PhilipLykov
newbie
Topic Author
Posts: 48
Joined: Fri Dec 10, 2010 12:24 am

IPSEC with Cisco 2811

Sun Oct 07, 2012 1:50 am

I have 5 MikroTik devices and all of them should connect with IPSEC to a Cisco 2811. Everything works fine, but when the network connection between these devices disappears for a few seconds they cannot automatically reconnect IPSEC. It seems that MikroTik or Cisco creates a new SPI, but the second device tries to use the old SPI in communication. And I have to manually kill all SPIs on the MikroTik, and then everything starts to work.

I use IPSEC in transport mode (not tunnel) with an IPencap tunnel above it. I use a policy with "require" level; in the peer settings both "Send Initial Contact" and "NAT Traversal" are enabled. DPD: interval - 15, Maximum Failures - 2.

Could you please point out what I am doing wrong?
 
tomaskir
Trainer
Posts: 1162
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: IPSEC with Cisco 2811

Sun Oct 07, 2012 3:54 am

> I have 5 MikroTik devices and all of them should connect with IPSEC to a Cisco 2811. Everything works fine, but when the network connection between these devices disappears for a few seconds they cannot automatically reconnect IPSEC. It seems that MikroTik or Cisco creates a new SPI, but the second device tries to use the old SPI in communication. And I have to manually kill all SPIs on the MikroTik, and then everything starts to work.
>
> I use IPSEC in transport mode (not tunnel) with an IPencap tunnel above it. I use a policy with "require" level; in the peer settings both "Send Initial Contact" and "NAT Traversal" are enabled. DPD: interval - 15, Maximum Failures - 2.
>
> Could you please point out what I am doing wrong?

DPD with your config will kick in after 30sec and new SAs will be negotiated.

However if the network outage is only 10 seconds, and the Cisco on the other end has DPD set to 5sec, it will discard its SAs while MKT will still consider them valid.

One thing that could help is setting the level in IPSec policies to "unique"; although this should only matter if you have multiple policies from the same MKT to the same Cisco device (Cisco requires a unique SA for each IPSec "connection"), it might help in your case.

Also, NAT Traversal should be disabled if you are not actually traversing a NAT.

Without looking at the IPSec logs from the MKT side I can't help more.
 
PhilipLykov
newbie
Topic Author
Posts: 48
Joined: Fri Dec 10, 2010 12:24 am

Re: IPSEC with Cisco 2811

Mon Oct 08, 2012 4:41 pm

You are right. It happens on small network outages only, 1-5 seconds. I have only one policy for this host, so I suppose that the "unique" level is unnecessary. I will post logs in a few hours.
 
tomaskir
Trainer
Posts: 1162
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: IPSEC with Cisco 2811

Mon Oct 08, 2012 5:14 pm

> You are right. It happens on small network outages only, 1-5 seconds. I have only one policy for this host, so I suppose that the "unique" level is unnecessary. I will post logs in a few hours.

In your case it will be necessary. Because when a short network outage occurs, Cisco will create new SAs, but MikroTik will just reuse the SAs for this dst address (Cisco's IP) since they are already present. (Not actually what's happening, simplified version.)

But remember that cisco requires unique SAs for every single IPSec connection, even with the same peer. And from cisco's point of view, a new IPSec connection is being established, since the old one was closed due to DPD. So setting level to unique should actually solve your problem.
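The two replies above describe a timing race: each peer declares its SAs dead only after its own DPD interval multiplied by its maximum-failures count has elapsed, so an outage that is longer than one side's dead time but shorter than the other's leaves one peer renegotiating while the other keeps using a stale SPI. The following toy model, added here as an example and not code from the thread or from either vendor, walks through three outage lengths with the 15 s / 2 failures setting from the first post and the 5 s Cisco interval mentioned in the reply; the Cisco maximum-failures value, the SPI numbers and the one-SPI-per-peer simplification are assumptions.

```python
"""Toy model of the DPD timing mismatch described in the thread.

A peer drops its SAs once DPD has gone unanswered for
dpd_interval * dpd_max_failures seconds. If only one side times out,
it negotiates a new SA while the other side keeps the old one, so the
two ends disagree on the SPI and traffic fails until the stale SA is
flushed (the manual "kill all SPIs" step from the first post).

Constructed example: SPI values are generated, not real ones.
"""
from dataclasses import dataclass
from typing import Optional
import itertools

_spi_counter = itertools.count(0x1000)  # constructed SPI values


def new_spi() -> int:
    return next(_spi_counter)


@dataclass
class Peer:
    name: str
    dpd_interval: int          # seconds between DPD keepalive probes
    dpd_max_failures: int      # unanswered probes before SAs are discarded
    spi: Optional[int] = None  # outbound SPI this peer currently uses

    def dead_time(self) -> int:
        """Silence (seconds) after which this peer declares its SAs dead."""
        return self.dpd_interval * self.dpd_max_failures


def establish(a: Peer, b: Peer) -> int:
    """Negotiate one SA; both ends agree on the same SPI (simplified model)."""
    spi = new_spi()
    a.spi = b.spi = spi
    return spi


def simulate_outage(a: Peer, b: Peer, outage_seconds: int) -> dict:
    """Apply a link outage and report which peers dropped their SAs and
    whether the two ends still agree on the SPI afterwards."""
    dropped = [p.name for p in (a, b) if outage_seconds >= p.dead_time()]
    if len(dropped) == 2:
        # Both sides timed out: a full renegotiation yields a fresh shared SPI.
        establish(a, b)
    elif len(dropped) == 1:
        # Only one side timed out. It negotiates a new SA; the other side
        # still has an SA for this destination and keeps reusing it
        # (the simplified "reuse" behaviour described in the reply).
        dropper = a if dropped[0] == a.name else b
        dropper.spi = new_spi()
    return {
        "dropped": dropped,
        "spis": {a.name: a.spi, b.name: b.spi},
        "consistent": a.spi == b.spi,
    }


def flush_stale(a: Peer, b: Peer) -> int:
    """The manual workaround from the thread: remove every installed SA so
    the next negotiation starts from a clean table on both sides."""
    a.spi = b.spi = None
    return establish(a, b)


def run_example() -> dict:
    """Run three outage lengths against fresh peers; returns results keyed
    by outage length in seconds."""
    results = {}
    for outage in (3, 10, 45):
        mikrotik = Peer("mikrotik", dpd_interval=15, dpd_max_failures=2)  # from thread
        cisco = Peer("cisco", dpd_interval=5, dpd_max_failures=2)  # 5 s from thread; failures assumed
        establish(mikrotik, cisco)
        results[outage] = simulate_outage(mikrotik, cisco, outage)
    return results


if __name__ == "__main__":
    for outage, result in run_example().items():
        print(f"outage {outage:>2}s: dropped={result['dropped']} "
              f"spis={result['spis']} consistent={result['consistent']}")
```

With these values the MikroTik dead time is 30 s and the Cisco dead time is 10 s: a 3 s outage is harmless, a 45 s outage makes both sides renegotiate, and a 10 s outage produces exactly the one-sided mismatch the thread describes. The practical check on a real router is the same as in the model: after a short outage, compare the installed SA SPIs on both ends, and if they differ, the stale side needs its SAs flushed or a policy level that forces a fresh SA for the new connection.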
 
PhilipLykov
newbie
Topic Author
Posts: 48
Joined: Fri Dec 10, 2010 12:24 am

Re: IPSEC with Cisco 2811

Tue Oct 09, 2012 6:34 pm

Now it works fine. Thank you!
 
cerepx
just joined
Posts: 2
Joined: Fri Oct 14, 2011 9:35 am

Re: IPSEC with Cisco 2811

Tue Dec 17, 2013 6:45 pm

PhilipLykov hi,

Could you please explain how you solved the problem?
I have the same problem :( When I clear crypto ipsec peer, the ASA tears down the tunnel but the MK keeps the SPI and DPD is not working.
 
PhilipLykov
newbie
Topic Author
Posts: 48
Joined: Fri Dec 10, 2010 12:24 am

Re: IPSEC with Cisco 2811

Tue Dec 17, 2013 7:09 pm

> PhilipLykov hi,
>
> Could you please explain how you solved the problem?
> I have the same problem :( When I clear crypto ipsec peer, the ASA tears down the tunnel but the MK keeps the SPI and DPD is not working.

Sorry, but it still doesn't work fine.
MikroTik has too many bugs and very bad support.