Disconnected IPSEC peer problem

Posted: Thu Nov 01, 2012 4:44 pm
by cdesz
Hello!
We are deploying IPSEC connections between HQ (Cisco ASA) and small branch offices (RouterBOARD).
The RB connects to the ASA without any problem and works fine.
The problem is when the ASA drops the IPsec & ISAKMP SAs after a period of inactivity.
As I see it, the RB knows that the connection is down because it removes the peer from [/ip ipsec remote-peer], but the SAs are still present in [/ip ipsec installed-sa].
And traffic to the tunnel is dropped as prohibited. The tunnel cannot be reestablished until the SAs are flushed.

Normal operation
[admin@N3] > /ip ipsec remote-peers print
 0 local-address=X.X.X.X remote-address=Y.Y.Y.Y state=established side=initiator established=29m36s
[admin@N3] > /ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs
 0 E  spi=0xE1C9CEB src-address=Y.Y.Y.Y dst-address=X.X.X.X auth-algorithm=sha1 enc-algorithm=3des replay=4
      state=mature auth-key="697c459526423d6add00a9bc4bb183f14fca363a"
      enc-key="e8b958a48d7c45f1243b516a1351e7db14b34583d8ca8e61" addtime=nov/01/2012 18:00:00 expires-in=7h30m14s
      add-lifetime=6h24m/8h current-bytes=149688

 1 E  spi=0x44F37007 src-address=X.X.X.X dst-address=Y.Y.Y.Y auth-algorithm=sha1 enc-algorithm=3des replay=4
      state=mature auth-key="acb9f886b3bf0629d51ff2116091da923c13ee21"
      enc-key="faef95f257f84da59036ac1b34f01eaf773971d293cf7036" addtime=nov/01/2012 18:00:00 expires-in=7h30m14s
      add-lifetime=6h24m/8h current-bytes=149772
[admin@N3] > /ping src-address=192.168.33.1 count=2 192.168.1.1
HOST                                     SIZE TTL TIME  STATUS
192.168.1.1                                56 254 2ms
192.168.1.1                                56 254 1ms
    sent=2 received=2 packet-loss=0% min-rtt=1ms avg-rtt=1ms max-rtt=2ms
HOST                                     SIZE TTL TIME  STATUS

[admin@N3] >
After the ASA drops the IPsec SA
[admin@N3] > /ip ipsec remote-peers print

[admin@N3] > /ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs
 0 E  spi=0xE1C9CEB src-address=Y.Y.Y.Y dst-address=X.X.X.X auth-algorithm=sha1 enc-algorithm=3des replay=4
      state=mature auth-key="697c459526423d6add00a9bc4bb183f14fca363a"
      enc-key="e8b958a48d7c45f1243b516a1351e7db14b34583d8ca8e61" addtime=nov/01/2012 18:00:00 expires-in=7h27m21s
      add-lifetime=6h24m/8h current-bytes=156100

 1 E  spi=0x44F37007 src-address=X.X.X.X dst-address=Y.Y.Y.Y auth-algorithm=sha1 enc-algorithm=3des replay=4
      state=mature auth-key="acb9f886b3bf0629d51ff2116091da923c13ee21"
      enc-key="faef95f257f84da59036ac1b34f01eaf773971d293cf7036" addtime=nov/01/2012 18:00:00 expires-in=7h27m21s
      add-lifetime=6h24m/8h current-bytes=156352
[admin@N3] > /ping src-address=192.168.33.1 count=2 192.168.1.1
HOST                                     SIZE TTL TIME  STATUS
192.168.1.1                                             timeout
192.168.1.1                                             timeout
    sent=2 received=0 packet-loss=100%
HOST                                     SIZE TTL TIME  STATUS
Flush the installed SAs and everything is fine again
[admin@N3] > /ip ipsec installed-sa flush
[admin@N3] > /ping src-address=192.168.33.1 count=2 192.168.1.1
HOST                                     SIZE TTL TIME  STATUS
192.168.1.1                                56 254 2ms
192.168.1.1                                56 254 2ms
    sent=2 received=2 packet-loss=0% min-rtt=2ms avg-rtt=2ms max-rtt=2ms
HOST                                     SIZE TTL TIME  STATUS

[admin@N3] > /ip ipsec remote-peers print
 0 local-address=X.X.X.X remote-address=Y.Y.Y.Y state=established side=initiator established=15s
[admin@N3] > /ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs
 0 E  spi=0x47321FF src-address=Y.Y.Y.Y dst-address=X.X.X.X auth-algorithm=sha1 enc-algorithm=3des replay=4
      state=mature auth-key="80ba7181dbb482e1ea7f0a95f9758da887a584cc"
      enc-key="88d1a0516e4359ac4e9b345c1084a51f7a5f4cc1102a3ecc" addtime=nov/01/2012 18:33:27 expires-in=7h59m42s
      add-lifetime=6h24m/8h current-bytes=1624

 1 E  spi=0x9EFFD9D2 src-address=X.X.X.X dst-address=Y.Y.Y.Y auth-algorithm=sha1 enc-algorithm=3des replay=4
      state=mature auth-key="6f588056a4c576a7468ca046c817c87a61635663"
      enc-key="e216630082a6848dfe89f4572c80bd3705dd392cf3beff39" addtime=nov/01/2012 18:33:27 expires-in=7h59m42s
      add-lifetime=6h24m/8h current-bytes=1624
[admin@N3] >
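As an added example, not code from the original post and not the script mentioned later in the thread, a RouterOS script for /system scheduler that automates the manual check-and-flush sequence shown above: if no remote peer exists for the ASA but phase 2 SAs are still installed and the tunnel does not pass traffic, the stale SAs are flushed so the tunnel can renegotiate. It assumes the ASA address Y.Y.Y.Y, the test host 192.168.1.1 and the source 192.168.33.1 from the post, and that the RouterOS version in use supports find on remote-peers.

```routeros
# Added example, not from the original post. Assumed values are taken from the
# post: ASA address Y.Y.Y.Y, tunnel test host 192.168.1.1, local source 192.168.33.1.
:local peerAddr "Y.Y.Y.Y"
:local testHost 192.168.1.1
:local testSrc 192.168.33.1

# Phase 1 (ISAKMP) peer entries for the ASA; empty when the ASA has dropped the peer
:local peers [/ip ipsec remote-peers find where remote-address=$peerAddr]

# Phase 2 SAs in either direction that still reference the ASA
:local sas [/ip ipsec installed-sa find where src-address=$peerAddr || dst-address=$peerAddr]

:if ([:len $peers] = 0 && [:len $sas] > 0) do={
    # Peer is gone but SAs remain. Confirm the tunnel is really dead before
    # flushing, so the flush never interrupts a tunnel that still carries traffic.
    # In scripting, /ping returns the number of replies received.
    :local got [/ping $testHost src-address=$testSrc count=2]
    :if ($got = 0) do={
        :log warning ("IPsec: no remote peer " . $peerAddr . " but " . [:len $sas] . " stale SAs installed, flushing")
        /ip ipsec installed-sa flush
    } else={
        :log info ("IPsec: peer " . $peerAddr . " missing but tunnel still passes traffic, not flushing")
    }
}
```

Run it from /system scheduler at an interval shorter than the ASA's idle timeout; the warning log line also gives you a record of how often the condition occurs.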

Re: Disconnected IPSEC peer problem

Posted: Sat Nov 03, 2012 1:06 am
by jandafields
Lots of people have this same problem. I've decided that IPSEC simply is not reliable on Mikrotik because of the problem that it doesn't always reconnect after a network drop.

Search the forums, you will find this problem several times. You can workaround with scripting and such, but it isn't fun.

Re: Disconnected IPSEC peer problem

Posted: Sat Nov 03, 2012 1:34 am
by nz_monkey
Yes, this is a very annoying problem and one of the reasons we don't use IPSEC on RouterOS.

I posted a script that flushes the stale SAs in the main thread about this problem.

Re: Disconnected IPSEC peer problem

Posted: Sat Nov 03, 2012 12:11 pm
by psamsig
I have never seen an IPSec router that didn't have its quirks, especially when connecting to other brands, and RouterOS isn't an exception, but on the other hand I have hundreds of tunnels running rock steady, with an RB at least in one end.

Post the complete IPSec configuration, both ends; you have to rule out a configuration mistake (lifetime/lifebytes, DPD, initiator).
I know little to nothing about ASA (and its quirks), but I bet someone in here does. If you end up without a solution, then write to Mikrotik support. The more detailed the error report, the bigger the chance they can fix it.

Re: Disconnected IPSEC peer problem

Posted: Sat Nov 03, 2012 6:20 pm
by tomaskir
Look in this thread for a solution to your problem and an explanation of why it happens. It's not Mikrotik that causes this, it's Cisco's IPSec requirements that cause this.

http://forum.mikrotik.com/viewtopic.php?f=2&t=66178