Azure VPN Gateway S2S Tunnel (Azure <-> AWS) - IKE Phase 1 SA Expiry / Rekey Failure (ErrorCode 13885)

Andrew Bates 45 Reputation points
2026-04-11T00:40:54.9833333+00:00

We are experiencing periodic S2S VPN tunnel drops between our Azure VPN Gateway and a remote AWS-hosted endpoint. The tunnel shows as Connected in the Azure portal, but traffic stops flowing at regular intervals. No changes have been made on the Azure side.

Here's an overview of our environment:

  • Gateway: VpnGw-External, Route-based, IKEv2
  • Azure Gateway Public IP: 40.x.x.x
  • Remote Peer IP: 184.x.x.x (AWS Customer Gateway)
  • IPsec policy: AES256 / SHA256 / DHGroup2 / PFS2 / Phase 2 lifetime 3600s

Error from Azure Log Analytics (IKE Diagnostic Log):
(Error)[Remote] 184.x.x.x:4500 [Local] 40.x.x.x:4500 [SESSION_ID] {ae0c8227-8a13-4748-bc1b-4d4bee0e92fe} [ConnType] IKEv2-S2S [TunnelId] 1 [TSId] 684 [IkeEvent] SA_DELETE [SA_type] QM_SA [FailureDirection] Outbound [SAEstablished] true [ErrorCode] 13885 [ErrorMessage] Main mode SA lifetime expired or peer sent a main mode delete.

AWS-side IKE log (provided by remote peer) around the same event:

15:54:19 UTC — "AWS tunnel IKE service is starting up"

ike_phase1_state: down, ike_phase2_state: down

15:56:54 UTC — CGW initiates IKE_SA_INIT

Selected Phase 1: AES256 / SHA2-256 / DHGroup2

Selected Phase 2: AES256 / SHA2-256 / PFS: None

Phase 1 and Phase 2 re-established successfully

The Azure log confirms ErrorCode 13885. Phase 1 (Main Mode) SA lifetime expired and the Phase 2 SA was torn down as a result. SAEstablished: true confirms this is a rekey failure on an active tunnel and not an initial negotiation failure.

Per Microsoft documentation, the IKE Phase 1 lifetime is fixed at 28,800 seconds on Azure VPN Gateways and is not configurable (Please confirm).

The AWS logs show the IKE service restarted during the drop window. It is unclear from the available logs whether the SA_DELETE was initiated by the Azure gateway or by the remote peer.

Questions:

  1. Can Microsoft confirm from gateway-side telemetry whether the SA_DELETE (ErrorCode 13885) was initiated by the Azure gateway or by the remote peer?
  2. Is DHGroup2 fully supported for IKEv2 Phase 1 rekeys on the current VPN Gateway platform, or are there known stability issues that would recommend upgrading to DHGroup14?
  3. Were there any Azure platform updates applied to VpnGw-External on or around 2026-04-10 that could have affected IKE rekey behavior?
  4. What is the recommended remote peer configuration to ensure seamless in-place rekeys against an Azure VPN Gateway fixed at 28,800s Phase 1 lifetime?

I can provide additional configuration details as needed.

Thanks,

Andrew Bates

Answer accepted by question author

  1. Vallepu Venkateswarlu 9,165 Reputation points Microsoft External Staff Moderator
    2026-04-11T01:10:16.3966667+00:00

    Hi @Andrew Bates,

    Welcome to Microsoft Q&A Platform

    As per Microsoft documentation (Default IPsec/IKE parameters), the IKE Phase 1 (Main Mode) SA lifetime on Azure VPN Gateway is fixed at 28,800 seconds and cannot be modified for both route-based and policy-based gateways.

    The error 13885 (SA_DELETE) indicates that the Phase 1 SA expired or was deleted by the peer, which forces teardown of the Phase 2 SA and results in traffic interruption.

    From the provided logs:

    • Azure reports: “Main mode SA lifetime expired or peer sent a delete”
    • AWS logs show: “IKE service restarting”

    This strongly indicates the remote peer (AWS) initiated the delete during rekey or service restart, not Azure.

    Please configure your on-premises VPN devices according to the Microsoft-documented IKE/IPsec parameters mentioned above.

    Can Microsoft confirm from gateway-side telemetry whether the SA_DELETE (ErrorCode 13885) was initiated by the Azure gateway or by the remote peer?

    The SA_DELETE is most likely initiated by the remote peer (AWS side) due to IKE process restart or rekey handling behavior.

    Is DHGroup2 fully supported for IKEv2 Phase 1 rekeys on the current VPN Gateway platform, or are there known stability issues that would recommend upgrading to DHGroup14?

    Yes, DHGroup2 is supported; refer to these docs for more details.

    Were there any Azure platform updates applied to VpnGw-External on or around 2026-04-10 that could have affected IKE rekey behavior?

    There is no publicly documented change specific to:

    • IKE rekey behavior
    • DH group handling
    • SA lifetime enforcement

    You must ensure AWS rekeys BEFORE expiry, not at expiry.

    What is the recommended remote peer configuration to ensure seamless in-place rekeys against an Azure VPN Gateway fixed at 28,800s Phase 1 lifetime?

    IKE Phase 1 (Main Mode) SA lifetime is fixed at 28,800 seconds on Azure VPN Gateway and is not configurable.

    To avoid tunnel drops:

    Configure AWS to initiate rekey BEFORE expiry

    • Phase 1 lifetime: 28,800s (match Azure)
    • Rekey margin: ~10–15% earlier

    Ensure:

    • PFS settings match (you currently have a mismatch: Azure = PFS2, AWS = None)
    • Phase 2 lifetime alignment (3600s is OK)

    This applies to: Route-based gateways & Policy-based gateways

    Follow the guide: Configure custom IPsec/IKE connection policies for S2S VPN and VNet-to-VNet

    How to connect AWS and Azure using a BGP-enabled VPN gateway
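As an added example that is not part of the original question or answer: a small Python script that parses the bracketed Azure IKE diagnostic log format quoted in the question, flags the ErrorCode 13885 rekey-failure pattern (SA_DELETE on an already established SA), and checks a peer's Phase 1 rekey settings and PFS choice against the fixed Azure values the answer describes. The log line, IPs, session id and peer values are constructed placeholders.

```python
import re

# Constructed sample in the same shape as the Azure IKE diagnostic line
# quoted in the question; addresses and session id are placeholders.
SAMPLE_LOG = (
    "(Error)[Remote] 184.0.2.10:4500 [Local] 40.0.2.20:4500 "
    "[SESSION_ID] {00000000-0000-0000-0000-000000000000} [ConnType] IKEv2-S2S "
    "[TunnelId] 1 [TSId] 684 [IkeEvent] SA_DELETE [SA_type] QM_SA "
    "[FailureDirection] Outbound [SAEstablished] true [ErrorCode] 13885 "
    "[ErrorMessage] Main mode SA lifetime expired or peer sent a main mode delete."
)

# Each field is "[Key] value"; the value runs until the next "[Key]" or end of line.
FIELD_RE = re.compile(r"\[(\w+)\]\s*(.*?)(?=\s*\[\w+\]|$)")
AZURE_P1_LIFETIME = 28_800  # seconds; fixed on Azure VPN Gateway per the docs cited above


def parse_ike_log(line: str) -> dict:
    """Split an Azure IKE diagnostic line into its level and bracketed fields."""
    level = re.match(r"\((\w+)\)", line)
    fields = {"Level": level.group(1) if level else ""}
    fields.update({key: value.strip() for key, value in FIELD_RE.findall(line)})
    return fields


def is_rekey_failure(fields: dict) -> bool:
    """13885 + SA_DELETE on an SA that was already up means the Phase 1 SA
    expired or was deleted on a live tunnel (rekey failure), not an initial
    negotiation failure."""
    return (fields.get("ErrorCode") == "13885"
            and fields.get("IkeEvent") == "SA_DELETE"
            and fields.get("SAEstablished", "").lower() == "true")


def check_peer_policy(p1_lifetime: int, rekey_at: int, pfs: str,
                      azure_pfs: str = "PFS2") -> list:
    """Return findings for a peer's Phase 1 settings: lifetime must match
    Azure's fixed value, the rekey must fire 10-15% before expiry, and
    PFS must match the Azure side. rekey_at is seconds after SA setup."""
    findings = []
    if p1_lifetime != AZURE_P1_LIFETIME:
        findings.append(f"Phase 1 lifetime {p1_lifetime}s != Azure {AZURE_P1_LIFETIME}s")
    margin = p1_lifetime - rekey_at
    if not 0.10 * p1_lifetime <= margin <= 0.15 * p1_lifetime:
        findings.append(f"rekey margin {margin}s is outside the 10-15% early window")
    if pfs != azure_pfs:
        findings.append(f"PFS mismatch: Azure={azure_pfs} peer={pfs}")
    return findings
```

Feeding the gateway's IKE diagnostic lines through parse_ike_log and is_rekey_failure separates expiry-driven drops from first-negotiation failures; check_peer_policy reproduces the three points the answer asks the peer to align.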

    Please “up-vote” wherever the information provided helps you; this can be beneficial to other community members.
