I'm using two VyOS instances both having an Active-Active configuration to AZURE.
I run 4 AZURE Active-Active VPN gateways and 3 out of 4 perform as expected.
Once a day one of the connections hangs, and the BGP session running over that VTI is dead afterwards.
After calling `reset vpn ipsec-peer x.x.x.x` on **BOTH** active-active peers the link returns. It does not return if the command is issued only on one peer.
Both VyOS machines run the configuration below. It was initially retrieved from the Azure "Config Generator" for an EdgeOS device and then adapted to VyOS. Funny thing is, the generated configs differ considerably in concept from the generated Cisco IOS config (there we have two IPsec peers, as required for active-active, whereas the EdgeOS config listed only one).
```
# VyOS side of the Azure active-active setup: eight VTI-bound IKEv2 tunnels,
# all sharing one IKE profile (IKE-AZURE) and one ESP profile (ESP-AZURE).
# Local address and pre-shared secrets are masked in this listing.

# One VTI per tunnel. Only the descriptions are shown; the VTI addresses and
# the BGP neighbours that run over them are not part of this listing.
set interfaces vti vti21 description 'Azure - Active-Active'
set interfaces vti vti22 description 'Azure - Active-Active'
set interfaces vti vti31 description 'Azure - Active-Active'
set interfaces vti vti32 description 'Azure - Active-Active'
set interfaces vti vti41 description 'Azure - Active-Active'
set interfaces vti vti42 description 'Azure - Active-Active'
set interfaces vti vti51 description 'Azure - Active-Active'
set interfaces vti vti52 description 'Azure - Active-Active'

# ESP (child SA) profile used by every peer: tunnel mode, no compression.
set vpn ipsec esp-group ESP-AZURE compression 'disable'
# NOTE(review): same value as the IKE lifetime further down (both 27000), so
# the IKE and child-SA rekeys can fall close together - worth correlating the
# daily hang with rekey events in the IPsec log.
set vpn ipsec esp-group ESP-AZURE lifetime '27000'
set vpn ipsec esp-group ESP-AZURE mode 'tunnel'
# NOTE(review): with pfs 'disable' a child-SA rekey performs no fresh
# Diffie-Hellman exchange, so the new keys derive from the IKE SA keying
# material. Enabling PFS needs a matching IPsec/IKE policy on the Azure
# connection - confirm what the gateway offers before changing it.
set vpn ipsec esp-group ESP-AZURE pfs 'disable'
# NOTE(review): AES-256 with HMAC-SHA1 integrity; SHA1 is a legacy choice and
# both ends must agree on any stronger replacement (e.g. SHA-256).
set vpn ipsec esp-group ESP-AZURE proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-AZURE proposal 1 hash 'sha1'

# IKE profile used by every peer.
# Dead-peer detection: probe every 10 s and restart the connection when the
# peer is declared dead.
set vpn ipsec ike-group IKE-AZURE dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-AZURE dead-peer-detection interval '10'
# NOTE(review): timeout '2' is smaller than interval '10'. The DPD timeout is
# presumably only honoured for IKEv1, so with key-exchange 'ikev2' it likely
# has no effect - verify against the VyOS release in use.
set vpn ipsec ike-group IKE-AZURE dead-peer-detection timeout '2'
# Re-authentication is off here; every peer below inherits this setting.
set vpn ipsec ike-group IKE-AZURE ikev2-reauth 'no'
set vpn ipsec ike-group IKE-AZURE key-exchange 'ikev2'
set vpn ipsec ike-group IKE-AZURE lifetime '27000'
# NOTE(review): dh-group '2' is 1024-bit MODP and hash 'sha1' is a legacy
# PRF/integrity choice. A stronger group (e.g. 14 or an ECP group) and SHA-256
# require the Azure connection to carry a matching policy, otherwise the
# proposals will not match and the tunnel will not establish.
set vpn ipsec ike-group IKE-AZURE proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-AZURE proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-AZURE proposal 1 hash 'sha1'

# IPsec is enabled on eth0 only.
set vpn ipsec ipsec-interfaces interface 'eth0'

# Peers: eight entries in four address pairs, identical except for the remote
# address and the bound VTI. Each one authenticates with a pre-shared secret,
# initiates from the same (masked) local address, inherits ikev2-reauth from
# IKE-AZURE and uses ESP-AZURE on its VTI.
# NOTE(review): the secret is masked as xxxxxx on every peer, so the listing
# does not show whether the eight secrets differ. With PSK authentication the
# tunnel's authentication rests on that value alone; a long random secret per
# connection is the safer arrangement.
# NOTE(review): the VTI numbering does not follow the peer addressing
# (192.0.2.x -> vti5x, 192.0.5.x -> vti2x, and the .1/.2 order flips between
# pairs). Check each binding against the VTI address and BGP neighbour it is
# meant to carry.

# Pair 192.0.2.1 / 192.0.2.2 -> vti51 / vti52
set vpn ipsec site-to-site peer 192.0.2.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer 192.0.2.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.0.2.1 ike-group 'IKE-AZURE'
set vpn ipsec site-to-site peer 192.0.2.1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.0.2.1 local-address 'xxx.xxx.32.189'
set vpn ipsec site-to-site peer 192.0.2.1 vti bind 'vti51'
set vpn ipsec site-to-site peer 192.0.2.1 vti esp-group 'ESP-AZURE'
set vpn ipsec site-to-site peer 192.0.2.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.2.2 authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer 192.0.2.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.0.2.2 ike-group 'IKE-AZURE'
set vpn ipsec site-to-site peer 192.0.2.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.0.2.2 local-address 'xxx.xxx.32.189'
set vpn ipsec site-to-site peer 192.0.2.2 vti bind 'vti52'
set vpn ipsec site-to-site peer 192.0.2.2 vti esp-group 'ESP-AZURE'

# Pair 192.0.3.1 / 192.0.3.2 -> vti32 / vti31
set vpn ipsec site-to-site peer 192.0.3.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.3.1 authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer 192.0.3.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.0.3.1 ike-group 'IKE-AZURE'
set vpn ipsec site-to-site peer 192.0.3.1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.0.3.1 local-address 'xxx.xxx.32.189'
set vpn ipsec site-to-site peer 192.0.3.1 vti bind 'vti32'
set vpn ipsec site-to-site peer 192.0.3.1 vti esp-group 'ESP-AZURE'
set vpn ipsec site-to-site peer 192.0.3.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.3.2 authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer 192.0.3.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.0.3.2 ike-group 'IKE-AZURE'
set vpn ipsec site-to-site peer 192.0.3.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.0.3.2 local-address 'xxx.xxx.32.189'
set vpn ipsec site-to-site peer 192.0.3.2 vti bind 'vti31'
set vpn ipsec site-to-site peer 192.0.3.2 vti esp-group 'ESP-AZURE'

# Pair 192.0.4.1 / 192.0.4.2 -> vti42 / vti41
set vpn ipsec site-to-site peer 192.0.4.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.4.1 authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer 192.0.4.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.0.4.1 ike-group 'IKE-AZURE'
set vpn ipsec site-to-site peer 192.0.4.1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.0.4.1 local-address 'xxx.xxx.32.189'
set vpn ipsec site-to-site peer 192.0.4.1 vti bind 'vti42'
set vpn ipsec site-to-site peer 192.0.4.1 vti esp-group 'ESP-AZURE'
set vpn ipsec site-to-site peer 192.0.4.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.4.2 authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer 192.0.4.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.0.4.2 ike-group 'IKE-AZURE'
set vpn ipsec site-to-site peer 192.0.4.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.0.4.2 local-address 'xxx.xxx.32.189'
set vpn ipsec site-to-site peer 192.0.4.2 vti bind 'vti41'
set vpn ipsec site-to-site peer 192.0.4.2 vti esp-group 'ESP-AZURE'

# Pair 192.0.5.1 / 192.0.5.2 -> vti22 / vti21
set vpn ipsec site-to-site peer 192.0.5.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.5.1 authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer 192.0.5.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.0.5.1 ike-group 'IKE-AZURE'
set vpn ipsec site-to-site peer 192.0.5.1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.0.5.1 local-address 'xxx.xxx.32.189'
set vpn ipsec site-to-site peer 192.0.5.1 vti bind 'vti22'
set vpn ipsec site-to-site peer 192.0.5.1 vti esp-group 'ESP-AZURE'
set vpn ipsec site-to-site peer 192.0.5.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.5.2 authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer 192.0.5.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.0.5.2 ike-group 'IKE-AZURE'
set vpn ipsec site-to-site peer 192.0.5.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.0.5.2 local-address 'xxx.xxx.32.189'
set vpn ipsec site-to-site peer 192.0.5.2 vti bind 'vti21'
set vpn ipsec site-to-site peer 192.0.5.2 vti esp-group 'ESP-AZURE'
```