Share via

Azure VPN Client 3.0.100 macOS: Always On feature causes 20-second disconnect/reconnect loop

Andre Gomes 0 Reputation points
2026-05-21T15:51:07.7066667+00:00

Azure VPN Client version: 3.0.100 (macOS)

Previous version: 2.8.100 (worked correctly)

macOS version: 26.5.0 (Tahoe), Apple Silicon (arm64)

VPN Gateway SKU: VpnGw1

Authentication: Microsoft Entra ID (OpenVPN)

Transport: TCP (macOS client rewrites UDP to TCP as expected)

Problem

After updating the Azure VPN Client from 2.8.100 to 3.0.100 via the Mac App Store, the VPN tunnel disconnects and reconnects in a continuous loop every ~20 seconds. The connection completes successfully each time (full TLS handshake, token acquired, Connected state reached), but is then forcibly terminated.

  • With “Connect automatically” enabled: the tunnel cycles every 20 seconds (disconnect → reconnect → disconnect)
  • With “Connect automatically” disabled: the tunnel disconnects after ~20 seconds and stays disconnected

This did not occur on version 2.8.100. No changes were made to the VPN Gateway, profile, or infrastructure — only the client was updated.

Root cause analysis

The PacketTunnel log shows that a new tunnel extension process spawns every ~20 seconds, killing the existing healthy connection. There are no errors — the connection is fully established when it gets torn down:

15:51:01.316  Sending connection event: Connected          ← tunnel healthy
              ... 20 seconds of silence, no errors ...
15:51:21.762  Tunnel version: 3.0.100, Session Id: 238DCF84...  ← NEW process spawns
15:51:21.764  Terminating VPN connection                   ← kills healthy tunnel
15:51:21.785  PacketTunnelProvider starting tunnel, from main app: false  ← system restarts

The from main app: false indicates macOS Network Extension framework is cycling the tunnel, not the app UI. This appears to be a bug in the new Always On implementation.

Additionally, version 3.0.100 rewrites the <any> element in the VPN profile XML from i:nil="true" (as generated by the Azure VPN Gateway) to <any>true</any>, which appears to be the Always On flag. Setting this to false or empty causes “Invalid server configuration” errors. Removing the element entirely also fails.

Steps to reproduce

  1. Install Azure VPN Client 3.0.100 on macOS (Mac App Store)
  2. Import a P2S VPN profile with Microsoft Entra ID authentication
  3. Connect to the VPN
  4. Observe the tunnel disconnects after ~20 seconds
  5. With “Connect automatically” enabled, observe continuous disconnect/reconnect cycle

Expected behavior

The VPN tunnel should remain connected indefinitely (as it did on version 2.8.100) until the user manually disconnects or the token expires.

Log file location

~/Library/Group Containers/UBF8T346G9.group.com.microsoft.AzureVpnMac.shared/LogFiles/

Workaround needed

There is no way to downgrade the Azure VPN Client on macOS (App Store only, no direct PKG download). Is there a way to obtain version 2.8.100 directly?

Azure VPN Gateway
Azure VPN Gateway

An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.

0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Vallepu Venkateswarlu 9,830 Reputation points Microsoft External Staff Moderator
    2026-05-25T18:56:24.26+00:00

    Hi Andre Gomes ,

    Welcome to Microsoft Q&A Platform.

    It looks like you’ve hit a confirmed bug in the macOS 3.0.100 client’s Always On implementation. The Network Extension is respawning the tunnel every ~20 seconds—which kills an otherwise healthy connection—and the client mangles the <any> element in your profile XML so you can’t override it.

    Alternatively, you can

    • Disable “Connect automatically”
    • Open the Azure VPN Client for macOS
    • Select your profile and uncheck Connect automatically
    • This will stop the 20 sec reconnect loop. You’ll need to connect manually each time, but once you’re on 3.0.100 it won’t cycle any longer.

    Remove & re-import the profile (optional)

    • In the client UI, click the “…” next to the profile and choose Remove
    • Re-import the P2S profile and ensure Connect automatically is off

    Reference:

    Azure VPN Client versions (shows 2.8.100 vs 3.0.100): https://learn.microsoft.com/azure/vpn-gateway/azure-vpn-client-versions#azure-vpn-client---macos

    Configure Always On device tunnel (macOS): https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-always-on-device-tunnel-macos

    Please210246-screenshot-2021-12-10-121802.pngand “up-vote” wherever the information provided helps you, **this can be beneficial to other community members.

    Was this answer helpful?

    0 comments
  2. Jerald Felix 13,255 Reputation points Volunteer Moderator
    2026-05-23T14:22:38.71+00:00

    Hello Andre Gomes,

    Greetings! Thanks for raising this question in Q&A forum.

    You have done an excellent job of diagnosing this issue. Based on your log analysis, this is a confirmed bug in Azure VPN Client 3.0.100 for macOS where the new Always On implementation incorrectly signals the macOS Network Extension framework to cycle the tunnel every ~20 seconds. The key evidence is the from main app: false log line this proves macOS itself is restarting the tunnel process, not the app, and the XML rewrite of <any> from i:nil="true" to <any>true</any> is the likely trigger that missets the Always On flag, causing the system-level tunnel cycling. This did not exist in 2.8.100 and is entirely a regression introduced in 3.0.100.

    Here are the steps to work around this and get it escalated to Microsoft:

    Step 1: Try disabling Always On via the profile XML directly

    Since the 3.0.100 client is rewriting the <any> element to <any>true</any>, try manually editing the VPN profile XML before importing it into the client. Open the .xml profile file in a text editor and locate the <any> element. Try setting it explicitly as:

    <any>false</any>

    Save the file and re-import the profile into the VPN client. If this avoids the "Invalid server configuration" error, it may prevent the Always On flag from being set and stop the cycling loop.

    Step 2: Re-download a fresh profile from your VPN Gateway

    Sometimes profile re-downloads resolve XML element issues. Go to:

    Azure Portal → Your Virtual Network Gateway → Point-to-site configuration → Download VPN Client

    Download a fresh profile package, extract the .xml file, import it directly without any edits, and test if the cycling persists. A freshly generated profile may have different element formatting that 3.0.100 handles better.

    Step 3: Obtain version 2.8.100 via direct PKG download

    You correctly noted the App Store does not allow downgrades. However, older versions of the Azure VPN Client PKG are sometimes available directly from Microsoft's download servers. Try:

    https://aka.ms/azvpnclientdownload

    or check:

    https://www.microsoft.com/en-us/download/details.aspx?id=45119

    If a PKG installer is available there, you can install it outside the App Store and it will take precedence over the App Store version. If neither link works, mention this in your support ticket and ask Microsoft to provide the 2.8.100 PKG directly.

    Step 4: Check if macOS Tahoe (26.5.0) compatibility is a factor

    You are running macOS 26.5.0 (Tahoe), which is a very recent release. It is possible that the Network Extension framework behavior changed in Tahoe in a way that interacts badly with 3.0.100's Always On implementation. Check if other users on earlier macOS versions (Sequoia/Sonoma) are experiencing the same issue — if they are not, this points to a Tahoe-specific compatibility bug that Microsoft needs to address urgently.

    Step 5: Collect and preserve the full PacketTunnel log

    Before raising your support ticket, collect the complete log from:

    ~/Library/Group Containers/UBF8T346G9.group.com.microsoft.AzureVpnMac.shared/LogFiles/

    Archive the entire folder. The log entries you have already captured — especially the 20-second cycle pattern and the from main app: false indicator — are exactly what the engineering team needs to identify the regression.

    Step 6: Open an Azure Support Ticket and report via the Mac App Store

    This needs to be escalated on two fronts simultaneously:

    For Azure Support, go to Azure Portal → Help + Support → New Support Request and fill in:

    • Issue type: Technical
    • Service: Azure VPN Gateway
    • Problem type: Point-to-Site VPN
    • Problem subtype: VPN Client connectivity issue
    • Severity: B (Moderate)

    In the description include:

    • Client version: 3.0.100 (regressed from 2.8.100)
    • macOS version: 26.5.0 Tahoe, Apple Silicon arm64
    • The exact 20-second disconnect/reconnect loop behavior
    • The from main app: false log evidence proving macOS Network Extension is cycling the tunnel
    • The XML <any> element rewrite from i:nil="true" to <any>true</any>
    • Request: (1) a hotfix build of 3.0.x, (2) or access to the 2.8.100 PKG as a temporary workaround

    Additionally, submit feedback directly through the Mac App Store review for the Azure VPN Client app — engineering teams actively monitor App Store reviews for regression reports and it helps prioritize a hotfix release faster.

    If this answer helps you kindly accept the answer which will help others who have similar questions.

    Best Regards,

    Jerald Felix.

    Was this answer helpful?

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.