IPsec configuration storage(?) failure after upgrade (to 45beta19?) on RB3011
Posted: Sun Apr 14, 2019 5:52 pm
I'm running beta branch of v6 ROS on RB3011 (and other arm and mipsbe routers, on which I haven't observed the following failure).
After an upgrade (I assume to 45beta19, but I'm not sure) a couple of weeks ago all IKE2 links went down, and I was unable to establish L2TP/IPsec connection to router (it's a normal way to access management network in my config).
I've rebooted the router via LCD, no changes.
All other functionality apart from IPsec was OK.
As these links and management network access were not essential at the time, I've paused on this till I've got some free time to spare.
Today I've connected to management network with backup link and found IPsec config on RB3011 to be absolutely clear as it shows in Winbox.
Export of IPsec config via terminal got stuck immediately after the header.
Log shows script failures (timeouts) every 15 seconds (I'm running a script with scheduler every 15 seconds, the script queries the address of a certain IPsec peer):
script,error script error: action timed out - try again, if error continues contact MikroTik support and send a supout file (13)
Thinking it's a glitch, I've upgraded the router to latest 45beta31 (that's why I'm not sure of version that caused the failure).
After upgrade and reboot the log showed:
l2tp,error could not add IPsec policy: std failure: timeout (13)
I've made a backup and restored it. No changes - IPsec config is still clear.
Both config export and making supout.rif get stuck (export gets stuck after /ip firewall layer7-protocol, supout at 1%).
Power-cycled the router. No changes.
Netinstalled the same version of ROS, restored config. No changes.
Rolled back to stable 6.44.2. No changes. When I'm trying to add an IPsec policy or peer it just gets stuck.
Restoring from older backups works well, IPsec config is OK.
Any ideas how to restore IPsec functionality?
I could export individual config sections from the latest one (with corrupted IPsec config), export certificates, then restore an older config and merge any changes/import any changed certificate into it, check/restore all IPsec configuration manually.
Is there an easier way?