First thing is to configure other logging destinations ... memory gets cleared with reboot and any potential log entries from before reboot which might shed some light are gone.
Any more info on this... Having a similar problem with a CCR2116-4S+
Reboot from watchdog timer.
Did it about 8 times in a row.. and then stabilized.
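Once log entries are kept off the router, as the first reply advises, watchdog reboots and chains of back-to-back reboots can be counted from the collected lines. This is an added example, not code from anyone in this thread; the line layout, the host name `rtr1` and the message wording in the sample are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of lines as a remote log collector might store them.
# Timestamp layout, host name and message wording are assumptions.
SAMPLE_LOG = """\
2023-01-20T02:14:07 rtr1 system,error,critical router was rebooted without proper shutdown by watchdog timer
2023-01-20T02:19:41 rtr1 system,error,critical router was rebooted without proper shutdown by watchdog timer
2023-01-20T02:25:03 rtr1 system,error,critical router was rebooted without proper shutdown by watchdog timer
2023-01-20T09:00:00 rtr1 system,info watchdog-timer setting changed by admin
garbled line without a timestamp mentioning watchdog reboot
2023-01-21T17:48:30 rtr1 system,error,critical router was rebooted without proper shutdown by watchdog timer
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")

def watchdog_reboots(text):
    """Return sorted timestamps of lines that report a watchdog reboot."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp, _host, message = m.groups()
        msg = message.lower()
        if "watchdog" not in msg or "reboot" not in msg:
            continue
        try:
            events.append(datetime.fromisoformat(stamp))
        except ValueError:
            continue  # first field is not a timestamp: ignore the line
    return sorted(events)

def chains(events, window_minutes=15):
    """Group reboots that follow each other within the window into chains."""
    groups = []
    for ts in events:
        if groups and ts - groups[-1][-1] <= timedelta(minutes=window_minutes):
            groups[-1].append(ts)
        else:
            groups.append([ts])
    return groups

def summarize(text, window_minutes=15):
    """Total reboots, reboots per day, and the size of each reboot chain."""
    events = watchdog_reboots(text)
    per_day = {}
    for ts in events:
        day = ts.date().isoformat()
        per_day[day] = per_day.get(day, 0) + 1
    sizes = [len(g) for g in chains(events, window_minutes)]
    return {"total": len(events), "per_day": per_day, "chains": sizes}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Running the same summary before and after a firmware or connection-tracking change gives a like-for-like reboot count instead of a recollection of uptime.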
In the log it shows that there is no DNS resolution. It could be a wrong DNS, a wrong IP or no gateway or any networking problem. You can enable ping Watchdog by specifying an IP address and you can disable the software Watchdog by unsetting the Watchdog Timer option.
At this point I am trying everything, so I currently have ip > firewall > connection > tracking disabled
Did you disable connection tracking?
There are no networking issues.
Setting watchdog timer to zero will disable watchdog. Then fix your networking problems.
Same thing, I had CCR1036s without issue; since upgrading (if you want to call it that) to CCR2116s the rebooting issue has persisted through all the stable branch of firmware, all the way up to 7.7.
Same problem.. had a CCR1036 working fine.. same config on a CCR2116 and it reboots...
Disabled connection tracking and it has been stable for 3 days.
Is it possible that the ROS is having a problem with the ARM64 processor?
The CCR1036 is a Tile processor.. maybe that is where Mikrotik should start their debugging.
I don't believe that there is a "CONFIG" problem. I have been emailing SUPOUT files to Support for 2 months.. and they keep telling me to upgrade to the newest firmware.
So I updated to 7.7 and it still rebooted till I disabled Connection tracking.. Crossing fingers that it stays stable.
Hi, using pair of 2116 with 2x bonding 802.3ad on copper. One on 7.5, one on 7.6. Not a single issue since they were installed (116 days/90 days)
I tried disabling the bonding port and it didn't seem to make a difference. So I downgraded the CCR2116 back to 7.6 and so far no reboots for a few days. On version 7.7, it was rebooting 2-3 times daily and sometimes chain-rebooting (2-3 times in a row). So 7.7 made rebooting MUCH worse. If 7.6 is anything like with the CCR2004, I suspect it will start rebooting much less frequently. So far uptime of almost 2 days with no "watchdog reboots". I haven't tried disabling the watchdog timer; worried about locking the router up indefinitely. Also someone mentioned disabling connection tracking; unfortunately, I am doing some light NATing on this router. So I have to leave it on.
Thanks, but I guess it's not worth to ship them into EU
We have about 30 1009s still left. Just a FYI.
Maybe not. Up to you though.
Yep, we have turned off connection tracking on a number of customer routers, stopped the reboots. The ones we turned it off on did not have "heavy" NAT usage, really just for management devices, but still. I hope MT is following this thread to help out.
So I moved my NATs to another router and completely disabled "Connection Tracking". So far, been stable for about 4-5 days (instead of 1-2 reboots per day); longest run so far. This router was in front of our server network which was handling our private servers and some office network. So when NATing was on, it tended to have a very large amount of connections to track. I'm thinking the problem with the CCR2xxx is with heavy connection tracking.
/system/watchdog> print
watch-address: none
watchdog-timer: yes
ping-start-after-boot: 5m
ping-timeout: 1m
automatic-supout: yes
auto-send-supout: no
/ip/firewall/connection/tracking> print
enabled: auto
tcp-syn-sent-timeout: 5s
tcp-syn-received-timeout: 5s
tcp-established-timeout: 1d
tcp-fin-wait-timeout: 10s
tcp-close-wait-timeout: 10s
tcp-last-ack-timeout: 10s
tcp-time-wait-timeout: 10s
tcp-close-timeout: 10s
tcp-max-retrans-timeout: 5m
tcp-unacked-timeout: 5m
loose-tcp-tracking: yes
udp-timeout: 10s
udp-stream-timeout: 3m
icmp-timeout: 10s
generic-timeout: 10m
max-entries: 1048576
total-entries: 1102
Yes, disabling the watchdog is good if you want to capture anything from the console, but will require a power cycle to get it going again. This is the bios watchdog, if the bios does not get a response from the OS, it will reboot, this is what normally happens. Note, that it should not be a 100% cpu thing, i.e. if the router goes to 100% cpu, it should not cause this, but I could be wrong.
Sirbryan, thanks for that information. I did try disabling the watchdog timer with a blank watch address; but that just caused it to eternally lock up when the time came (had to physically reboot it). It's always the crazy 100pct on 4 cores before it reboots or locks. My router is still stable so far after disabling connection tracking. We are also lagging 2 SFP+ ports into a single bond interface and running vlans on the 802.3ad bond. Maybe it's the combination of bonding and connection tracking that is giving us the problem.
# feb/01/2023 06:17:25 by RouterOS 7.8beta2
# software id = KMRG-539B
#
# model = CCR2116-12G-4S+
# serial number = HCX081Q7RWX
/interface ethernet
set [ find default-name=ether1 ]
set [ find default-name=sfp-sfpplus1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
sfp-sfpplus1-coreswitch1 speed=1Gbps
set [ find default-name=sfp-sfpplus2 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
sfp-sfpplus2-coreswitch2 speed=1Gbps
set [ find default-name=sfp-sfpplus3 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full speed=\
1Gbps
set [ find default-name=sfp-sfpplus4 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full speed=\
1Gbps
/interface bonding
add mode=802.3ad name=Po1 slaves=sfp-sfpplus1-coreswitch1,sfp-sfpplus2-coreswitch2 transmit-hash-policy=\
layer-2-and-3
/interface vlan
add interface=Po1 name=vlan2-old-core-stub vlan-id=2
add interface=Po1 name=vlan3-noc-core-stub vlan-id=3
add interface=Po1 name=vlan5-public-servers vlan-id=5
add interface=Po1 name=vlan6-virtual-sites vlan-id=6
add interface=Po1 name=vlan7-public-workstation vlan-id=7
add interface=Po1 name=vlan8-private-servers vlan-id=8
add interface=Po1 name=vlan9-private-workstations vlan-id=9
add interface=Po1 name=vlan11-storage vlan-id=11
add interface=Po1 name=vlan12-positronix-servers vlan-id=12
add interface=Po1 name=vlan13-positronix-hosted vlan-id=13
add interface=Po1 name=vlan14-positronix-private vlan-id=14
add interface=Po1 name=vlan20-guest vlan-id=20
add interface=Po1 name=vlan101-voip vlan-id=101
add interface=Po1 name=vlan113-mgmnt vlan-id=113
add interface=Po1 name=vlan250-cnwave-ipv6 vlan-id=250
/ip pool
add name=dhcp_pool-mgmnt ranges=10.30.100.20-10.30.100.254
add name=dhcp_pool-voip ranges=10.81.3.50-10.81.3.254
add name=dhcp_pool-office ranges=10.80.10.50-10.80.10.254
add name=dhcp_pool-guest ranges=10.81.9.20-10.81.9.254
/ip dhcp-server
add address-pool=dhcp_pool-guest interface=vlan20-guest name=dhcp1-guest
add address-pool=dhcp_pool-mgmnt interface=vlan113-mgmnt name=dhcp2-mgmnt
add address-pool=dhcp_pool-office interface=vlan9-private-workstations name=dhcp3-office
add address-pool=dhcp_pool-voip interface=vlan101-voip name=dhcp4-voip
/port
set 0 name=serial0
/routing id
add disabled=no id=xxx name=id-1 select-dynamic-id=""
/routing ospf instance
add disabled=no name=default-v2 router-id=id-1
/routing ospf area
add disabled=no instance=default-v2 name=backbone-v2
/user group
add name=backups policy="ftp,read,sensitive,!local,!telnet,!ssh,!reboot,!write,!policy,!test,!winbox,!password,!web,\
!sniff,!api,!romon,!rest-api"
/ip firewall connection tracking
set enabled=no
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=xxx interface=vlan3-noc-core-stub network=xxx
add address=xxx interface=vlan6-virtual-sites network=xxx
add address=10.30.0.1/16 comment=Mgmnt interface=vlan113-mgmnt network=10.30.0.0
add address=10.81.1.1/24 comment="Workstations(private) - Moved subnet" disabled=yes interface=\
vlan9-private-workstations network=10.81.1.0
add address=xxx comment="Workstations(public)" interface=vlan7-public-workstation network=xxx
add address=xxx comment=Voip interface=vlan101-voip network=xxx
add address=xxx comment="Servers(private)" interface=vlan8-private-servers network=xxx
add address=10.50.1.1/24 comment="Storage - Do not advertise" interface=vlan11-storage network=10.50.1.0
add address=xxx comment="Servers(public)" interface=vlan5-public-servers network=xxx
add address=xxx comment="Positronix Servers" interface=vlan12-positronix-servers network=xxx
add address=xxx comment="Positronix Hosted" interface=vlan13-positronix-hosted network=xxx
add address=xxx comment="Positronix Private Servers" interface=vlan14-positronix-private network=xxx
add address=xxx comment="Old Core Stub - Removing Later" interface=vlan2-old-core-stub network=\
xxx
add address=10.185.1.1/24 comment="CNWave IPv4 Mgmnt Ruby" disabled=yes interface=vlan250-cnwave-ipv6 network=\
10.185.1.0
add address=10.80.10.1/24 comment="Workstations(private)" interface=vlan9-private-workstations network=10.80.10.0
add address=10.81.9.1/24 comment="Guest Network" interface=vlan20-guest network=10.81.9.0
/ip dhcp-server lease
add address=10.81.1.51 client-id=ff:54:41:dc:74:0:1:0:1:2a:fb:e5:2e:70:f7:54:41:dc:74 mac-address=70:F7:54:41:DC:74 \
server=dhcp3-office
/ip dhcp-server network
add address=10.30.0.0/16 gateway=10.30.0.1
add address=10.80.10.0/24 comment="Office Workstations" dns-server=xxx gateway=10.80.10.1
add address=10.81.3.0/24 gateway=10.81.3.1
add address=10.81.9.0/24 gateway=10.81.9.1
/ip dns
set servers=xxx,1.1.1.1
/ip firewall address-list
add address=xxx list=secure
# (cut out all my ip lists)
/ip firewall filter
add action=accept chain=forward comment="Allow radius requests" dst-address=xxx dst-port=1812-1813 \
protocol=udp
add action=drop chain=input comment="Secure router" protocol=tcp src-address-list=!high-secure
add action=accept chain=forward comment="Allowed public webservers" dst-address-list=allwed-public-webservers \
dst-port=80-88,443 protocol=tcp
add action=accept chain=forward comment="Allowed sip trunks" src-address-list=voip-trunks
add action=accept chain=forward comment="Allow trusted external ips" src-address-list=trusted-external-ips
add action=drop chain=forward comment="Securing Servers" dst-address-list=servers dst-port=\
21-23,80-88,389,443,3389,10000,5566,5900-5910 protocol=tcp src-address-list=!secure
add action=drop chain=forward comment="Securing certain web servers (outside of normal range)" dst-address-list=\
web-blocked dst-port=21-23,80-88,389,443,3389,10000,5566,5900-5910 protocol=tcp src-address-list=!secure
add action=drop chain=forward comment="Block all inbound to ad, printers, etc" dst-address-list=fully-blocked-hosts \
src-address-list=!secure
add action=drop chain=forward comment="Drop unsecure SSH, webmin and zimbra policyd to Positronix network" \
dst-address-list=positronix-networks dst-port=22,10000,7780 protocol=tcp src-address-list=!secure
/ip firewall nat
# (These were the NATs we had to move to another router)
add action=accept chain=srcnat comment="NAT bypass for mgmnt to server network" disabled=yes dst-address=\
10.80.1.0/24 src-address=10.30.0.0/16
add action=src-nat chain=srcnat comment="Guest Network NAT" disabled=yes src-address=192.168.75.0/24 to-addresses=\
xxx
add action=src-nat chain=srcnat comment="Mgmnt NAT" disabled=yes src-address=10.30.0.0/16 to-addresses=xxx
add action=src-nat chain=srcnat comment="Office Workstation(private) NAT" disabled=yes src-address=10.81.1.0/24 \
to-addresses=xxx
add action=src-nat chain=srcnat comment="Voip NAT" disabled=yes src-address=10.81.3.0/24 to-addresses=xxx
add action=src-nat chain=srcnat comment="Storage NAT - NO NATTING AT ALL " disabled=yes src-address=10.50.1.0/24 \
to-addresses=xxx
/ip firewall service-port
set sip disabled=yes
/ip route
add comment="VPN Static - Routing xxx VPN through Internet Connection" disabled=no dst-address=xxxx \
gateway=xxx
/routing ospf interface-template
add area=backbone-v2 auth=md5 auth-id=1 auth-key=xxx cost=10 disabled=no interfaces=vlan3-noc-core-stub \
networks=xxx priority=1
add area=backbone-v2 cost=10 disabled=no interfaces=vlan6-virtual-sites networks=xxx passive priority=1
add area=backbone-v2 cost=10 disabled=no interfaces=vlan113-mgmnt networks=10.30.0.0/16 passive priority=1
add area=backbone-v2 cost=10 disabled=no interfaces=vlan20-guest networks=10.81.9.0/24 passive priority=1
add area=backbone-v2 cost=10 disabled=no interfaces=vlan7-public-workstation networks=xxx passive \
priority=1
add area=backbone-v2 cost=10 disabled=no interfaces=vlan101-voip networks=10.81.3.0/24 passive priority=1
add area=backbone-v2 auth=md5 auth-id=1 auth-key=xxx cost=10 disabled=no interfaces=vlan8-private-servers \
networks=10.80.1.0/24 priority=50
add area=backbone-v2 auth=md5 auth-id=1 auth-key=xxx cost=10 disabled=no interfaces=vlan5-public-servers \
networks=xxx priority=1
add area=backbone-v2 cost=10 disabled=no interfaces=vlan12-positronix-servers networks=xxx priority=1
add area=backbone-v2 cost=10 disabled=no interfaces=vlan13-positronix-hosted networks=xxx passive \
priority=1
add area=backbone-v2 cost=10 disabled=no interfaces=vlan14-positronix-private networks=10.80.2.0/24 passive \
priority=1
add area=backbone-v2 auth=md5 auth-id=1 auth-key=xxx cost=10 disabled=no interfaces=vlan2-old-core-stub \
networks=xxx priority=1
add area=backbone-v2 comment="For IPV4 CNwave Mgmnt" disabled=yes interfaces=vlan250-cnwave-ipv6 networks=\
10.185.1.0/24 passive
add area=backbone-v2 disabled=no interfaces=vlan9-private-workstations networks=xxx passive
/system clock
set time-zone-name=America/Chicago
/system identity
set name=NOC-ServerOfficeRouter
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.80.1.69
/tool romon
set enabled=yes