A quick overview of my network. I have a main location at my home where I have a Watchguard XTM525 firewall. From here, I have three Sit to Site VPNs. One goes to a Watchguard 26w, another goes to a virtual pfSense firewall, and the third goes to a Mikrotik RB951G-2HnD (6.38.5). The VPNs to the 26w and the pfSense firewall I never have any issues with.
But the one to the Mikrotik, for reasons I haven't been able to figure out, randomly stops passing traffic, and the only way I can get it to pass traffic again is to go to IP > IPSec > Remote Peers, double click the peer and click 'Kill connections'. Once I do that, the tunnel is re-established and it passes traffic normally again.
I've looked over the config multiple times trying to figure out what I might be missing, but I haven't been able to find anything that stands out. Does anyone have any suggestions as to wha tI might be missing that would fix this issue?
Re: Site to Site IPSec VPN stops passing traffic
No one has any thoughts as to what is causing the VPN from the Mikrotik to stop passing traffic randomly until I kill the connections?
Re: Site to Site IPSec VPN stops passing traffic
It may be something about time outs, or 1 end kills the connection after some idle time.
When the connection is dead (but still shows connected on both sides), use packet sniffer to capture IPSec packets.
Also turn on logging for IPSec, maybe something useful will show in the logs.
I did this with Cisco to Mikrotik. There was a problem with the Cisco shutting down the IPSec tunnel but the Mikrotik wasn't releasing it's security associations. My solution was to use a script that would ping the Cisco ever 5 seconds. if the ping failed 3 times in a row, the script would kill peers and flush the SAs. For me this issue only happened once a day, nobody noticed the 20 seconds of downtime each day.
When the connection is dead (but still shows connected on both sides), use packet sniffer to capture IPSec packets.
Also turn on logging for IPSec, maybe something useful will show in the logs.
I did this with Cisco to Mikrotik. There was a problem with the Cisco shutting down the IPSec tunnel but the Mikrotik wasn't releasing it's security associations. My solution was to use a script that would ping the Cisco ever 5 seconds. if the ping failed 3 times in a row, the script would kill peers and flush the SAs. For me this issue only happened once a day, nobody noticed the 20 seconds of downtime each day.
Re: Site to Site IPSec VPN stops passing traffic
If you have PFS (perfect forward secrecy) enabled, try disable-ing it. Check all the timers lifetime for phase1 & phase2.
Another thing to try is to ping every 1-3 seconds through tunnel, from one side and from another, and see if the tunnel goes down, even if constantly passing traffic through tunnel.
Another thing to try is to ping every 1-3 seconds through tunnel, from one side and from another, and see if the tunnel goes down, even if constantly passing traffic through tunnel.
Who is online
Users browsing this forum: aboshhab and 21 guests