Community discussions

 
ipdruide
Frequent Visitor
Topic Author
Posts: 57
Joined: Mon Aug 07, 2006 2:07 pm
Location: Paris France

How to clean out Unreplied IPSEC connections

Mon Dec 11, 2006 12:14 pm

Greeting to all,

I am facing IPSEC tunnel connections that sometimes show up as UNREPLIED in the connection list and sit there unreplied until the connection is manually deleted. I tried several tracking settings hoping that Unreplied connections would just time out, but I failed.

The timeout counter ( as seen on winbox ) decrements from 59 seconds down to 48-49 and is then reset to 59 again, keeping the connection alive forever, thus preventing a viable re-connection on the VPN tunnel from occurring.

I hope I was clear enough.
Kindest regards.
 
ipdruide
Frequent Visitor
Topic Author
Posts: 57
Joined: Mon Aug 07, 2006 2:07 pm
Location: Paris France

Silly question ?

Tue Dec 12, 2006 1:03 pm

:oops: :oops:
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Tue Dec 12, 2006 7:52 pm

is this the problem of 'ip ipsec installed-sa flush' ?

Sam
 
ipdruide
Frequent Visitor
Topic Author
Posts: 57
Joined: Mon Aug 07, 2006 2:07 pm
Location: Paris France

probably related

Tue Dec 12, 2006 8:10 pm

Hi Sam,

I think they are related. To solve the problem I have already covered one step with a one-line script that flushes the SAs if the remote network doesn't respond. But it wasn't enough, as I have noticed that from time to time the IPSEC connection is Unanswered for some reason; until it is deleted, it sits there forever preventing a good connection from occurring. I thought maybe adjusting the timeouts would purge connections that have a U status after, say, 10 seconds.
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Wed Dec 13, 2006 12:35 am

I fought with ipsec for months and finally gave up on it. I don't know if it's a bug in RouterOS or just the way it works ... too shifty for me : ) Always having to reboot / flush / disable-enable...

Sam
 
cmit
Forum Guru
Posts: 1547
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Wed Dec 13, 2006 9:33 am

I am running lots of IPsec tunnels between RouterOS machines now for a loooong time, and rarely ever have a problem with them. I think I only once needed to "do the flush" ;-) on a single tunnel.
The only other thing that got me some weeks ago was upgrading from 2.7.x to 2.9.34 - the IPsec config got so screwed up only a "system reset" would help...

Best regards,
Christian Meis
 
fatonk
Member
Posts: 438
Joined: Tue Feb 22, 2005 11:06 am
Location: Mitrovica/Kosova

Wed Dec 13, 2006 10:24 am

With the tunnels that you have problems with, you can configure them in MANUAL rather than IKE mode; with manual you can avoid some dropping since phase 1 will not negotiate but is statically configured. I used to have a problem with some Multitech RF550 VPN routers in IKE mode, but with MANUAL the problem did not occur, so I hope this can help you.

Regards.

Faton
 
ipdruide
Frequent Visitor
Topic Author
Posts: 57
Joined: Mon Aug 07, 2006 2:07 pm
Location: Paris France

Last try of IPSEC

Wed Dec 13, 2006 7:13 pm

Thank you guys for the feed-back. Although I am in the same mood as Sam, since I am facing the same trouble for 3 months, I want to give a last chance to IPSEC, at least on MT.

Fatonk, I am not sure where I can change the setting from IKE to manual. I've been searching (in winbox ) all the menus, without any clues on where to change from IKE to manual. Do you mean manual SAs ?

Cmit do you use manual SAs ?

Thanks again
 
cmit
Forum Guru
Posts: 1547
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Wed Dec 13, 2006 7:36 pm

No manual SAs here, sorry. Everything is running IKE-established SAs, and no problems. Perhaps you could post your IPsec configs for us to check?

Best regards,
Christian Meis
 
ipdruide
Frequent Visitor
Topic Author
Posts: 57
Joined: Mon Aug 07, 2006 2:07 pm
Location: Paris France

Thu Dec 14, 2006 11:40 am

Good day,

I tried manual SAs for one night and found the infamous Unreplied connection in the connection list display the next day. Deleting it manually led to a correct reconnection. Thus my thread title:

Is there a way to time out UNREPLIED connections ? I tried all kinds of settings in the tracking settings but did not find my way. Deleting Unreplied connections after a timeout could help on other occasions and would also maintain a cleaner system.

I'll post my IPSEC setting as soon as I can.

Thanks.
 
fatonk
Member
Posts: 438
Joined: Tue Feb 22, 2005 11:06 am
Location: Mitrovica/Kosova

Fri Dec 15, 2006 1:50 pm

yes that's right I meant for manual SAs.

Sorry that didn't work. Post your IPsec configuration, and maybe we will find something there. I have lots of IKE IPsec tunnels between Mikrotik routers and also between Mikrotik and Cisco, and have no problem like yours.

Regards
 
ipdruide
Frequent Visitor
Topic Author
Posts: 57
Joined: Mon Aug 07, 2006 2:07 pm
Location: Paris France

fixed ?

Mon Dec 18, 2006 1:24 pm

Hello,

I have had neither a disconnection of the tunnel nor an Unreplied one for 3 days, still in manual mode. May the problem be fixed ? I'll let you know.

Thank you all for your help.
 
ipdruide
Frequent Visitor
Topic Author
Posts: 57
Joined: Mon Aug 07, 2006 2:07 pm
Location: Paris France

Generic timeout set to 10 sec seems to solve the issue

Tue Jan 02, 2007 11:17 am

Just to let you know where my experiments lead me:

The IPSEC tunnels seem to be stable, or at least to reconnect themselves, since the Generic Timeout was set to 10 seconds instead of the default value ( 10 minutes ?) in the connection tracking. This setting seems to delete Unreplied connections after 10 seconds and thus allows new ones to occur.
I am not sure that this is the optimal solution , but it works.

Regards.
 
ipdruide
Frequent Visitor
Topic Author
Posts: 57
Joined: Mon Aug 07, 2006 2:07 pm
Location: Paris France

ultimate solution

Mon Jan 08, 2007 3:11 pm

Sorry to post this twice. I had mistakenly posted it as a new thread...


Here is where it belongs.

Just in case some others may be facing the same issue. From experiment to experiment I ended in using a 2 lines script that does it all:

Netwatch will run this script in the event of a tunnel failure :

# Netwatch down-script: first drop the installed SAs, then remove the tracked ESP (IP protocol 50) connections that keep the dead tunnel "alive"
/ip ipsec installed-sa flush
/ip firewall connection remove [find protocol 50]

It seems to be working too, without the need to tamper with the tracking defaults.

Hope this helps a few.
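The two posts above describe the same symptom from two sides: a tracked ESP flow whose timer is constantly refreshed by the initiator's outbound packets but never sees a reply, so it never expires on its own. The script below is an added example (mine, not code from the thread or from MikroTik) that shows how to detect such flows from the Linux side, on which RouterOS connection tracking is built. It assumes the text format printed by `conntrack -L` from conntrack-tools; the two snapshot samples are constructed, not captured from a real router, and the 60-second interval between them and the `conntrack -D` delete commands it emits are choices made for the example. Its key point is that one snapshot cannot tell a fresh tunnel from a dead one, because both look UNREPLIED; a flow that is still UNREPLIED one interval later, with its timer refreshed, is the one the thread's Netwatch script removes.

```python
"""Spot IPsec ESP flows stuck in the UNREPLIED state across two conntrack snapshots.

Added example for this thread; not code from the forum posts or from MikroTik.
RouterOS connection tracking is the Linux netfilter conntrack table, so the
sample lines below are constructed in the text format printed by `conntrack -L`
(conntrack-tools). They were not captured from a real router.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

ESP = 50  # IP protocol number of ESP, the tunnelled IPsec traffic

# One `conntrack -L` line: proto name, proto number, seconds left on the timer,
# optional TCP state, original-direction src/dst (ports optional),
# optional [UNREPLIED] flag, then the expected reply-direction src/dst.
_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\d+)\s+(?P<timeout>\d+)\s+(?:[A-Z_]+\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+(?:sport=\d+\s+dport=\d+\s+)?"
    r"(?P<unreplied>\[UNREPLIED\]\s+)?"
    r"src=(?P<rsrc>\S+)\s+dst=(?P<rdst>\S+)"
)

# Constructed snapshot 1 (assumed taken first).
SNAPSHOT_1 = """\
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=198.51.100.7 sport=50312 dport=443 src=198.51.100.7 dst=10.0.0.5 sport=443 dport=50312 [ASSURED] mark=0 use=1
udp      17 29 src=192.0.2.10 dst=198.51.100.20 sport=500 dport=500 src=198.51.100.20 dst=192.0.2.10 sport=500 dport=500 [ASSURED] mark=0 use=1
unknown  50 599 src=192.0.2.10 dst=198.51.100.20 [UNREPLIED] src=198.51.100.20 dst=192.0.2.10 mark=0 use=1
unknown  50 598 src=192.0.2.11 dst=198.51.100.21 src=198.51.100.21 dst=192.0.2.11 [ASSURED] mark=0 use=1
unknown  50 590 src=192.0.2.12 dst=198.51.100.22 [UNREPLIED] src=198.51.100.22 dst=192.0.2.12 mark=0 use=1
"""

# Constructed snapshot 2 (assumed taken 60 s later). The 192.0.2.10 flow is
# still UNREPLIED with a refreshed timer; 192.0.2.12 has since been answered;
# 192.0.2.13 is a brand-new tunnel that has not had time to be answered yet.
SNAPSHOT_2 = """\
unknown  50 598 src=192.0.2.10 dst=198.51.100.20 [UNREPLIED] src=198.51.100.20 dst=192.0.2.10 mark=0 use=1
unknown  50 599 src=192.0.2.11 dst=198.51.100.21 src=198.51.100.21 dst=192.0.2.11 [ASSURED] mark=0 use=1
unknown  50 597 src=192.0.2.12 dst=198.51.100.22 src=198.51.100.22 dst=192.0.2.12 [ASSURED] mark=0 use=1
unknown  50 599 src=192.0.2.13 dst=198.51.100.23 [UNREPLIED] src=198.51.100.23 dst=192.0.2.13 mark=0 use=1
"""


@dataclass(frozen=True)
class Entry:
    proto: int
    timeout: int    # seconds left before the tracker expires this entry
    src: str        # initiator (original-direction) address
    dst: str        # responder address
    unreplied: bool  # True while no packet has been seen in the reply direction


def parse_conntrack(text: str) -> list[Entry]:
    """Parse `conntrack -L` output; lines that are not entries are skipped."""
    entries: list[Entry] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        entries.append(Entry(int(m["proto"]), int(m["timeout"]),
                             m["src"], m["dst"], m["unreplied"] is not None))
    return entries


def unreplied_esp(entries: list[Entry]) -> list[Entry]:
    """ESP entries that have never seen a reply (the 'U' flag in the thread)."""
    return [e for e in entries if e.proto == ESP and e.unreplied]


def persistent_unreplied_esp(first: list[Entry], second: list[Entry]) -> list[Entry]:
    """ESP flows UNREPLIED in both snapshots.

    A single snapshot cannot separate a tunnel that is just coming up from one
    whose peer is dead: the initiator's outbound ESP keeps refreshing the timer
    (the 59 -> 48 -> 59 cycle in the thread), so the timer value is useless.
    A flow still UNREPLIED one interval later has a peer that never answers.
    """
    before = {(e.src, e.dst) for e in unreplied_esp(first)}
    return [e for e in unreplied_esp(second) if (e.src, e.dst) in before]


def delete_commands(entries: list[Entry]) -> list[str]:
    """conntrack-tools commands that would remove the stale entries (not executed)."""
    return [f"conntrack -D -p {e.proto} -s {e.src} -d {e.dst}" for e in entries]


if __name__ == "__main__":
    stale = persistent_unreplied_esp(parse_conntrack(SNAPSHOT_1),
                                     parse_conntrack(SNAPSHOT_2))
    for cmd in delete_commands(stale):
        print(cmd)
```

The generated `conntrack -D` lines are the Linux equivalent of the thread's `/ip firewall connection remove [find protocol 50]`, but targeted at the one flow that proved stale rather than every ESP entry on the box; on a transit router carrying other customers' tunnels, as in the later posts, that narrower removal avoids disturbing tunnels that are healthy.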
 
plucchetti
newbie
Posts: 33
Joined: Sat Jun 18, 2005 6:57 pm

Re: How to clean out Unreplied IPSEC connections

Mon May 12, 2008 9:34 pm

This solution works fine without NAT because in NAT schema netwatch can't ping with source address, right?


Pablo
 
wifi442
Frequent Visitor
Posts: 82
Joined: Tue Jan 12, 2010 11:01 pm

Re: How to clean out Unreplied IPSEC connections

Tue Apr 17, 2012 12:32 am

Sorry for the thread revival. Today I had to reboot my core router (bad UPS, moved to another one). Once the router came back up I was having trouble with customers that use IPSEC. Everything else was perfect.

I had 4 separate customers who had tunnels that would not connect, pulled my hair out all day. After digging everywhere I found unreplied connections in tracker and terminated them and the tunnels all came back up. Anyone know what happened?

I don't have anything to do with the tunnels, they just traverse over my network (tunnels start on LAN side of cust CPE and traverse out to the internet).

I am running 5.11 on the core router in question (RB1100x2)

Any help would be appreciated!
 
wifi442
Frequent Visitor
Posts: 82
Joined: Tue Jan 12, 2010 11:01 pm

Re: How to clean out Unreplied IPSEC connections

Wed Apr 18, 2012 4:57 pm

No one has had this happen? I now have a fear that if for some reason my core router needs to be rebooted, I have to torch all ipsec connections that customers have to verify they all came back up. If they haven't, off to connection tracking to try to manually kill the "U" Unreplied connections
