Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.
- Azure VPN gateways have a fixed, non-configurable IKE Phase 1 lifetime. This value is typically 28,800 seconds (8 hours). For your reference: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#:~:text=IKE%20Main%20Mode%20SA%20lifetime%20is%20fixed%20at%2028%2C800%20seconds%20on%20the%20Azure%20VPN%20gateways.
- Unlike the Phase 2 SA lifetime, you cannot modify the IKE Phase 1 SA lifetime in Azure using the portal, CLI, or PowerShell. This is a deliberate design choice to maintain interoperability and stability.
- Phase 1 is primarily for establishing a secure channel for subsequent Phase 2 negotiations. It's designed for longer durations and less frequent renegotiation.
- Phase 2 is where the actual data encryption parameters are negotiated. These SAs are typically more dynamic and have shorter lifetimes.
- The standard Azure diagnostic logs you linked might not expose these specific IKE SA lifetimes directly, especially for Phase 1.
- You can take a packet capture on your on-premises VPN gateway and use a tool like Wireshark to filter and analyze the IKEv1 traffic; within the IKEv1 packets, examine the SA payloads.
- You should be able to see the proposed and accepted lifetime values; this requires access to capture traffic on the on-premises device.
- Otherwise, NSG Flow Logs version 2 provide more detailed information about network traffic flowing through Network Security Groups.
- While they might not explicitly show the IKE SA lifetime, they could indirectly help you infer when a new Phase 1 negotiation occurs based on the traffic patterns and flow timestamps.
Kindly let us know if the above helps or you need further assistance on this issue.
Thanks,
Sai.
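The answer above suggests reading the Phase 1 lifetime out of the ISAKMP SA payload in a capture. The following is an added example, not code from the answer or from Microsoft, showing what that inspection does mechanically: it walks the ISAKMP header, SA payload, proposal and transform payloads (RFC 2408 layout) and returns the Life Type / Life Duration attributes (IKE attribute types 11 and 12, RFC 2409) for each Phase 1 transform. The packet it parses is constructed inline with an assumed transform set (AES-256, SHA-1, PSK, group 14, 28,800 seconds) so it runs offline; in practice you would feed it the UDP payload of a Main Mode or Aggressive Mode packet exported from Wireshark (display filter `isakmp`). Quick Mode packets (exchange type 32) carry Phase 2 proposals and are skipped.

```python
"""Pull the IKEv1 Phase 1 SA lifetime out of ISAKMP transform attributes."""
import struct

ISAKMP_HDR_LEN = 28
PAYLOAD_SA, PAYLOAD_PROPOSAL, PAYLOAD_TRANSFORM = 1, 2, 3
EXCH_MAIN_MODE, EXCH_AGGRESSIVE, EXCH_QUICK_MODE = 2, 4, 32
PROTO_ISAKMP = 1                       # Proposal protocol ID for Phase 1
ATTR_LIFE_TYPE, ATTR_LIFE_DURATION = 11, 12
LIFE_TYPE_NAMES = {1: "seconds", 2: "kilobytes"}


def _attr(attr_type, value, force_tlv=False):
    """Encode one data attribute: TV form (AF bit set) if the value fits 16 bits,
    otherwise TLV with a 4-byte value."""
    if value < 0x10000 and not force_tlv:
        return struct.pack("!HH", 0x8000 | attr_type, value)
    data = struct.pack("!I", value)
    return struct.pack("!HH", attr_type, len(data)) + data


def build_main_mode_sa(lifetime_seconds, exchange=EXCH_MAIN_MODE):
    """Constructed sample packet (assumed transform set, not a real capture)."""
    attrs = b"".join([
        _attr(1, 7),                   # Encryption Algorithm: AES-CBC
        _attr(14, 256),                # Key Length
        _attr(2, 2),                   # Hash Algorithm: SHA-1
        _attr(3, 1),                   # Authentication Method: pre-shared key
        _attr(4, 14),                  # Group Description: 2048-bit MODP
        _attr(ATTR_LIFE_TYPE, 1),      # Life Type: seconds
        _attr(ATTR_LIFE_DURATION, lifetime_seconds, force_tlv=True),
    ])
    # Transform: next(0) reserved(0) length, transform#, ID=KEY_IKE, reserved
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs
    # Proposal: next, reserved, length, proposal#, proto=ISAKMP, SPI size 0, 1 transform
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, PROTO_ISAKMP, 0, 1) + transform
    # SA: next, reserved, length, DOI=IPSEC(1), Situation=IDENTITY_ONLY(1)
    sa = struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal
    total = ISAKMP_HDR_LEN + len(sa)
    hdr = b"\x11" * 8 + b"\x00" * 8 + struct.pack("!BBBBII", PAYLOAD_SA, 0x10, exchange, 0, 0, total)
    return hdr + sa


def iter_payloads(data, first_type):
    """Yield (type, body) for a chain of generic payloads; type 0 ends the chain."""
    off, ptype = 0, first_type
    while ptype != 0 and off < len(data):
        next_type, _reserved, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("truncated or malformed payload")
        yield ptype, data[off + 4:off + length]
        off, ptype = off + length, next_type


def parse_attributes(data):
    """Decode TV and TLV data attributes into {type: int value}."""
    attrs, off = {}, 0
    while off + 4 <= len(data):
        af_type, second = struct.unpack_from("!HH", data, off)
        attr_type = af_type & 0x7FFF
        if af_type & 0x8000:           # TV: 'second' is the value
            attrs[attr_type], off = second, off + 4
        else:                          # TLV: 'second' is the length
            raw = data[off + 4:off + 4 + second]
            if len(raw) != second:
                raise ValueError("truncated attribute")
            attrs[attr_type], off = int.from_bytes(raw, "big"), off + 4 + second
    return attrs


def extract_phase1_lifetimes(packet):
    """Return one record per Phase 1 transform with its proposed lifetime."""
    if len(packet) < ISAKMP_HDR_LEN:
        raise ValueError("short ISAKMP header")
    first, _ver, exch, _flags, _msgid, length = struct.unpack_from("!BBBBII", packet, 16)
    if length != len(packet):
        raise ValueError("ISAKMP length field does not match packet size")
    if exch not in (EXCH_MAIN_MODE, EXCH_AGGRESSIVE):
        return []                      # Quick Mode etc. negotiate Phase 2, not Phase 1
    results = []
    for ptype, body in iter_payloads(packet[ISAKMP_HDR_LEN:], first):
        if ptype != PAYLOAD_SA:
            continue
        for _t, prop in iter_payloads(body[8:], PAYLOAD_PROPOSAL):   # skip DOI + Situation
            prop_no, proto, spi_size, _ntrans = struct.unpack_from("!BBBB", prop, 0)
            if proto != PROTO_ISAKMP:
                continue
            for _t2, tr in iter_payloads(prop[4 + spi_size:], PAYLOAD_TRANSFORM):
                tr_no, _tr_id, _ = struct.unpack_from("!BBH", tr, 0)
                attrs = parse_attributes(tr[4:])
                results.append({
                    "proposal": prop_no, "transform": tr_no,
                    "life_type": LIFE_TYPE_NAMES.get(attrs.get(ATTR_LIFE_TYPE), "unspecified"),
                    "life_duration": attrs.get(ATTR_LIFE_DURATION),
                })
    return results


if __name__ == "__main__":
    for rec in extract_phase1_lifetimes(build_main_mode_sa(28800)):
        print(rec)
```

Run it against both directions of the capture: the initiator's SA payload lists every transform the on-premises device offers, and the responder's SA payload carries the single transform Azure accepted, so comparing the two is how you confirm which lifetime actually took effect.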