  • In reply to Akilae:

    In our tunnels to Azure VPN gateway I have found a few things that help.

    1. On the XG, try to keep the number of Remote Subnets (Azure side) to a minimum, only one such as the entire VNet if possible. We had one tunnel where individual subnets (had six in the list) were used and the stability of the tunnel took a dive.
    2. Clone the built-in Azure IPsec policy. Disable the rekey of the connection, so it only will rekey when Azure VPN gateway decides to.

    Those two things have helped us a ton!



  • In reply to NateP:

    Thank you for the tip with the re-key deactivation. I thought I did that, but it seems that somehow I ticked that checkbox on my cloned policy. Will test it again and check if the behavior changed. Still, an internet reconnect must not happen if an IPsec tunnel changes state.