How to clean out Unreplied IPSEC connections
Posted: Mon Dec 11, 2006 12:14 pm
by ipdruide
Greeting to all,
I am facing IPSEC tunnel connections that sometimes show up as UNREPLIED in the connection list and sit there unreplied until the connection is manually deleted. I tried several tracking settings hoping that Unreplied connections would just time out, but I failed.
The timeout counter (as seen on winbox) decrements from 59 seconds down to 48-49 and is reset to 59 again, keeping the connection live forever, thus preventing a viable re-connection on the VPN tunnel from occurring.
I hope I was clear enough.
Kindest regards.
Silly question ?
Posted: Tue Dec 12, 2006 1:03 pm
by ipdruide
Posted: Tue Dec 12, 2006 7:52 pm
by changeip
is this the problem of 'ip ipsec installed-sa flush' ?
Sam
probably related
Posted: Tue Dec 12, 2006 8:10 pm
by ipdruide
Hi Sam,
I think they are related. To solve the problem I have already covered one step with a 1-line script that flushes the SAs if the remote network doesn't respond. But it wasn't enough, as I have noticed that from time to time the IPSEC connection is Unanswered for some reason, and until it is deleted, it sits there forever preventing a good connection from occurring. I thought maybe adjusting the timeouts would purge connections that have a U status after, say, 10 seconds.
Posted: Wed Dec 13, 2006 12:35 am
by changeip
I fought with ipsec for months and finally gave up on it. I don't know if it's a bug in RouterOS or just the way it works ... too shifty for me : ) Always having to reboot / flush / disable-enable...
Sam
Posted: Wed Dec 13, 2006 9:33 am
by cmit
I am running lots of IPsec tunnels between RouterOS machines now for a loooong time, and rarely ever have a problem with them. I think I only once needed to "do the flush" on a single tunnel.
The only other thing that got me some weeks ago was upgrading from 2.7.x to 2.9.34 - the IPsec config got so screwed up only a "system reset" would help...
Best regards,
Christian Meis
Posted: Wed Dec 13, 2006 10:24 am
by fatonk
With tunnels that you have problems with, you can configure in MANUAL, not in IKE mode; with manual you can avoid some dropping since phase 1 will not negotiate but is statically configured. I used to have a problem with some Multitech VPN Routers RF550 in IKE mode, but with MANUAL the problem was not occurring, so I hope this can help you.
Regards.
Faton
Last try of IPSEC
Posted: Wed Dec 13, 2006 7:13 pm
by ipdruide
Thank you guys for the feedback. Although I am in the same mood as Sam, since I have been facing the same trouble for 3 months, I want to give a last chance to IPSEC, at least on MT.
Fatonk, I am not sure where I can change the setting from IKE to manual. I've been searching (in winbox) all the menus, without any clue on where to change from IKE to manual. Do you mean manual SAs?
Cmit, do you use manual SAs?
Thanks again
Posted: Wed Dec 13, 2006 7:36 pm
by cmit
No manual SAs here, sorry. Everything running IKE established SAs, and no problems. Perhaps you could post your IPsec configs for us to check?
Best regards,
Christian Meis
Posted: Thu Dec 14, 2006 11:40 am
by ipdruide
Good day,
I tried manual SAs for one night and found the infamous Unreplied connection in the connection list display the next day. Deleting it manually led to a correct reconnection. Thus my thread title:
Is there a way to time out UNREPLIED connections? I tried all kinds of settings in the tracking setting but did not find my way. Deleting Unreplied connections after a time-out could help on other occasions and also would maintain a cleaner system.
I'll post my IPSEC setting as soon as I can.
Thanks.
Posted: Fri Dec 15, 2006 1:50 pm
by fatonk
Yes, that's right, I meant manual SAs.
Sorry that didn't work. Post your IPsec configuration, and maybe we will find something there. I have a lot of IKE IPsec between Mikrotik and also between Mikrotik and Cisco and have no problem like yours.
Regards
fixed ?
Posted: Mon Dec 18, 2006 1:24 pm
by ipdruide
Hello,
I haven't had either a disconnection of the tunnel or an Unreplied one for 3 days, still on manual mode. May the problem be fixed? I'll let you know.
Thank you all for your help.
Generic timeout set to 10 sec seems to solve the issue
Posted: Tue Jan 02, 2007 11:17 am
by ipdruide
Just to let you know where my experiments led me:
The IPSEC tunnels seem to be stable, or at least to reconnect themselves, since the Generic TimeOut was set to 10 seconds instead of the default value (10 minutes?) in the connection tracking. This setting seems to delete Unreplied connections after 10 seconds and thus allow new ones to occur.
I am not sure that this is the optimal solution, but it works.
Regards.
ultimate solution
Posted: Mon Jan 08, 2007 3:11 pm
by ipdruide
Sorry to post this twice. I had mistakenly posted it as a new thread...
Here is where it belongs.
Just in case some others may be facing the same issue. From experiment to experiment I ended up using a 2-line script that does it all:
Netwatch will run this script in the event of a tunnel failure:
/ip ipsec installed-sa flush
/ip firewall connection remove [find protocol 50]
It seems to be working too, without the need to tamper with tracking defaults.
Hope this helps a few.
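The following is an added example (not the thread author's configuration and not MikroTik's documentation) that wires the two-line cleanup above into a Netwatch probe, and also shows the generic-timeout change from the earlier post so the two approaches can be compared side by side. The host 192.0.2.1 (a device reached through the tunnel), the peer 203.0.113.10, the script name ipsec-cleanup, and the probe interval are assumed values; the peer-scoped find expression in the comment is an assumption as well.

```routeros
# Added example, not from the original thread. Assumed addresses:
# 192.0.2.1 = host behind the remote end of the tunnel (pinged by Netwatch),
# 203.0.113.10 = remote IPsec peer.

# Option A (earlier post in the thread): let stuck "U" (unreplied) entries age
# out on their own. Note this knob is global: it shortens tracking for every
# protocol that is not TCP/UDP/ICMP (ESP, AH, GRE, ...), not just IPsec.
/ip firewall connection tracking set generic-timeout=10s

# Option B (the two-line script): keep tracking defaults and react to a tunnel
# failure instead. The script flushes the installed SAs and drops the stale
# ESP (IP protocol 50) conntrack entries so IKE can negotiate a fresh tunnel.
/system script add name=ipsec-cleanup \
    source="/ip ipsec installed-sa flush; /ip firewall connection remove [find protocol=50]; :log warning \"ipsec-cleanup: flushed SAs and ESP conntrack entries\""

# Assumed variant (not on the page): limit the removal to one peer instead of
# every ESP connection on the router, e.g.
#   /ip firewall connection remove [find protocol=50 dst-address~"^203.0.113.10"]

# Netwatch pings the far side of the tunnel; when the host stops replying the
# down-script runs the cleanup, and the up-script just records the recovery.
/tool netwatch add host=192.0.2.1 interval=30s timeout=1s \
    down-script="/system script run ipsec-cleanup" \
    up-script=":log info \"tunnel to 192.0.2.1 is back up\""
```

Option A is the blunt instrument: it fixes the symptom for every tracked protocol at once, so check the log for unrelated flows being reset before leaving it in place. Option B only fires on a detected outage, but it clears every ESP entry on the router, which on a box carrying several tunnels briefly interrupts the healthy ones too; that is why the per-peer variant is worth considering once the basic version is confirmed to work.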
Re: How to clean out Unreplied IPSEC connections
Posted: Mon May 12, 2008 9:34 pm
by plucchetti
This solution works fine without NAT because in NAT schema netwatch can't ping with source address, right?
Pablo
Re: How to clean out Unreplied IPSEC connections
Posted: Tue Apr 17, 2012 12:32 am
by wifi442
Sorry for the thread revival. Today I had to reboot my core router (bad UPS, moved to another one). Once the router came back up I was having trouble with customers that use IPSEC. Everything else was perfect.
I had 4 separate customers who had tunnels that would not connect, pulled my hair out all day. After digging everywhere I found unreplied connections in tracker and terminated them and the tunnels all came back up. Anyone know what happened?
I don't have anything to do with the tunnels, they just traverse over my network (tunnels start on LAN side of cust CPE and traverse out to the internet).
I am running 5.11 on the core router in question (RB1100x2)
Any help would be appreciated!
Re: How to clean out Unreplied IPSEC connections
Posted: Wed Apr 18, 2012 4:57 pm
by wifi442
No one has had this happen? I now have a fear that if for some reason my core router needs to be rebooted, I have to torch all ipsec connections that customers have to verify they all came back up. If they haven't, off to connection tracking to try to manually kill the "U" Unreplied connections