v6.38.5 [current]

Wed Mar 08, 2017 2:36 pm

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

What's new in 6.38.5 (2017-Mar-09 11:32):
!) www - fixed http server vulnerability;

What's new in 6.38.4 (2017-Mar-08 09:26):
*) chr - fixed problem when transmit speed was reduced by interface queues;
*) dhcpv6-server - require "address-pool" to be specified;
*) export - do not show "read-only" IRQ entries;
*) filesystem - implemented procedures to verify and restore internal file structure integrity upon upgrading;
*) firewall - do not allow to set "time" parameter to 0s for "limit" option;
*) hotspot - fixed redirect to URL where escape characters are used (requires newly generated HTML files);
*) hotspot - show Host table commentaries also in Active tab and vice versa;
*) ike1 - fixed "xauth" Radius login;
*) ike2 - also kill IKEv2 connections on proposal change;
*) ike2 - always limit empty remote selector;
*) ike2 - fixed proposal change crash;
*) ike2 - fixed responder subsequent new child creation when PFS is used;
*) ike2 - fixed responder TS updating on wild match;
*) ipsec - deducted policy SA src/dst address from src/dst address;
*) ipsec - do not require "sa-dst-address" if "action=none" or "action=discard";
*) ipsec - fixed SA address check in policy lookup;
*) ipsec - hide SA address for transport policies;
*) ipsec - keep policy in kernel even with bad proposal;
*) ipsec - kill ph2 on policy removal;
*) ipsec - updated/fixed Radius attributes;
*) irq - properly detect all IRQ entries;
*) l2tp-client - fixed IPSec policy generation after reboot;
*) l2tp-client - require working IPSec encryption if "use-ipsec=yes";
*) lcd - show fan2 speed only if it is available;
*) profile - classify ethernet driver activity properly in ARM architecture;
*) snmp - added SSID to CAPsMAN registration table;
*) snmp - fixed "/tool snmp-get" crash on session timeout;
*) snmp - fixed CAPsMAN registration table OID print;
*) snmp - fixed situation when SNMP could not read "/system health" values after reboot;
*) userman - allow access to User Manager users page only through "/user" URL;
*) userman - show warning when no users are selected for CSV file generation;
*) winbox - do not hide "power-cycle-after" option;
*) winbox - hide advertise tab in Hotspot user profile configuration if "transparent-proxy" is not enabled;
*) winbox - make "power-cycle-interval" not to depend on "power-cycle-ping-enabled" in PoE settings;
*) winbox - properly show BGP communities in routing filters table filter;
*) wireless - fixed scan tool stuck in background;
*) wireless - improved compatibility with Intel 2200BG wireless card;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

tomraider · Wed Mar 08, 2017 3:39 pm

my problem is not solved !!!
in webfig scan-list is not possible to modify:
in winbox .. yes !!!

see images here:
with winbox: http://ge.tt/1Ld0sAj2
with webfig: http://ge.tt/4b2UsAj2
http://ge.tt/5vtRsAj2

in version 6.36: webfig: http://ge.tt/952esAj2

MartijnVdS · Wed Mar 08, 2017 3:47 pm

*) filesystem - implemented procedures to verify and restore internal file structure integrity upon upgrading;

Would this fix address issues like I've seen on upgrade to 6.38.3?

I've had several devices get stuck in a strange mode after upgrading to 6.38.3, where ssh didn't work, "webfig" showed "RouterOS v" (no version number) and the upgrade seemed to be in some half-failed state. In this state, System/Packages showed only the newly downloaded version, but in a "disabled" or "uninstalled" state.

Rebooting from a second partition with a slightly older RouterOS version on it and then upgrading again would make the devices work.

irghost · Wed Mar 08, 2017 4:13 pm

*) dhcpv6-server - require "address-pool" to be specified;

what? DHCPv6 in mikrotik? Or DHCPv6-PD??

csi · Wed Mar 08, 2017 4:42 pm

Hi,

till 6.38.3 it was possible to get a list if connected clients from CapsMan registration table via SNMP. With 6.38.4 the list is not longer available:

snmpwalk -v2c -c public 192.168.88.1 1.3.6.1.4.1.14988.1.1.1.5.1.1
iso.3.6.1.4.1.14988.1.1.1.5.1.1 = No Such Instance currently exists at this OID

Is this an issue or will the list no longer available. I prefer the first option of course, because I need the list

Many thanks in advanced.

omega-00 · Wed Mar 08, 2017 5:31 pm

I strongly believe this update was released now in response to the CIA Vault 7 / Wikileaks leak that became known yesterday.

I expect we may have a further update from Mikrotik has more info about the tools used when Wikileaks makes them available for analysis but kudos to them for the fast turnaround on getting something pushed out to address this.

iancaling · Wed Mar 08, 2017 6:35 pm

I strongly believe this update was released now in response to the CIA Vault 7 / Wikileaks leak that became known yesterday.

I expect we may have a further update from Mikrotik has more info about the tools used when Wikileaks makes them available for analysis but kudos to them for the fast turnaround on getting something pushed out to address this.

Can we please get confirmation on this? I'd like to get our equipment updated as soon as possible, or at least have a way to mitigate the CIA's exploit before it gets publicly released. People are speculating that disabling the HTTP server (port 80) will fix it, but I'd like to have an official annoucement.

omega-00 · Wed Mar 08, 2017 6:39 pm

viewtopic.php?f=21&t=119308&p=587512#p587512

We will continue to strengthen RouterOS services and have already released RouterOS version 6.38.4 which removes any malicious files in devices that have been compromised

There's more info in the official post basically reiterating the same thing - ensure publicly available interfaces are locked down, as more information becomes available MikroTik will post an update.

lexell · Thu Mar 09, 2017 1:40 am

IPsec Xauth PSK NAT-T roadwarrior config (the Android-compatible one) still seems to be broken (since v6.38), phase 2 fails. Also tried on 6.38.3, 6.38.4 and 6.39rc45, same results.
Reverting to v6.37.4 (or 6.37.3 or older) removes the problem. No changes are done to the configuration.

mar/09 00:15:55 ipsec,info respond new phase 1 (Identity Protection): y.y.y.y[500]<=>x.x.x.x[29243] 
mar/09 00:15:55 ipsec,info ISAKMP-SA established y.y.y.y[4500]-x.x.x.x[24396] spi:c8dc4a12a919f674:041afe17fc36e624 
mar/09 00:15:55 ipsec,info XAuth login succeeded for user: ipsecuser
mar/09 00:15:55 ipsec,info acquired y.y.z.z address for x.x.x.x[24396] 
mar/09 00:15:56 ipsec,error x.x.x.x failed to pre-process ph2 packet. 
mar/09 00:15:59 ipsec,error x.x.x.x peer sent packet for dead phase2 
mar/09 00:16:02 ipsec,error x.x.x.x peer sent packet for dead phase2 
mar/09 00:16:05 ipsec,error x.x.x.x peer sent packet for dead phase2 
mar/09 00:16:08 ipsec,error x.x.x.x peer sent packet for dead phase2 
mar/09 00:16:11 ipsec,error x.x.x.x peer sent packet for dead phase2 
mar/09 00:16:14 ipsec,error x.x.x.x peer sent packet for dead phase2 
mar/09 00:16:17 ipsec,error x.x.x.x peer sent packet for dead phase2 
mar/09 00:16:20 ipsec,error x.x.x.x peer sent packet for dead phase2 
mar/09 00:16:23 ipsec,error x.x.x.x peer sent packet for dead phase2 
mar/09 00:18:20 ipsec,info purging ISAKMP-SA y.y.y.y[4500]<=>x.x.x.x[24396] spi=c8dc4a12a919f674:041afe17fc36e624:fefba073. 
mar/09 00:18:21 ipsec,info ISAKMP-SA deleted y.y.y.y[4500]-x.x.x.x[24396] spi:c8dc4a12a919f674:041afe17fc36e624 rekey:1

The same issue was already reported by GioMac in the v6.38 thread (I haven't noticed any reply or acknowledgement):
viewtopic.php?t=116354#p575566

Does v6.38+ need some configuration changes for this type of IPsec setup or is this a bug?

athurdent · Thu Mar 09, 2017 11:42 am

DFS is still broken in Germany.

mrz · Thu Mar 09, 2017 12:26 pm

IPsec Xauth PSK NAT-T roadwarrior config (the Android-compatible one) still seems to be broken (since v6.38), phase 2 fails. Also tried on 6.38.3, 6.38.4 and 6.39rc45, same results.
Reverting to v6.37.4 (or 6.37.3 or older) removes the problem. No changes are done to the configuration.

mar/09 00:15:55 ipsec,info respond new phase 1 (Identity Protection): y.y.y.y[500]<=>x.x.x.x[29243] 
mar/09 00:15:55 ipsec,info ISAKMP-SA established y.y.y.y[4500]-x.x.x.x[24396] spi:c8dc4a12a919f674:041afe17fc36e624 
mar/09 00:15:55 ipsec,info XAuth login succeeded for user: ipsecuser
mar/09 00:15:55 ipsec,info acquired y.y.z.z address for x.x.x.x[24396] 
mar/09 00:15:56 ipsec,error x.x.x.x failed to pre-process ph2 packet. 
mar/09 00:15:59 ipsec,error x.x.x.x peer sent packet for dead phase2 
mar/09 00:16:02 ipsec,error x.x.x.x peer sent packet for dead phase2 
mar/09 00:16:05 ipsec,error x.x.x.x peer sent packet for dead phase2 
mar/09 00:16:08 ipsec,error x.x.x.x peer sent packet for dead phase2 
mar/09 00:16:11 ipsec,error x.x.x.x peer sent packet for dead phase2 
mar/09 00:16:14 ipsec,error x.x.x.x peer sent packet for dead phase2 
mar/09 00:16:17 ipsec,error x.x.x.x peer sent packet for dead phase2 
mar/09 00:16:20 ipsec,error x.x.x.x peer sent packet for dead phase2 
mar/09 00:16:23 ipsec,error x.x.x.x peer sent packet for dead phase2 
mar/09 00:18:20 ipsec,info purging ISAKMP-SA y.y.y.y[4500]<=>x.x.x.x[24396] spi=c8dc4a12a919f674:041afe17fc36e624:fefba073. 
mar/09 00:18:21 ipsec,info ISAKMP-SA deleted y.y.y.y[4500]-x.x.x.x[24396] spi:c8dc4a12a919f674:041afe17fc36e624 rekey:1

The same issue was already reported by GioMac in the v6.38 thread (I haven't noticed any reply or acknowledgement):
viewtopic.php?t=116354#p575566

Does v6.38+ need some configuration changes for this type of IPsec setup or is this a bug?

Enable ipsec debug logs, generate supout file and send it to support. If you encounter a bug contact directly support, forum is not the right way to report bugs.

Thu Mar 09, 2017 2:39 pm

Original Topic updated :

What's new in 6.38.5 (2017-Mar-09 11:32):
!) www - fixed http server vulnerability;

andrei · Thu Mar 09, 2017 2:49 pm

RSTP on bridges still blocking traffic.
Two RB951g connected with VLANs declared on bridges. Traffic doesn't pass while RSTP is enabled.
If it is disabled everything is fine. Going back to 6.37.4 bugfix fixes the issue. So, what is the problem?
Can anyone clear this issue? This started with 6.38. I know changes have been made regarding RSTP in 6.38
but the routers used all have the same ROS version.

anuser · Thu Mar 09, 2017 10:11 pm

So, I upgraded to 6.38.5. CAPSMAN log gives me this:

sid5632 · Fri Mar 10, 2017 9:25 am

I've updated four 951 routers with 6.38.5. Three of these had no problems, but the fourth went to a CPU load averaging 85% for no obvious (to me) reason.
It was like this from restart after upgrade until I discovered it 6 hours later. Rebooting it again fixed the problem.

Mazutti · Fri Mar 10, 2017 9:34 am

Upgraded hEX-Gr3, RB2011UiAS-2HnD, couple of hAP lites, couple of hAP AC lites, mAP-2n, RB951G, couple of mAP lites and a wAP. So far no problems.

On hEX I've experienced something strange, but not only in this version, and sometimes PPPoE client would come up "dead" after upgrade, and I have to disable it for a while and re-enable for it to work. Next time will generate supout and send to support. Anyone seen this on this device?

Wyz4k · Fri Mar 10, 2017 10:24 am

Edit: Scratch that.

virtman · Fri Mar 10, 2017 1:40 pm

Hi,

WARNING: Don't upgrade to this version (v.6.38.5) if you use CHRs !!!!!!

All my licensed instances after the upgrade when boot:

Loading system with initrd


XZ-compressed data is corrupt

 -- System halted_

I check with a fresh install of CHR in free mode... and after the upgrade... the same message.
DON'T UPGARDE!!!!

I hope the Mikrotik team first checks the CHR upgrades! This isn't professional

Fri Mar 10, 2017 1:44 pm

virtman - We test also CHR before release. This is something specific in your case. Please write to support@mikrotik.com and describe problem and CHR.

virtman · Fri Mar 10, 2017 1:57 pm

virtman - We test also CHR before release. This is something specific in your case. Please write to support@mikrotik.com and describe problem and CHR.

I think so, however this is common problem, not specific to my case: check it... install a fresh 6.38.3 CHR in ESXi 6.5... then update to 6.38.5... boom!
Are you sure that this isn't a common problem?

poisons · Fri Mar 10, 2017 6:11 pm

Strange situation. Today i try to update my CCR1009-8G-1S. Some info

 
 system resource print           
             uptime: 17m2s
            version: 6.38.5 (stable)

 system routerboard print 
                ;;; Current RouterBOOT does not support this feature
       routerboard: yes
             model: CCR1009-8G-1S
     serial-number: 
     firmware-type: tilegx
  factory-firmware: 3.22
  current-firmware: 3.33
  upgrade-firmware: 3.33

and i trying enable secure boot, but i get error

18:09:17 echo: system,info,critical Current RouterBOOT does not support this feature

My colleague stay on older version ROS 6.37.3 and he can enable protected boot. Bugs in new firmware or i do something wrong?

Wolfgang · Fri Mar 10, 2017 6:20 pm

RSTP on bridges still blocking traffic.
Two RB951g connected with VLANs declared on bridges. Traffic doesn't pass while RSTP is enabled.
If it is disabled everything is fine. Going back to 6.37.4 bugfix fixes the issue. So, what is the problem?
Can anyone clear this issue? This started with 6.38. I know changes have been made regarding RSTP in 6.38
but the routers used all have the same ROS version.

Hi,

I have the same problem with one of my RB1100AHx2 and VLANs. Started after the upgrade to 6.38.5. No problem on other routers with similar configuration

Fri Mar 10, 2017 6:50 pm

i trying enable secure boot, but i get error

Your device is too old (i.e. it was manufactured before the protected RouterBOOT feature was introduced). If you absolutely need this feature, you will have to update the backup RouterBOOT, which is dangerous (may irrecoverably brick your device if anything goes wrong). You can find more info and the links to a special update packages here.

poisons · Fri Mar 10, 2017 7:36 pm

Your device is too old (i.e. it was manufactured before the protected RouterBOOT feature was introduced). If you absolutely need this feature, you will have to update the backup RouterBOOT, which is dangerous (may irrecoverably brick your device if anything goes wrong). You can find more info and the links to a special update packages here.

Before i do something i usually read carefully instruction)))
So, what i do
1) Upgrade ROS to current version
2) Download http://www.mikrotik.com/download/share/ ... 3_tile.dpk and drag'n'drop to file section this file to my routerboard
3) reboot my RB by command /system reboot
4) In logs i don't see any errors, file disappear from file section in winbox.

Forgot to write - it did not help me ((

mikezsin · Sat Mar 11, 2017 2:10 pm

*) ipsec - deducted policy SA src/dst address from src/dst address;

and ipsec stops work, cause peer tries to connect from bridge's ip. (instead of 0.0.0.0)

mpadmin · Sat Mar 11, 2017 11:39 pm

I have no problem with most of my devices, but have port flapping with one specific configuration.

In this configuration I use 3 devices - two 951Ui-2nD and one 750 r2. The 750 r2 is powered by PoE from one of the 951Ui-2nD. The 750 r2 uses 3 ports as master/slave, one port for ISP, two to the two 951Ui-2nD.

All three devices act as independent routers, the 951Ui-2nD have two master/slave ports connected to 750 r2 and IPTV box. I use this because of the two IPTV boxes connected to the 951Ui-2nD that must go to the ISP directly.

This configuration works fine, but after update to 6.38.5 devices starts to do port flapping with ports that connects devices (not the ISP or IPTV port). I reboot them several times but it starts again and again – I see this in log in 750 r2. The STP settings is set to none on all devices.
But then I see something very strange – when I logon with Winbox to the 951Ui-2nD port flapping stops! When I logout – it starts again…

I have no time to do better research and downgraded devices to 6.38 and now there are no port flapping.

Sun Mar 12, 2017 7:33 am

Switch rstp off. Or upgrade all routers to the same Ros version.

mpadmin · Sun Mar 12, 2017 1:22 pm

Switch rstp off. Or upgrade all routers to the same Ros version.

Thank you for this, but as I say RSTP is off on all devices and I upgrade all devices to the lastest version.

Atnevon · Mon Mar 13, 2017 12:06 am

For some reason when we upgraded from 6.38.3 to 6.38.5 on our CCR, it seems to have blanked the config of The Dude completely. All of our network maps and devices are gone.

Starting over isn't going to be the end of the world, but it would be a lot easier if we don't have to. If anyone has any good suggestions, I'm all ears.

miharoot · Mon Mar 13, 2017 3:27 pm

I am updated 2011UAS-2HnD from version 6.34.6 with wireless-cm2 package to 6.38.5.
And i have a problem - old android 2.3.6 phone Lenovo can't connect through wifi, connect\disconnect in one second,
but in 6.34.6 it works good.
When I try to new connect with WDS i see in log:

wireless,info wlan1: WPS virtual button pushed
wireless,debug wlan1: 00:12:FE:AF:35:59 attempts to associate
wireless,info wlan1: WPS association from 00:12:FE:AF:35:59
wireless,debug wlan1: 00:12:FE:AF:35:59 not in local ACL, by default accept
wireless,info 00:12:FE:AF:35:59@wlan1: connected
wireless,info wlan1: WPS of 00:12:FE:AF:35:59 started, associated
wireless,debug wlan1: 00:12:FE:AF:35:59 attempts to associate
wireless,info 00:12:FE:AF:35:59@wlan1: reassociating
wireless,info wlan1: WPS of 00:12:FE:AF:35:59 interrupted
wireless,info 00:12:FE:AF:35:59@wlan1: disconnected, ok
wireless,info wlan1: WPS association from 00:12:FE:AF:35:59
wireless,debug wlan1: 00:12:FE:AF:35:59 not in local ACL, by default accept
wireless,info 00:12:FE:AF:35:59@wlan1: connected
wireless,info wlan1: WPS of 00:12:FE:AF:35:59 started, associated
wireless,debug wlan1: 00:12:FE:AF:35:59 attempts to associate
wireless,info 00:12:FE:AF:35:59@wlan1: reassociating
wireless,info wlan1: WPS of 00:12:FE:AF:35:59 interrupted
wireless,info 00:12:FE:AF:35:59@wlan1: disconnected, ok
wireless,info wlan1: WPS association from 00:12:FE:AF:35:59
wireless,debug wlan1: 00:12:FE:AF:35:59 not in local ACL, by default accept
wireless,info 00:12:FE:AF:35:59@wlan1: connected
wireless,info wlan1: WPS of 00:12:FE:AF:35:59 started, associated
wireless,debug wlan1: 00:12:FE:AF:35:59 attempts to associate
wireless,info 00:12:FE:AF:35:59@wlan1: reassociating
wireless,info wlan1: WPS of 00:12:FE:AF:35:59 interrupted
wireless,info 00:12:FE:AF:35:59@wlan1: disconnected, ok

At the same time android 4.4.4 phone connect well.

I am fed and downgraded to 6.34.6

Deantwo · Tue Mar 14, 2017 9:50 am

Shouldn't these log messages be part of debug topic?

12:59:22 ipsec receive Information. 
12:59:22 ipsec xxx.xxx.xxx.xxx notify: R_U_THERE 
12:59:22 ipsec sendto Information notify. 
12:59:22 ipsec sendto Information notify. 
12:59:22 ipsec receive Information. 
12:59:22 ipsec xxx.xxx.xxx.xxx notify: R_U_THERE_ACK 
12:59:42 ipsec receive Information. 
12:59:42 ipsec xxx.xxx.xxx.xxx notify: R_U_THERE 
12:59:42 ipsec sendto Information notify. 
12:59:42 ipsec sendto Information notify. 
12:59:42 ipsec receive Information. 
12:59:42 ipsec xxx.xxx.xxx.xxx notify: R_U_THERE_ACK 
13:00:02 ipsec receive Information. 
13:00:02 ipsec xxx.xxx.xxx.xxx notify: R_U_THERE 
13:00:02 ipsec sendto Information notify. 
13:00:02 ipsec sendto Information notify. 
13:00:02 ipsec receive Information. 
13:00:02 ipsec xxx.xxx.xxx.xxx notify: R_U_THERE_ACK 
13:00:22 ipsec receive Information. 
13:00:22 ipsec xxx.xxx.xxx.xxx notify: R_U_THERE 
13:00:22 ipsec sendto Information notify. 
13:00:22 ipsec sendto Information notify. 
13:00:22 ipsec receive Information. 
13:00:22 ipsec xxx.xxx.xxx.xxx notify: R_U_THERE_ACK 
13:00:42 ipsec receive Information. 
13:00:42 ipsec xxx.xxx.xxx.xxx notify: R_U_THERE 
13:00:42 ipsec sendto Information notify. 
13:00:42 ipsec sendto Information notify. 
13:00:42 ipsec receive Information. 
13:00:42 ipsec xxx.xxx.xxx.xxx notify: R_U_THERE_ACK 
13:01:02 ipsec receive Information. 
13:01:02 ipsec xxx.xxx.xxx.xxx notify: R_U_THERE 
13:01:02 ipsec sendto Information notify. 
13:01:02 ipsec sendto Information notify. 
13:01:02 ipsec receive Information. 
13:01:02 ipsec xxx.xxx.xxx.xxx notify: R_U_THERE_ACK 
13:01:22 ipsec receive Information. 
13:01:22 ipsec xxx.xxx.xxx.xxx notify: R_U_THERE 
13:01:22 ipsec sendto Information notify. 
13:01:22 ipsec sendto Information notify. 
13:01:22 ipsec receive Information. 
13:01:22 ipsec xxx.xxx.xxx.xxx notify: R_U_THERE_ACK 
13:01:42 ipsec receive Information. 
13:01:42 ipsec xxx.xxx.xxx.xxx notify: R_U_THERE 
13:01:42 ipsec sendto Information notify. 
13:01:42 ipsec sendto Information notify. 
13:01:42 ipsec receive Information. 
13:01:42 ipsec xxx.xxx.xxx.xxx notify: R_U_THERE_ACK 
13:02:02 ipsec receive Information. 
13:02:02 ipsec xxx.xxx.xxx.xxx notify: R_U_THERE 
13:02:02 ipsec sendto Information notify. 
13:02:02 ipsec sendto Information notify. 
13:02:02 ipsec receive Information. 
13:02:02 ipsec xxx.xxx.xxx.xxx notify: R_U_THERE_ACK 
13:02:22 ipsec receive Information. 
13:02:22 ipsec xxx.xxx.xxx.xxx notify: R_U_THERE 
13:02:22 ipsec sendto Information notify. 
13:02:22 ipsec sendto Information notify. 
13:02:22 ipsec receive Information. 
13:02:22 ipsec xxx.xxx.xxx.xxx notify: R_U_THERE_ACK 
13:02:42 ipsec receive Information. 
13:02:42 ipsec xxx.xxx.xxx.xxx notify: R_U_THERE 
13:02:42 ipsec sendto Information notify. 
13:02:42 ipsec sendto Information notify. 
13:02:42 ipsec receive Information. 
13:02:42 ipsec xxx.xxx.xxx.xxx notify: R_U_THERE_ACK 
13:03:02 ipsec receive Information. 
13:03:02 ipsec xxx.xxx.xxx.xxx notify: R_U_THERE 
13:03:02 ipsec sendto Information notify. 
13:03:02 ipsec sendto Information notify. 
13:03:03 ipsec receive Information. 
13:03:03 ipsec xxx.xxx.xxx.xxx notify: R_U_THERE_ACK 
13:03:22 ipsec receive Information. 
13:03:22 ipsec xxx.xxx.xxx.xxx notify: R_U_THERE 
13:03:22 ipsec sendto Information notify. 
13:03:23 ipsec sendto Information notify. 
13:03:23 ipsec receive Information. 
13:03:23 ipsec xxx.xxx.xxx.xxx notify: R_U_THERE_ACK

dgcapel · Tue Mar 14, 2017 10:59 am

I detected a poor WiFi speed with CAPsMAN with this configuration: CCR1009 + 2x hAP AC + iPhone 6S Client. Speed : 20 Mbps (unstable). All devices with 6.38.5.
Return to the bug fix release (6.37.5) and the problem fix it. Speed: 60 Mbps (stable)

Mazutti · Wed Mar 15, 2017 6:00 am

Anyone else seeing NTP Client / Server problems? Can´t get my Mikrotiks to sync with public or mikrotik server, happening appearently since I upgraded to 6.38.5.

Anyway, happening on mmips, smips and mipsbe.

kamillo · Wed Mar 15, 2017 11:43 am

I have NTP package installed on CRS125 and it is working OK:

          enabled: yes
             mode: unicast
      primary-ntp: 91.189.91.157
    secondary-ntp: 91.189.89.198
  dynamic-servers:
           status: synchronized

Mazutti · Wed Mar 15, 2017 5:13 pm

Thanks for checking it out. Turns out that my primary server wasn't working, and for some reason it would not use the secondary.

Sorry for the false alarm.

Note · Tue Mar 21, 2017 10:34 am

So, I upgraded to 6.38.5. CAPSMAN log gives me this:

same issue here, log is full of that but under wlan1. RB951G

resetsa · Sat Mar 25, 2017 12:46 pm

After update from 6.37 broken ipsec throw nat, when mikrotik a client (no phase 2).
In 6.39rc also have this problem.

HarBenly · Tue Mar 28, 2017 11:29 am

I am running v6.38.5! Thanks for sharing this.

honzam · Thu Mar 30, 2017 7:28 pm

New vulnerability?
http://cve.mitre.org/cgi-bin/cvename.cg ... -2017-7285

kevintitus81 · Fri Mar 31, 2017 5:22 pm

^^^ I saw that last night and figured I would come and share...just to help raise some awareness to the issue.

https://www.exploit-db.com/exploits/41752/

Latest DOS exploit for 6.38.5, looks like it only effects the winbox port 8291. So if you can drop outside input traffic to that port maybe will prevent an attack.

Regards,
Kevin Titus
MTCNA /Sophos
kevintitus81@gmail.com

105547111 · Fri Mar 31, 2017 7:45 pm

The RC's stuck on 6.39rc58 for 3 days now smells of 6.39 final soon.

BUT I bet with MUM on no updates to next week to this 6.38.5 floor

Sad....

j_shirazi · Sun Apr 02, 2017 5:57 pm

virtman - We test also CHR before release. This is something specific in your case. Please write to support@mikrotik.com and describe problem and CHR.

Hi,

I agree with virtman, it is a common problem and happened to me on ESXi 6.0 too, but it works fine on VMware Workstation.
Please test it not only on workstation version of VMware but also ESXi.

Regards
j_shirazi

xtsoler · Sun Apr 02, 2017 10:29 pm

After upgrading to 6.38.5 I'm having issues with capsman. The capsman manager also has a local wifi interface which registers as cap client. When enabled, any wifi clients that connect to that wifi cannot properly use the network. I can't even log into winbox. The problem appeared after the upgrade. Anyone else getting similar issues?

**I downgraded to 6.37.5 (RB433AH) and the problem went away. Please note that my second caps client is still on 6.38.5 (RB951-2n) and no issues occur.

STEPHANVS · Mon Apr 03, 2017 11:40 am

I don't know where and what was introduced/changed, but Skype calls fail with this version. On 6.29.1 it works.

felted67 · Mon Apr 03, 2017 3:31 pm

Hi everyone,

anybody here who has problems with CAPsMAN in v6.38.5 ?

When adding new interfaces in CAPsMAN, there is a "zero"-mac entry.
Or perhaps I am some kind of faulty in configuring ?
When adding a new Caps-Interface the MAC (not the radio-MAC) was
added correctly (not only "0"s) in the past.

Thanks & Greetz from Germany.....

Detlef

HarBenly · Wed Apr 05, 2017 2:45 pm

Can the user manager of Mikrotik needs manual update or it can be done automatically?

Note · Fri Apr 07, 2017 10:54 am

I have some simple queues.

Im facing an issue when im trying to change in "total" tab the total queue type from everything else to default small. Then in total statistic tab, all counters stuck to last state there were and do not respond until i change again the total queue type to something else (default, red, e.t.c). I cant even reset. Nothing work. All counters stuck to the last values before change. In statistics tab everything still work. It only happens in "total statistic tab". Im facing that issue also in another RB with latest bugfix firm on. i do not know if im doing something wrong......

Chupaka · Fri Apr 07, 2017 2:31 pm

https://wiki.mikrotik.com/wiki/Manual:Q ... ple_Queues

One configuration item in /queue simple' can create from 0 to 3 separate queues - one queue in global-in, one queue in global-out and one queue in global-total. If all properties of a queue have default values (no set limits, queue type is default), and queue has no children, then it is not actually created. This way, for example, creation of global-total queues can be avoided if only upload/download limitation is used.

So if all parameters on this tab are default ones (default-small and no max-limit), 'Total' queue is actually not being installed. No queue - no statistics.

Note · Sat Apr 08, 2017 12:22 pm

but i have limits in queues. I shape via PCQ

Chupaka · Sun Apr 09, 2017 10:22 pm

but i have limits in queues. I shape via PCQ

are those limits in 'total' part, or 'download/upload' only? for the latter, two queues (up and down) are being created, third queue (total) is not

johnm · Mon Apr 10, 2017 10:57 pm

Hi
I have 2 problems whit new soft.
1. I update my CCR1009-8g-1s to last ver and now i have problem whit log in from Winbox. MT work about 23h and now i no log in, restart fix this problem to next about 23h and problem go back. I have install in this router Dude server maybe this is broble?\
When Winbox no work no work too The dude client.
I can log in router via ssh - this connections is ok

ooo now testing and whet disable dude server winbox go back:)

2. No work NTP server and client. I try telnet to 123 port but no response.

lazystone · Wed Apr 12, 2017 7:50 pm

5GHZ does not work for me - "detecting RADAR".
The same on v6.38.3.

v6.38.1 seems to work though.

P.S. Country: Sweden

MartijnVdS · Thu Apr 13, 2017 10:16 am

5GHZ does not work for me - "detecting RADAR".
The same on v6.38.3.

v6.38.1 seems to work though.

P.S. Country: Sweden

Radar detection is required on some frequencies. Some require just a minute of scanning, others 10 minutes. If no radar is found the AP will go into "running - AP" mode.

rextended · Fri Apr 14, 2017 6:20 pm

Your device is too old (i.e. it was manufactured before the protected RouterBOOT feature was introduced). If you absolutely need this feature, you will have to update the backup RouterBOOT, which is dangerous (may irrecoverably brick your device if anything goes wrong). You can find more info and the links to a special update packages here.
Before i do something i usually read carefully instruction)))
So, what i do
1) Upgrade ROS to current version
2) Download http://www.mikrotik.com/download/share/ ... 3_tile.dpk and drag'n'drop to file section this file to my routerboard
3) reboot my RB by command /system reboot
4) In logs i don't see any errors, file disappear from file section in winbox.

Forgot to write - it did not help me ((

viewtopic.php?f=2&t=94303&p=580437&hili ... ot#p580430

vainkop · Sun Apr 16, 2017 5:47 pm

After upgrade from 6.37.5 to 6.38.5 l2tp ipsec stopped working for all clients with "failed to pre-process ph2 packet".
pptp keeps working fine.
Downgraded to 6.37.5

Problem solved / update:
Solution google translate from here: http://bozza.ru/art-247.html

The default policy glitch on the mikrotik

With absolutely correct settings for the L2TP / IPSec connection on the client (for example, Windows 7) and on the server (Mikrotik), you can not establish a VPN connection. In this case, the message "failed to pre-process ph2 packet" goes to the Mikrotik log, and the error on the Windows 7 client is 789: the L2TP connection attempt failed because of an error that occurred at the security level ... This problem can occur on Firmware up to the last stable at the current time (6.30).

Solution: delete the default group in the IP - IPSec - Groups menu, create a new one and specify it in IP - IPSec - Peers in the Policy Template Group field.

According to Hopy, another solution to the problem with groups may be the execution of this command after re-creating the group:

ip ipsec peer set 0 policy-template-group =*FFFFFFFF

Perhaps this is a legacy from the old configurations, there is no exact answer, but nevertheless, this is an option. By the way, it is possible for this reason (and similar) that you should still perform a complete reset of the device before the initial setup. But this is not a requirement, that's for sure.

tawhwat · Tue Apr 18, 2017 5:12 am

I just found two problems in the Webfig interface:
(1) All date information in the time related field is wrong dramatically, e.g. the up time of an interface may show

Last Link Down Time		Aug/24/2019 15:48:17
Last Link Up Time		Aug/24/2019 15:57:16

while the current time is:

Time 10:06:17
Date	 Apr/18/2017

Affected Model: hEX (MMIPS)

2. The drill down configuration page for each entry under "/interface bridge filter" is gone, When I click an entry, only a blank page is displayed. The only workaround is to use the CLI.
Affected Model: hEX (MMIPS), x86

Hope they can be fixed in next release

Tue Apr 18, 2017 11:06 am

tawhwat - First issue is already resolved in 6.39rc version. Second issue is now reported and will be fixed as soon as possible.

ditonet · Tue Apr 18, 2017 12:24 pm

Address list entry creation time bug ( described here: viewtopic.php?f=21&t=116951&p=579862#p579862) still exists.
It is also not fixed in 6.39rc72.

Regards,

Tue Apr 18, 2017 1:36 pm

ditonet - Yes, it is not fixed yet. When it will be fixed, then that will be mentioned in changelog.

ditonet · Tue Apr 18, 2017 1:42 pm

OK, thanks.

Regards,

k.untner · Mon Apr 24, 2017 10:57 pm

Anyone seen that Vulnerability? :
http://www.cvedetails.com/cve/CVE-2017-7285/

My RB751G-2HnD gave up on last Saturday. No Packets out from any Port anymore - It ran RouterOS v6.38.5 MIPsBE. Only Netinstall helped, to get it working again ...
Should i downgrade to 6.37.5 to get safe at the moment?
regards, Klemens

Tue Apr 25, 2017 12:06 am

viewtopic.php?t=120270

danielcomcom · Tue Apr 25, 2017 11:03 am

Anyone else having an issue with dropped packets lasting for about 30 seconds every few hours?
Both sides of the Mikrotik can ping it while this is happening, just not passing through the mikrotik. Just configured as a simple bridge. Emailed support several times never got a response yet.

Tue Apr 25, 2017 2:19 pm

Anyone seen that Vulnerability? :
http://www.cvedetails.com/cve/CVE-2017-7285/

My RB751G-2HnD gave up on last Saturday. No Packets out from any Port anymore - It ran RouterOS v6.38.5 MIPsBE. Only Netinstall helped, to get it working again ...
Should i downgrade to 6.37.5 to get safe at the moment?
regards, Klemens

It is not a vulnerability. It is the given devices inability to handle the traffic that your ISP can provide. I suggest to choose a better router for your high speed line. There is no specific version or hardware here. All internet connected devices "suffer" from this. It is simple exhaustion of resources when too much traffic is sent to a public port. Even version 6.34 or older has always acted in the same way. Your issues is most likely unrelated.

felted67 · Tue Apr 25, 2017 9:11 pm

Hi everyone,

perhaps an offtopic question here:

Has the connection tracking time value influence on the "NAT - keep alive"-value ?
Or is there a special switch to set the "NAT - keep alive"-value ?

I am suffering some problems with the "old" problem VoIP/SIP on natted udp connections.

How long last the NAT-translation entries ?
Is there a hardcoded value or is it controlable ?

Thanks & Greetz from Germany

Cheers.......Detlef

kuzma2000 · Thu Apr 27, 2017 1:12 am

Hi
I have a problem witch email notifications in version 6.38.5.

I specify the server address, login and password in Notification.
But Dude does not use these settings.
Here is the log from the mail server:
"SMTPD" 2456 92655 "2017-04-27 00: 00: 07.656" "172.x.x.x" "SENT: 220 mail.test.kiev.ua ESMTP"
"SMTPD" 2456 92655 "2017-04-27 00: 00: 07.662" "172.x.x.x" "RECEIVED: EHLO admin"
"SMTPD" 2456 92655 "2017-04-27 00: 00: 07.662" "172.x.x.x" "SENT: 250-mail.test.kiev.ua [nl] 250-SIZE 20480000 [nl] 250-AUTH LOGIN [Nl] 250 HELP "
After that, the connection is exceeded.
I think, that Dude use only default settings by SMTP connections.

Is this a bug in version 6.38.5?

Fri Apr 28, 2017 3:55 pm

Version 6.39 has been released in current channel:
viewtopic.php?f=21&t=121196

Who is online