MikroTik IPsec tunnel problem

Posted: Mon Aug 20, 2012 3:06 pm
by burkni
Hello all.
I've managed to set up a VPN tunnel between a MikroTik RB750G and a Cisco ASA 5510. Actually I've set up tunnels to 3 locations. 2 of them are behind an ADSL router which is set up as a modem, i.e. I bridge the ADSL router and use it as a modem. So the MikroTik is set up with a PPPoE connection and such. That works great and the VPN tunnel too. Then I have an Ethernet connection in one place. There I just get a public IP and am supposed to be connected straight to the Internet. All that works fine too apart from the VPN tunnel. The tunnel comes up when the MikroTik router starts but it falls out after some time. I haven't timed it but we're talking maybe 15 minutes or so. I don't see any difference in this setup compared to the other two. Another thing I'd like to mention is that after the VPN tunnel is established on the ADSL connections I can connect to the MikroTik routers with WinBox on the internal IP. But on this one, the one having the problem, I can't connect to it with WinBox on the internal IP nor the external one.
I've tried changing the router (RB750G) but that didn't make any difference. Am I missing something here? I know I didn't provide you with any config but is there any difference in how this should be handled? I set them all up the same, apart from the PPPoE part. Do I need to make some virtual external interface to connect to the VPN?

Any help much appreciated.

Re: MikroTik IPsec tunnel problem

Posted: Tue Aug 21, 2012 10:29 pm
by jerryroy1
Confirm your FW rules. Can you ping public IP?

Re: MikroTik IPsec tunnel problem

Posted: Wed Aug 22, 2012 4:11 pm
by burkni
I can ping the public IP of both the MT router (from the Cisco side) and the Cisco box (from the MT side). With the tunnel up I can ping the internal IP of the MT from the Cisco site. Everything works apart from the fact that I can't connect with WinBox and Nagios can't pull information from SNMP. At the other places, the ADSL ones, I have no problem connecting with WinBox and getting SNMP info.
The tunnel seems to work now but it still falls out for some time every now and then. Yesterday it dropped around 8:50 or so and came back on at 12:30 or so. Today it dropped around 10:15 and came back on around 12:10. Not exact times but around that. I'm monitoring this with Nagios so I can see when it responds and when it stops responding. I'm still not able to connect with WinBox or get SNMP data.
Any ideas?

Re: MikroTik IPsec tunnel problem

Posted: Wed Aug 22, 2012 6:34 pm
by gsloop
What is the tunnel? IPSec? Something else?

Any packet loss? Having a tunnel drop isn't unheard of, but having it drop for hours is, unless you've got some serious packet loss or something.

Re: MikroTik IPsec tunnel problem

Posted: Wed Aug 22, 2012 7:01 pm
by jerryroy1
Run a port scanner to the wan of the box. Does 8291 show open? Did you try the web interface or ssh?

Re: MikroTik IPsec tunnel problem

Posted: Thu Aug 23, 2012 11:56 am
by burkni
@gsloop - There's no packet loss to the external IP from my site, at least I don't see any problem in Nagios. But I get a drop in the tunnel for the time I mentioned. I shall try pinging the external port continuously for some time and see if that shows anything.

@jerryroy1 - There are fewer ports open on the one having problem. I don't see any difference in the firewall rules though.

Re: MikroTik IPsec tunnel problem

Posted: Fri Aug 24, 2012 2:47 am
by gsloop
How are you monitoring with Nagios? Fping? How often and how many pings? [I use smokeping so I'm not sure how Nagios does it.]

Again, what's the tunnel type?
[You do have logging turned on for that protocol/service on the RB and have looked at the logs, right?]

Re: MikroTik IPsec tunnel problem

Posted: Fri Aug 24, 2012 4:57 pm
by burkni
At the moment I'm just monitoring it with ping. I ping the external interface and the internal one also, but that of course only shows a response when the tunnel is up. It's an IPsec tunnel, 3DES/SHA1. It's the same setup I'm using on the other sites but they are behind an ADSL modem (router bridged as a modem).
Everything seems to be working now, no fallout since the morning of the 22nd of August. (I know, not long but longer than usual.) I know there hasn't been much use there so I'm interested to see it under stress.
To be honest, I don't know how to turn on logging for this specifically; I haven't had the need to monitor these routers until now. I really like these routers and I'm sure this is just some failure of mine, some little thing missing or something.
Nagios, or actually I'm using FAN (Fully Automated Nagios), which uses Centreon, which is basically just a GUI for Nagios. I used just Nagios, but with this it was easier to get the graphs and such.
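The ping monitoring described in this post only tells you that the tunnel-side address stopped answering; it does not say whether the IPsec tunnel or the whole circuit went away. The following is an added example, not code from the thread or from MikroTik: it reads constructed check results for the public IP and the tunnel-side address and reports each outage window classified as a tunnel failure (public IP still answers) or a circuit failure (nothing answers). The log format and the target names "public" and "tunnel" are assumptions.

```python
from datetime import datetime

# Constructed sample in the style of a periodic ping check: "date time target status".
# Times mirror the drops reported in the thread (tunnel down 08:50 to 12:30); not real data.
SAMPLE_LOG = """\
2012-08-22 08:40 public UP
2012-08-22 08:40 tunnel UP
2012-08-22 08:50 public UP
2012-08-22 08:50 tunnel DOWN
2012-08-22 09:00 public UP
2012-08-22 09:00 tunnel DOWN
2012-08-22 12:30 public UP
2012-08-22 12:30 tunnel UP
2012-08-23 10:05 public DOWN
2012-08-23 10:05 tunnel DOWN
2012-08-23 10:15 public UP
2012-08-23 10:15 tunnel UP
"""

def parse_checks(text):
    """Group check results by timestamp: {datetime: {target: is_up}}."""
    checks = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, target, status = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M")
        checks.setdefault(ts, {})[target] = (status == "UP")
    return checks

def classify_outages(checks):
    """Return [(start, end, kind)]; kind is 'tunnel' when only the tunnel-side
    address is unreachable (IPsec problem) or 'circuit' when the public IP is
    unreachable too (link/ISP problem). end is None for an ongoing outage."""
    outages, current = [], None          # current = (start, kind) or None
    for ts in sorted(checks):
        public_up = checks[ts].get("public", False)
        tunnel_up = checks[ts].get("tunnel", False)
        kind = None if (public_up and tunnel_up) else ("tunnel" if public_up else "circuit")
        if current and current[1] != kind:   # outage ended or changed type
            outages.append((current[0], ts, current[1]))
            current = None
        if kind and current is None:          # new outage starts
            current = (ts, kind)
    if current:
        outages.append((current[0], None, current[1]))
    return outages

def summarize(outages):
    """One line per outage, e.g. for a notification body."""
    return [f"{kind} outage from {start:%Y-%m-%d %H:%M} ("
            f"{'ongoing' if end is None else f'{(end - start).total_seconds() / 60:.0f} min'})"
            for start, end, kind in outages]
```

Feeding real check output into it means matching whatever your Nagios/fping plugin writes, so adjust parse_checks accordingly.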

Re: MikroTik IPsec tunnel problem

Posted: Fri Aug 24, 2012 6:40 pm
by jerryroy1
Sounds like it was a broadband circuit issue or another device had the same IP assigned (if it actually has been resolved). FYI, you can set up logging for IPsec by going to System > Logging and hitting the plus sign. Then under Topics choose ipsec and click OK. Now go back and select Log in your WinBox and you will see the logging for IPsec. Hope that helps.

Please add Karma if I have been of any service to you :)