Hi everyone!

Our customers use many MikroTik gateways. The routers are connected in a star topology with L2TP/IPsec VPN. The main router is L2TP server, the site gateways connect there with L2TP client interface. When the internet connection down for a few minutes (on the site gatways), the L2TP connections are not re-established (if the internet connection is ready again.)

Example:
1. L2TP/IPSec VPN is working between the central (main) router, and the sites routers.
2. Internet connection of a site router will be lost for a few minutes (e.g. site "A") - Usually internet connection problem caused by ISP.
3. Internet connection is UP again.
3. The site router (e.g. site "A") can't reconnect to central (main) router with L2TP/IPsec.

We are see the log:
ISAKMP-SA established XXX.XXX.XXX.XXX[500]-XXX.XXX.XXX.XXX[500] spi:xxxxxxxxxxxxx:xxxxxxxxxxxxx
l2tp-out-company: terminating... - session closed
l2tp-out-company: disconnected
ISAKMP-SA deleted XXX.XXX.XXX.XXX[500]-XXX.XXX.XXX.XXX[500] spi:xxxxxxxxxxxxx:xxxxxxxxxxxxx
ISAKMP-SA established XXX.XXX.XXX.XXX[500]-XXX.XXX.XXX.XXX[500] spi:xxxxxxxxxxxxx:xxxxxxxxxxxxx
l2tp-out-company: terminating... - session closed
l2tp-out-company: disconnected
ISAKMP-SA deleted XXX.XXX.XXX.XXX[500]-XXX.XXX.XXX.XXX[500] spi:xxxxxxxxxxxxx:xxxxxxxxxxxxx
ISAKMP-SA established XXX.XXX.XXX.XXX[500]-XXX.XXX.XXX.XXX[500] spi:xxxxxxxxxxxxx:xxxxxxxxxxxxx
l2tp-out-company: terminating... - session closed
l2tp-out-company: disconnected
ISAKMP-SA deleted XXX.XXX.XXX.XXX[500]-XXX.XXX.XXX.XXX[500] spi:xxxxxxxxxxxxx:xxxxxxxxxxxxx

Sometimes we see the log that, "old tunnel is not closed yet."


When this problem becomes current, we disable the L2TP interface (on the client) for 30 minutes. After enabling the interface, the L2TP VPN will work again. We change to main MikroTik router to Sophos XG, but the problem is same.

MikroTik log:
ISAKMP-SA established XXX.XXX.XXX.XXX[500]-XXX.XXX.XXX.XXX[500] spi:xxxxxxxxxxxxx:xxxxxxxxxxxxx
l2tp-out-company: terminating... - session closed
l2tp-out-company: disconnected
ISAKMP-SA deleted XXX.XXX.XXX.XXX[500]-XXX.XXX.XXX.XXX[500] spi:xxxxxxxxxxxxx:xxxxxxxxxxxxx

Sophos log:
xl2tpd[5827]: control_finish: Peer requested tunnel 4204 twice, ignoring second one.

I was looking for solutions in the MikroTik forum, but I only found one. The "solution" that, I have to write a script, which pings through the WAN interface. If the script can't ping through the WAN interface (e.g. 8.8.8.8), take disable the L2TP-client interface for 30 minutes, after enable again. I cannot accept this solution, there is certainly another option. The error might be caused by a configuration issue.

Can you please help me solve the problem?

Thanks in advance!

Gabor

I have been facing the same problem !

The solution is similar for me. On the server side I disable the PPP/secrets for the clients and disable peers and proposals on IPsec (occasionally I have to flush the SAs also) and then enable them back, the link then comes back online.

I can confirm this happens when a change in public IP addresses happens or there is an "instantaneous" problem with the internet connection .

I am using 6.48.2

and disable peers and proposals on IPsec (occasionally I have to flush the SAs also)

Please check if this situation like:
PPP > Active Connections -> No connected client
IP > IPSec > Policies -> You see still connection from that client who is not connected and this is dynamic entry who cannot be remove

WorkARound:
CLI: /ip ipsec proposal enable YourProporsalName ;
WinBox: select your proporsal and click Enable button.

You can check my way of analyze that problem and script who detect that and do a re-enable proporsal and send me a e-mail with notification what exac client have that problem.
[WorkARound] IPSec PH2 "ready to send" without Active Peer, User cannot connect, Win10 #809 or #0 [SOLVED]
For now I wait for post like this to check if other ppl have that problem.

Hi SiB,

Thanks your answer! Unfortunately, my problem is not the same. On our routers, the IPsec VPN is immediately established. We are still waiting for the right answer. Maybe can I open a support ticket at MikroTik?

OK, I found it. I sent a ticket to MikroTik Support. If I get answare, I will post it!

Maybe can I open a support ticket at MikroTik?

You should!.
And that problem you write is similar to my branches (not only a users from Win10).
Check next time if in IP IPSec Policies you see the OLD tunnel as connected.

I am very sad. I wrote to the Support on May 27, 2021, but I did not receive any relevant, useful information. In fact, I haven’t received any response in one month. If I have new information, I will write in the post.

Re-Write again your last sentence to support.
my remote branches who cannot connect they have in Policy a dynamic entry and I do re-enable Proporsal who refresh all dynamic entry and fix that situation.

I use netwatch.

When it's down... I flush the IPSec info.

Wrote it a few years ago and it just does it's thing.

gotsprings write:

I use netwatch.

remember that not all scenario netwatch can be use, it not have a src-address, it's not detect flapping and give false-positive results too.
and Flush not always fix stuff