
Azure VPN with IKEv2 & INITIATOR role

goblock99
Level 1

Hi,

I'm seeing strange behaviour in three VPNs to Azure: IPsec only seems to work when the IKEv2 role is set to initiator.


WORKS (i.e. can ping a host within the remote selector IP range)


Session-id:17, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
3502952353 x.x.x.x/500 azure_IP/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/296 sec
Child sa: local selector 10.210.0.0/0 - 10.210.255.255/65535
remote selector 10.124.0.0/0 - 10.125.255.255/65535
ESP spi in/out: 0x588abbad/0xb9a10cb6

DOES NOT WORK

IKEv2 SAs:
Session-id:18, Status:UP-IDLE, IKE count:6, CHILD count:0


Tunnel-id Local Remote Status Role
3574310815 x.x.x.x/500 Azure_IP/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/46 sec
Tunnel-id Local Remote Status Role
3567047129 x.x.x.x/500 Azure_IP/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/106 sec
Tunnel-id Local Remote Status Role
3553543971 x.x.x.x/500 Azure_IP/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/166 sec

I just see a lot of Tunnel-IDs but that's it; when initiating traffic, IPsec is not established.

IKE and IPsec policies are identical between the three Azure VPN peers, so what could be the reason for that?

IKE is established, so why won't IPsec follow? After all, the same policies are used.

I'm on 8.4(2).

Cheers!
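
The pattern in the output above (IKE SAs piling up against one peer while CHILD count stays at 0) is easy to miss when several peers are listed. The following parser is an added example, not code from the poster or from Cisco: it reads the `show crypto ikev2 sa` output format quoted in the post and flags sessions where IKE is up but no child SA was ever built, broken down by role. The sample text is constructed to mirror the post (documentation addresses, three responder IKE SAs and no child SA); the function and field names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the output quoted in the post. Peer addresses
# are documentation ranges, not the poster's real peers; the IKE count is set
# to match the three tunnels listed.
SAMPLE_OUTPUT = """\
IKEv2 SAs:
Session-id:17, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
3502952353 203.0.113.10/500 198.51.100.20/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/296 sec
Child sa: local selector 10.210.0.0/0 - 10.210.255.255/65535
remote selector 10.124.0.0/0 - 10.125.255.255/65535
ESP spi in/out: 0x588abbad/0xb9a10cb6

Session-id:18, Status:UP-IDLE, IKE count:3, CHILD count:0

Tunnel-id Local Remote Status Role
3574310815 203.0.113.10/500 198.51.100.21/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/46 sec

Tunnel-id Local Remote Status Role
3567047129 203.0.113.10/500 198.51.100.21/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/106 sec

Tunnel-id Local Remote Status Role
3553543971 203.0.113.10/500 198.51.100.21/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/166 sec
"""

SESSION_RE = re.compile(
    r"Session-id:(?P<sid>\d+), Status:(?P<status>\S+), "
    r"IKE count:(?P<ike>\d+), CHILD count:(?P<child>\d+)"
)
# One IKE SA line: tunnel id, local addr/port, remote addr/port, status, role.
TUNNEL_RE = re.compile(
    r"^(?P<tid>\d+)\s+(?P<local>\S+)/\d+\s+(?P<remote>\S+)/\d+\s+"
    r"(?P<status>\S+)\s+(?P<role>INITIATOR|RESPONDER)$"
)
LIFE_RE = re.compile(r"Life/Active Time:\s*(?P<life>\d+)/(?P<active>\d+) sec")


@dataclass
class Tunnel:
    tunnel_id: str
    local: str
    remote: str
    role: str
    lifetime: int = 0
    active: int = 0


@dataclass
class Session:
    session_id: int
    status: str
    ike_count: int
    child_count: int
    tunnels: list = field(default_factory=list)


def parse_ikev2_sa(text):
    """Parse the session/tunnel blocks into Session objects (header lines are skipped)."""
    sessions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SESSION_RE.search(line)
        if m:
            current = Session(int(m["sid"]), m["status"], int(m["ike"]), int(m["child"]))
            sessions.append(current)
            continue
        if current is None:
            continue
        m = TUNNEL_RE.match(line)
        if m:
            current.tunnels.append(Tunnel(m["tid"], m["local"], m["remote"], m["role"]))
            continue
        m = LIFE_RE.search(line)
        if m and current.tunnels:
            current.tunnels[-1].lifetime = int(m["life"])
            current.tunnels[-1].active = int(m["active"])
    return sessions


def sessions_without_child_sa(sessions):
    """IKE SAs exist but no child (IPsec) SA was negotiated: phase 1 up, phase 2 failing."""
    return [s for s in sessions if s.ike_count > 0 and s.child_count == 0]


def child_sa_by_role(sessions):
    """For each IKE role seen, whether any session in that role obtained a child SA."""
    result = {}
    for s in sessions:
        for t in s.tunnels:
            result[t.role] = result.get(t.role, False) or s.child_count > 0
    return result


def report(text):
    """Human-readable findings for sessions that never got an IPsec SA."""
    lines = []
    for s in sessions_without_child_sa(parse_ikev2_sa(text)):
        peers = ", ".join(sorted({t.remote for t in s.tunnels}))
        roles = "/".join(sorted({t.role for t in s.tunnels}))
        lines.append(f"session {s.session_id}: {s.ike_count} IKE SA(s) to {peers} as {roles}, "
                     f"no child SA -> check phase 2 selectors and policy")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_OUTPUT):
        print(line)
```

Run against a saved copy of the real output, the role summary makes the asymmetry the post describes explicit (initiator sessions get a child SA, responder sessions do not), which points at the phase 2 proposal the remote side sends rather than at phase 1.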

2 Replies

goblock99
Level 1

I will review IPsec policies; there is likely a difference between initiator and responder preventing establishment...

This situation happens because on the on-premises side (Cisco FTD) you need to configure the full "Azure virtual subnet" and "Azure virtual gateway" subnet as remote networks in the encrypted domain. When you create such networks in Azure they automatically get entered into the encrypted domain and you cannot change this. So don't try to configure just some /32 hosts on the Azure side of the VPN; just add the full subnet to the list.

Also make sure the phase 1 timer is 28,800 sec. You also cannot change this parameter on the Azure side; it only allows you to change the phase 2 timer.
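
The reply's two conditions (the on-prem remote networks must fully cover the subnets Azure will offer, and the phase 1 lifetime must be 28800 seconds) can be checked before committing a change. The script below is an added example, not code from the poster, Cisco or Microsoft: it compares an on-prem remote-network list against the Azure-side subnets with Python's `ipaddress` module and reports entries that are narrower than what Azure negotiates, plus a lifetime mismatch. The Azure-side values are constructed (the /15 mirrors the remote selector in the working child SA above; the gateway subnet is an invented placeholder), and all function names are my own.

```python
import ipaddress

# Constructed values, not taken from any Azure portal: per the reply, the Azure
# side always negotiates its full virtual-network and gateway subnets and a
# fixed phase 1 lifetime. The gateway subnet below is a placeholder.
AZURE_SIDE_NETWORKS = ["10.124.0.0/15", "10.124.255.0/27"]
AZURE_PHASE1_LIFETIME = 28800  # seconds; the reply states this cannot be changed on Azure

# Two candidate on-prem remote-network lists: individual hosts (what the reply
# warns against) and the full subnet.
ONPREM_HOST_ENTRIES = ["10.124.0.10/32", "10.125.3.4/32"]
ONPREM_SUBNET_ENTRIES = ["10.124.0.0/15"]


def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def uncovered_azure_networks(azure_cidrs, onprem_cidrs):
    """Azure-side networks that no single on-prem entry fully contains."""
    onprem = _nets(onprem_cidrs)
    return [str(a) for a in _nets(azure_cidrs) if not any(a.subnet_of(o) for o in onprem)]


def narrower_onprem_entries(azure_cidrs, onprem_cidrs):
    """On-prem entries that are strict subsets of an Azure network (e.g. /32 hosts)."""
    azure = _nets(azure_cidrs)
    return [str(o) for o in _nets(onprem_cidrs)
            if any(o != a and o.subnet_of(a) for a in azure)]


def check_encryption_domain(azure_cidrs, onprem_cidrs, onprem_phase1_lifetime):
    """Return a list of findings; an empty list means the on-prem side matches what Azure offers."""
    findings = []
    for n in uncovered_azure_networks(azure_cidrs, onprem_cidrs):
        findings.append(f"Azure network {n} is not fully covered by any on-prem remote-network entry")
    for n in narrower_onprem_entries(azure_cidrs, onprem_cidrs):
        findings.append(f"on-prem entry {n} is narrower than the Azure-side network; use the full subnet")
    if onprem_phase1_lifetime != AZURE_PHASE1_LIFETIME:
        findings.append(f"phase 1 lifetime {onprem_phase1_lifetime}s differs from "
                        f"Azure's fixed {AZURE_PHASE1_LIFETIME}s")
    return findings


if __name__ == "__main__":
    for label, entries, lifetime in [("host entries", ONPREM_HOST_ENTRIES, 86400),
                                     ("full subnet", ONPREM_SUBNET_ENTRIES, 28800)]:
        print(label, check_encryption_domain(AZURE_SIDE_NETWORKS, entries, lifetime) or ["OK"])
```

The containment test is deliberately one-directional: an on-prem entry that is a superset of the Azure subnet is accepted, because the point of the reply is that the Azure side will never offer anything smaller than its full subnets, so the on-prem selector must be at least that wide.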