To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

What's new in 6.38.1 (2017-Jan-13 05:51):

*) bridge - disallow manual removal of dynamic bridge ports;
*) bridge - fixed MAC address learning from switch master-port;
*) bridge - fixed access loss to device through bridge if master port had a loop (introduced in v6.38);
*) certificate - added year cap (invalid-after date will not exceed year 2039);
*) certificate - fixed fail on import from CAPs when both key and name already exist;
*) dhcpv6-client - fixed DHCPv6 rebind on startup;
*) dhcpv6-server - fixed server removal crash if static binding was present;
*) dns - fixed typo in regexp error message;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=21&t=116356);
*) fan - improved RPM monitor on CCR1009;
*) firewall - nat action "netmap" now requires to-addresses to be specified;
*) health - report fan speed for RB800 and RB1100 when 3-pin fan is being used;
*) ike1 - fixed ph1 rekey in setups with mode-cfg;
*) ike2 - allow empty selectors to reach policy handler;
*) ike2 - auto-negotiate split nets;
*) ike2 - default to tunnel mode in setups without policy;
*) ike2 - fixed error packet from initiator on responder reply;
*) ike2 - fixed initiator TS updating;
*) ike2 - fixed ph1 initial-contact rare desync;
*) ike2 - fixed policy setting for /0 selector with different address families;
*) ike2 - fixed split policy active flag;
*) ike2 - fixed traffic selector prefix calculation;
*) ike2 - fixed xauth add check;
*) ike2 - include identity in peer address info;
*) ike2 - log empty TS payload;
*) ike2 - minor logging update;
*) ike2 - show peer identity of connected peers;
*) ike2 - traffic selector improvements;
*) ike2 - update also local port when peer changes port;
*) ike2 - use first split net for empty TS;
*) ike2 - use standard retransmission timers for DPD;
*) ike2 - xauth like auth method with user support;
*) ipsec - added ability to kill particular remote-peer;
*) ipsec - fixed flush speed and SAs on startup;
*) ipsec - fixed peer port export;
*) ipsec - port is used only for initiators;
*) ipv6 - added warning about having interface MTU less than minimal IPv6 packet fragment (1280);
*) license - fixed demo license expiration after installation on x86;
*) log - improved firewall log messages when NAT has changed only connection ports;
*) logs - work on false CPU/RAM overclocked alarms;
*) mpls - fixed crash on active tunnel loss in MPLS TE setups;
*) ovpn - fixed address acquisition when ovpn-in interface becomes slave;
*) proxy - fixed "max-cache-object-size" export;
*) proxy - speed-up almost empty disk cache clean-up;
*) quickset - various small changes;
*) rb751u - fixed ethernet LEDs (broken since 6.38rc16);
*) ssh - fixed high memory consumption when transferring file over ssh tunnel;
*) webfig - show properly large BGP AS numbers;
*) winbox - added "make-static" to IPv6 DHCP server bindings;
*) winbox - added "prefix-pool" to DHCPv6 server binding;
*) winbox - added IPsec to radius services;
*) winbox - added upstream flag to IGMP proxy interfaces;
*) winbox - allow to specify "connection-bytes" & "connection-rate" for any protocol in “/ip firewall†rules;
*) winbox - allow to specify "sip-timeout" under ip firewall service-ports;
*) winbox - do not create empty rates.vht-basic/supported-mcs if not specified in CAPsMAN;
*) winbox - hide "nat-traversal" setting in IPsec peer if IKEv2 is selected;
*) winbox - show dynamic IPv6 pools properly;
*) winbox - show errors on IPv6 addresses;
*) winbox - specify metric for “/ip dns cache-used†setting;
*) wireless - show comment on "security-profile" if it is set;

I have strange excitement about version that was build on the Friday 13th and with full moon (at least where i'm from).

Just upgraded my home network CRS226, RB750Gr2 and few WAP ac, so far so good. Tomorrow will play with test network @ work.

Awesome for releasing this release so soon. Will see if I can test it out later tonight on my RB750Gr3's and will report back once its done and tested. I really hope the 6.38 bugs are squashed

I have strange excitement about version that was build on the Friday 13th and with full moon (at least where i'm from).

Just upgraded my home network CRS226, RB750Gr2 and few WAP ac, so far so good. Tomorrow will play with test network @ work.

hehehe, beware!!!

Disable and Enable not worked in winbox
Please fix this issue

Sent from my C6833 using Tapatalk

Disable/enable issue is already fix in Winbox 3.9

Latest for Mac hasn't been done yet...

http://joshaven.com/resources/tools/winbox-for-mac/

Still stuck on 3.7.. wonder if joshaven hides out here somewhere, if so, would you be so kind and give us a 3.9 version when you get a few minutes. Thank you.

**Update**

I have just dropped joshaven a quick email to see if he can upgrade winbox for us macOS users to 3.9 as a temp fix until Mikrotik one day decides to give us a native version. Fingers crossed he is willing to do it.

I really hope the 6.38 bugs are squashed

No, 6.38.1 also bugged, as 6.38 (ipsec tunnel dont work)
Only downgrade to 6.37.3 can help.

Upgrade from 6.37.2 to 6.38.1 bricked rb751u-2hnd ... simple setup, pppoe+nat+wifi ...

Edit: Had to netinstall it ... it works OK now.

The PPPoE speed issue seems to be solved, at least for me.

The Bridge not using the FP with IPsec and EOIP is solved for me too. Speed is back

Latest for Mac hasn't been done yet...

http://joshaven.com/resources/tools/winbox-for-mac/

Still stuck on 3.7..

Just upgrade from within winbox using the check for updates under tools. Works fine for me, although I am using my own wrapped version. It's pretty easy to do yourself if you want to learn. I use WineBottler with the separate Wine app as it keeps disk space usage down and Wine can be shared with other apps. Either way, with Winbox there's really no extra stuff you need, so it's easy to wrap.

2017-Jan-13 05:51

05:51

O RLY?

problem with speed is fixed on hap ac

Unfortunately the bug with IPSec - "pre shared key xauth" introduced in 6.38 was not fixed in 6.38.1

When testing VPN with Android phone VPN type "IPSec Xauth PSK" (Nexus 5X Android version 7.1.1) RouterOS incorrectly recognizes XAUTH password length.
Password for above user attempt is in reality 10 characters long (both in "/ip ipsec user" and in Android phone).

IPSec peer config: With the same config RouterOS version 6.37.3 succesfully established IPSec tunnel (Phase 1 and Phase 2).

Can anyone repeat the above problem?

This seems to have sorted the fan reporting issue on my 1009-8G-1S-1S+ that I reported after 6.37.3/6.38:

> system health print
fan-mode: auto
use-fan: main
active-fan: main
cpu-overtemp-check: yes
cpu-overtemp-threshold: 70C
cpu-overtemp-startup-delay: 1m
voltage: 24V
current: 829mA
temperature: 32C
cpu-temperature: 54C
power-consumption: 19.8W
psu1-state: ok
psu2-state: ok
fan1-speed: 4284RPM

Thanks guys!

Latest for Mac hasn't been done yet...

http://joshaven.com/resources/tools/winbox-for-mac/

Still stuck on 3.7..

Just upgrade from within winbox using the check for updates under tools. Works fine for me, although I am using my own wrapped version. It's pretty easy to do yourself if you want to learn. I use WineBottler with the separate Wine app as it keeps disk space usage down and Wine can be shared with other apps. Either way, with Winbox there's really no extra stuff you need, so it's easy to wrap.

Just did this -- it got me 3.8, but not 3.9 (am I misinterpreting announcement by strods, above?)

Its definitely winbox 3.9!

Latest for Mac hasn't been done yet...

http://joshaven.com/resources/tools/winbox-for-mac/

Still stuck on 3.7.. wonder if joshaven hides out here somewhere, if so, would you be so kind and give us a 3.9 version when you get a few minutes. Thank you.

**Update**

I have just dropped joshaven a quick email to see if he can upgrade winbox for us macOS users to 3.9 as a temp fix until Mikrotik one day decides to give us a native version. Fingers crossed he is willing to do it.

Click "tools -> check for updates" and upgrade your Winbox Mac version! You do not have to wait for somebody to re-compile it.

2017-Jan-13 05:51

05:51

O RLY?

GMT time

Latest for Mac hasn't been done yet...

http://joshaven.com/resources/tools/winbox-for-mac/

Still stuck on 3.7.. wonder if joshaven hides out here somewhere, if so, would you be so kind and give us a 3.9 version when you get a few minutes. Thank you.

**Update**

I have just dropped joshaven a quick email to see if he can upgrade winbox for us macOS users to 3.9 as a temp fix until Mikrotik one day decides to give us a native version. Fingers crossed he is willing to do it.

Click "tools -> check for updates" and upgrade your Winbox Mac version! You do not have to wait for somebody to re-compile it.

screen 13.jpg

Omg I never knew that, thanks so much for pointing that out to me. How could I be so blind. Thanks again.

Unfortunately the bug with IPSec - "pre shared key xauth" introduced in 6.38 was not fixed in 6.38.1

When testing VPN with Android phone VPN type "IPSec Xauth PSK" (Nexus 5X Android version 7.1.1) RouterOS incorrectly recognizes XAUTH password length.

Code: Select all

Jan/16/2017 21:23:42 ipsec,debug Configuration exchange type mode config REPLY
Jan/16/2017 21:23:42 ipsec,debug Short attribute XAUTH_TYPE = 0
Jan/16/2017 21:23:42 ipsec,debug Attribute XAUTH_USER_NAME len 6
Jan/16/2017 21:23:42 ipsec,debug Attribute XAUTH_USER_PASSWORD len 11
Jan/16/2017 21:23:42 ipsec,info Xauth login failed for user: ******

Password for above user attempt is in reality 10 characters long (both in "/ip ipsec user" and in Android phone).

IPSec peer config:

Code: Select all

 /ip ipsec peer> print
Flags: X - disabled, D - dynamic, R - responder 
 0   R address=0.0.0.0/0 passive=yes auth-method=pre-shared-key-xauth secret="**********" generate-policy=port-override policy-template-group=RoadWarrior 
       exchange-mode=main mode-config=RW-cfg send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256 
       dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5 

With the same config RouterOS version 6.37.3 succesfully established IPSec tunnel (Phase 1 and Phase 2).

Can anyone repeat the above problem?

Thanks, will be fixed in next 39RC and 6.38.2

What about DHCP server issues, affected in ROS > 6.38? Please, read this thread: http://forum.mikrotik.com/viewtopic.php?f=2&t=116963

Migrated portion of Work network to v6.38.1, around 30 routers, wifi PtP and PtMP, Some GW and some switches. One device had to be netinstalled for some unknown reason (happens time to time), found 2 loops thanks to hardware STP feature. Is there or will be there a way to set STP roles to dynamic switch ports (like in bridge - edge/point-to-point/External FDB) ???

On HW STP, when upgrading don't panic if first device doesn't come back , most likely you need to migrate whole L2 segment to v6.38.1
for new STP implementation to work, for devices to speak in the same language.

macgaiver,
We are looking forward to improve hardware STP/RSTP functionality and add configurable STP/RSTP related port options in future.

sorry... mikrotik... iam very thankfull for all your work... but the last releases only peaces of s.... !!! they make me so much trouble !!!! capsman... wifi... dhcp...
im so pissed off !!!

please do something... bring back some stable releases in current....

with the config from 6.37.3 on 6.37.3 all work fine... with the same config on bugfix version 6.37.4 i have a lot of trouble too with capsman wifi like the current release....


grrrrrrrrrr

with the same config on bugfix version 6.37.4 i have a lot of trouble too with capsman wifi like the current release....

Can you be more specific, please?

HI - I made a topic out of this in General discussion - but I thought that i posted here as well (since it is a bug in 6.38.1)

This first happened in ROS 6.38. I have bonds to switches and servers (different vendors and different routerboards) 802.3ad (for throughtput). The bonds are always in bridges.

Untill last 6.37 all was working fine - but in 6.38 the slave ports of the bonds dinamically added to the same bridges the "master" bonds are in.
This STOPS the bonds from working. I am unable to communicate with devices connected to the switches or servers and switches connected to the bonds themselves.

In 6.38 I Was able to remove the dynamic member ports from the bridge - then everything started working again. And now - in 6.38.1 You blocked dynamic port removal - so i can't make the bonds work. I reverted to 6.38 - removed dynamic ports from the bridge and everything started working again.

Logically - i think this will always be a problem (the slave ports of a bond cannot take part in communication themselves only the master bond can - so the slaves cannot be a part of anything except the master bond).

Lukasz

@MT: Actually, what is the idea behind and the benefits of adding slave ports dynamically to the bridges?
We define a master port to handle it as a single port in any operations on the router, including in bridges.
If we need a specific port to be a separate instance in the bridge, we remove its slave status do it manually.
So again, why the the dynamic ports? It breaks everything about the master-slave port concept.
If this is needed for the new STP paradigm, do it for STP/RSTP only, without altering other functions...

One device had to be netinstalled for some unknown reason (happens time to time)

Which device? One of our CRS is trashed flash.

@docmarius
The adding of slave ports dynamically to the bridges allows monitoring STP/RSTP port status. None of the forwarding between switched ports actually happens in the bridge.

The adding of slave ports dynamically to the bridges allows monitoring STP/RSTP port status. None of the forwarding between switched ports actually happens in the bridge.

So basically it is only eye candy and should not interfere with other functions.
Thank you for clarifying this.

Hi

I have upgraded my CCR1009 to the version 6.38.1 and after the upgrade the router doesn't boot up. I did the upgrade through the Package List menu in RB OS.
The router keeps beeping and rebooting constantly.

best regards

The router keeps beeping and rebooting constantly.

Use netinstall to repair. After netinstall find router but BEFORE start installing - copy and save to safe place "Software ID" and "Key" values.

There is (still) an IPsec issue:

when I reconnect with initiator too fast the dynamic policy on responder is not purged, there is also a corrsponding SA left with no timeout values.
On responder side everything looks fine IPsec-wise but IPIP-Tunnel never comes online.
This situation can only be solved by either reconnectiong again from initiator side or by (now possible in 6.38.1) removing the peer entry on responder thus reinitiating phase1 and phase2.

why in resource IRQ sometimes show "switch0-ether1-usb1" sometime blank not show anything ? since ROS 6.37 if i remember corectly

Updated flawlessly on our 951Ui-2HnD, used as an extra AP. No issues. Will do the main firewall/router tonight to avoid protests from the fam.

Installs the new version 6.38.1 and my clients lost the internet immediately after the restart.
I had to download version and put a backup to work again

I have CCR1036-8G-2S+
Last version OS= 6.38

@Caribetech could you send supout.rif or config, from that router? We will try to replicate your issue locally.
@aditrodostress witch RouterBoard your are using ?

VLAN interfaces that have a bridge declared as a belonging interface don't work anymore. You need to declare a physical interface instead for it to work properly.
It worked ok in previous versions. At least in RB951G-2Hnd

VLAN interfaces that have a bridge declared as a belonging interface don't work anymore. You need to declare a physical interface instead for it to work properly.
It worked ok in previous versions. At least in RB951G-2Hnd

Same problem with CCR1009-8G-1S-1S+, VLAN port belongs to bridge and doesn't work,
Downgrade to ver. 6.37.4 (Bugfix only) and problem solved.

Regards,

EDIT: Typo corrected

@Caribetech could you send supout.rif or config, from that router? We will try to replicate your issue locally.
@aditrodostress witch RouterBoard your are using ?

found at RB750, RB450G, RB951Ui-2HnD but routerboard running ok without problem, just still confusing me why sometime appear sometimes dissapear

RB450G

ether1 dissapear on item list

RB750

sometimes IRQ not show any item

RB951Ui-2HnD

switch0 dissapear on item list

There is a known problem that entries from IRQ table can disappear. Do not worry about it since everything seems to work properly even without entries showing up.

VLAN interfaces that have a bridge declared as a belonging interface don't work anymore. You need to declare a physical interface instead for it to work properly.
It worked ok in previous versions. At least in RB951G-2Hnd

Same problem with CCR1009-8G-1S-1S+, VLAN port belongs to bridge and doesn't work,
Downgrade to ver. 6.37.4 (Bugfix only) and problem solved.

Regards,

EDIT: Typo corrected

Thanks, I did that and it works now.
Still, this is a significant bug that causes loss of conectivity to routers that use something as simple as vlans.
It needs to be fixed very quickly. How can such a bug skip verifications?

Some problems....

WARNING: SECURITY FLAW!???
upgrading to 6.38.1 automatically enable tikapp on all groups, also restricted groups...

NTP package are installed on second reboot using /file methods (using netinstall no problem)

on CCR1009-8G-1S-1S+ ethernet port order are switch/inverted:
ether5
ether6
ether7
ether8
ether1
ether2
ether3
ether4
sfp-sfpplus1
sfp-sfp1

Thanks.

Perhaps, it may be seen as only a cosmetic hiccup, but the Slave flag also switches place as well.

Here is a picture: http://imgur.com/a/gB1nc

Loss of packets on x86 based router and TP-Link 3269 cards. Downgrade to 6.37.3 solved problem.

Still having problems when on local bridge enabled rstp. After disabling rstp, everything works as it should. This was broken in release before this one.

Two Mikrotik routers connected to each other. When rstp is enabled, I can't ping the other Mikrotik.

HI - I made a topic out of this in General discussion - but I thought that i posted here as well (since it is a bug in 6.38.1)

This first happened in ROS 6.38. I have bonds to switches and servers (different vendors and different routerboards) 802.3ad (for throughtput). The bonds are always in bridges.

Untill last 6.37 all was working fine - but in 6.38 the slave ports of the bonds dinamically added to the same bridges the "master" bonds are in.
This STOPS the bonds from working. I am unable to communicate with devices connected to the switches or servers and switches connected to the bonds themselves.

In 6.38 I Was able to remove the dynamic member ports from the bridge - then everything started working again. And now - in 6.38.1 You blocked dynamic port removal - so i can't make the bonds work. I reverted to 6.38 - removed dynamic ports from the bridge and everything started working again.

Logically - i think this will always be a problem (the slave ports of a bond cannot take part in communication themselves only the master bond can - so the slaves cannot be a part of anything except the master bond).

Lukasz

Can anyone from @MT respond will this be fixed or is this a intended behavior and I have to stick to 6.37.x for ever?

I have troubles with my mAP (RBmAP2nD) after the installation of 6.38.1 (I am not quite sure if they were present with 6.38)
The router works somehow, reacts very slowly to the webfig page (i.e. firewall rules appear after 5-10 seconds) and finally stops being accessable from wifi after a couple of minutes. Especially when I try to add a virtual AP, the router gets inaccessable from wifi (SSIDs still visible, but passphrases arenot accepted any more)

Even a factory reset and very simple settings (only NAT-router for wifi clients for the internet) don't help.

Additional information: Internet access is via an LTE modem connected via USB, which worked fine at RouterOS 6.37.x and before (mode is one out of the compatible list)

Does somebody have a solution for the problem?

RB951G-2HnD
Reboots every minute after upgrade to 6.38.1. High CPU usage for a short time leads to constant reboots.

951G-2HnD
firmware 3.33
upgrade to 6.38.1 good
CPU load 1-4%, for "speedtest" - 14% max

When trying to recover faced another problem.

Problem description:
Ports order flip when restoring configuration from backup

Equipment used in test:
A. Mikrotik RB951G-2HnD firmware version 6.38.1
B. Mikrotik RB951Ui-2HnD firmware version 6.37.3

Steps to reproduce:
1. Backup configuration via Files (copy/paste in Winbox) on A
2. Copy backed up configuration via Files (copy/paste in Winbox) from A to B
3. Restore configuration via Files on B
4. Reboot B
5. Ports order flipped upside down (and wlan disabled)

For example, on A I have port 1 named ether1-master and port 5 named ether5-gateway. After restoring configuration on B port 1 named ether5-gateway and port 5 named ether1-master. Firewall rules and filters following invalid ports order.

1. Backup configuration via Files (copy/paste in Winbox) on A
2. Copy backed up configuration via Files (copy/paste in Winbox) from A to B
3. Restore configuration via Files on B

Backups are not meant to move/copy configuration between different routers. Do not use it to move the configuration even between two routers of exactly the same model. It not only may lead to an undesirable effect like the one you've just described, but it also copies values which are meant to be different on different boards (for instance interface MAC addresses).

When you need to transfer the configuration from one router to another use /export instead.

When you need to transfer the configuration from one router to another use /export instead.

Appreciated for this information. I've moved disputable configuration which leads to rebooting to a different router (RB951Ui-2HnD) with 6.38.1 firmware. Will see.

hAP ac, ROS 6.38.1, RouterBOOT 3.34:
Firewall/Address-List/Creation-Time shows GMT time, not time according to time-zone settings.
Can someone confirm this?

Regards,

ditonet - Yes, that is correct. We will try to fix this in next RouterOS release.

ditonet - Yes, that is correct. We will try to fix this in next RouterOS release.

Thanks.

Regards,

when will be fixed WIFI problem with old devices on Intel 2200BGN ? Still can`t connect to hAp Lite with old Toshiba laptop. Version prior 6.37 works perfect!

Well.... it's next beta.
It bricked my hAP ac on the bench - it had default config (I did an reset like 5 minutes before) with WiFi disabled. It just went into dead boot loop - only netinstall was working. I used update feature from Quick Set and the previous ROS loaded was 6.37.1.

I don't see (or I missed that) nothing about EoIP+IPSec bug fix forhttp://forum.mikrotik.com/viewtopic.php?f=2&t=116589&p=580377#p576524 but quickly testing it has been half-fixed - when local IP is changed it's also changed in IPSec policies.

p.s. Is there any way to safely upgrade large CAPsMAN network without great disturbance in services?

is there an update on the IPsec issue (see some posts above)?

every time responder size changes its IP adress and reconnect before the old dynamic policy is flushed, there is an invalid policy which prevent any communication.

every time responder size changes its IP adress and reconnect before the old dynamic policy is flushed, there is an invalid policy

Do you have DPD enabled?

Oh dear, it turned into one of those mornings. Upgraded device to 6.38.1 only to discover the problem with VLAN on a bridge interface not working, pushed onto 6.39rc20 where this all came right and must be fixed but now I'm finding a 4 port Ethernet switch trunk link between 2x CRS226-24G-2S+ devices will only work if only one of the 4 ports is enabled, the minute I enable port 2,3 or 4 the link goes down.

Is anyone else seeing similar problems?

Cheers, Dominic.

I have an hAP ac lite, after updating my ip system telephone stopped working.
I have Elastix distribution.

every time responder size changes its IP adress and reconnect before the old dynamic policy is flushed, there is an invalid policy

Do you have DPD enabled?

yes, Interval 5 max. failures 3. but it does not do anything. the old policy ist still there after 15 seconds and even after several minutes and does not get removed at all.

devices used: ccr1009 as responder (with aes-ctr and sha256 to avoid reordering problem) and RB3011, RB751G, hAP ac lite, hEX, two RB951G as initiator

Hi all
I have problem with 6.38.1 wireless connection between 2 RB.
1 ap bridge, 2 station bridge. Both connected but no traffic.
6.37.3 works OK.
BTW now 1. 6.37.3 & 2. 6.38.1 also works OK ????

I have problem with 6.38.1 wireless connection between 2 RB.
1 ap bridge, 2 station bridge. Both connected but no traffic.

I saw similar problem, There is a traffic, but can't connect via winbox to RB with station-bridge mode set and no response to ping.
Unfortunately I haven't free time to deeply investigate this .

Regards,

Please would Mikrotik consider a global bridge setting to restore previous per VLAN (R)STP configuration. We got Netgear to update firmware on M4300 switches to pass through STP as-is and were finally able to implement redundant routers where two sets of bridges could provide VLAN bridging. eg vlan14-vlan10 bridged to vlan20-vlan99

The STP changes may conform to a 2014 standard but break service provider redundancy services which is a real problem...

every time responder size changes its IP adress and reconnect before the old dynamic policy is flushed, there is an invalid policy

Do you have DPD enabled?

yes, Interval 5 max. failures 3. but it does not do anything. the old policy ist still there after 15 seconds and even after several minutes and does not get removed at all.

devices used: ccr1009 as responder (with aes-ctr and sha256 to avoid reordering problem) and RB3011, RB751G, hAP ac lite, hEX, two RB951G as initiator

I discovered that this:
ike1 - fixed ph1 rekey in setups with mode-cfg;
seems to be fixed for phase1.
but now the mode-cfg responder ip can get lost at phase2 rekey (not phase1 rekeay anymore).
it happend with quite a load on the interface, but not 100% load, cpu was almost idle at that time.
UPDATE:
when the problem occurs the dynamic allocated IP is lost on responder and therefore no traffic can flow. it seems to be possible to add a duplicated ip address on a dummy/loopback bridge to circumvent the problem for now, but this is clearly not intended behaviour
this does not solve the still present "invalid policy" problem
UPDATE2:
I opened a ticket for the "invalid policy" bug

please also fix this
thank you

Still having problems when on local bridge enabled rstp. After disabling rstp, everything works as it should. This was broken in release before this one.
Two Mikrotik routers connected to each other. When rstp is enabled, I can't ping the other Mikrotik.

Normally I am using just bugfix releases, but RSTP sounds very well, so I tried to upgrade one CRS112-8G-4S and enable RSTP. It is working on all ports except the ether6 - there is no forwarding nor learning, see the screenshot. Why? There is an old RB250GS 1.17 connected. It is not compatible? Newer RB260GS on ether8 is working fine.

Still having problems when on local bridge enabled rstp. After disabling rstp, everything works as it should. This was broken in release before this one.
Two Mikrotik routers connected to each other. When rstp is enabled, I can't ping the other Mikrotik.

I have the same problem, but I had short time to look using Wireshark what happens: bridge does not send Topology Change Notification BPDU, so both bridges think I'm root bridge and then disconnect the other bridge ("split brain")

I am not sure if it is related to this version, but I have problem with the LEDs. After reset they are all off. I use exported config to restore configuration (because I am teaching and students have various RB models) and there are these commands in export: The problem is that these commands are not working (error: no such item) and the only way to restore LEDs is manually set them using WinBox. Is the syntax in export wrong? Or is there a problem to set LED using commands? Tested on hAP and RB951Ui-2HnD.

I have no idea if this is related to the VLAN/Bridge/(r)stp troubles being reported, but I just discovered a bunch of instances of something interesting on my network.

A bunch of my VLAN interfaces had set on "Loop Protect" Send Interval of 00:00:00 and Disable Time of 00:00:00. Defaults are 00:00:05 and 00:05:00. I had to fix these settings before Winbox would allow me to make other changes.

6.38.3 version has been released:
http://forum.mikrotik.com/viewtopic.php?f=21&t=118642