 
g18c
Frequent Visitor
Topic Author
Posts: 62
Joined: Sat May 26, 2012 11:11 pm

IPSEC tunnel issues - SAs need flushing from time to time

Sun Dec 30, 2012 7:28 pm

After the IPSEC tunnel is established between two sites (both Mikrotik) it works fine during testing.

Then after a day or so it stops working until we flush the Installed SAs on both sides.

On flushing SAs and pinging across once more, the VPN comes up without any issue.

I am using SNTP for both sites so clocks are good.

The following settings are the same for both sites:

IPsec policy:
Protocol: esp
Tunnel: yes

Peer:
Proposal check: obey
Send initial contact: Yes
Hash: md5
Encryption algo: 3des
DH group: modp1024
Lifetime: 1d 00:00:00
DPD interval: 120s
DPD Maximum failures

Proposal:
Auth algo: sha1
Encryption algo: 3des
Lifetime: 00:30:00
PFS group: modp1024

Any ideas why it is dropping? What can be done to stop it?

Thanks
 
g18c
Frequent Visitor
Topic Author
Posts: 62
Joined: Sat May 26, 2012 11:11 pm

Re: IPSEC tunnel issues - SAs need flushing from time to tim

Tue Jan 01, 2013 6:39 pm

Just to update, the link has been idle for some time and checking pings just now I get time out.

I could see that there were installed SAs both outbound and inbound, an additional duplicate set with different SPIs has now been created.

The 'Current Bytes' field for the new SAs is incrementing whilst I try to ping (which is failing), the old SAs count remains static.

Regardless of the above, the pings to the other routerbox still time out.

Any ideas or update on this?
 
psamsig
Member Candidate
Posts: 161
Joined: Sun Dec 06, 2009 1:36 pm
Location: Denmark

Re: IPSEC tunnel issues - SAs need flushing from time to tim

Thu Jan 03, 2013 8:43 am

One thing to try was not having 'Send initial contact: Yes' in both ends.
 
g18c
Frequent Visitor
Topic Author
Posts: 62
Joined: Sat May 26, 2012 11:11 pm

Re: IPSEC tunnel issues - SAs need flushing from time to tim

Fri Jan 04, 2013 9:38 pm

Hi, I tried that but the link is still unstable. It seems that whenever it's idle for some time I can no longer ping the other side.

Any other ideas?
 
g18c
Frequent Visitor
Topic Author
Posts: 62
Joined: Sat May 26, 2012 11:11 pm

Re: IPSEC tunnel issues - SAs need flushing from time to tim

Tue Jan 15, 2013 7:10 pm

Bump - hopefully someone can advise on this?

Is it possible to pay Mikrotik for support for this intermittent connectivity issue?
 
makkan
Frequent Visitor
Posts: 82
Joined: Mon Jul 26, 2010 12:38 am

Re: IPSEC tunnel issues - SAs need flushing from time to tim

Tue Jan 15, 2013 10:12 pm

Hi,

I can confirm that this is also an issue when running MikroTik/Cisco. I have scheduled a flush every 60 min and so far it seems to work OK, not perfect but OK.

It has been like this since version 5.12, and Mikrotik support ignores the existence of the error, saying that it works fine and that there must be something wrong with my config.
 
g18c
Frequent Visitor
Topic Author
Posts: 62
Joined: Sat May 26, 2012 11:11 pm

Re: IPSEC tunnel issues - SAs need flushing from time to tim

Wed Jan 16, 2013 12:20 pm

Thanks for the reply :D

What is not good is that you have the same issue as me, but I understand you run Mikrotik to Cisco; from your post I understand it was OK before 5.12 with the exact same config?

I have triple checked the configuration, it is set as per the guides on the wiki and from other sites.

My routerboards are 8 months old, how can I go about getting official word from Mikrotik on this issue?
 
glucz
Member Candidate
Posts: 123
Joined: Wed Jun 06, 2007 10:25 pm

Re: IPSEC tunnel issues - SAs need flushing from time to tim

Wed Jan 16, 2013 12:25 pm

I reported a similar bug to MT a couple of months ago. It was between Windows/MT and MT/MT.
The main point of the report was that when you get a connection error for any reason (network problem, password problem, etc.) MT doesn't fully clear the SAs. They disappear from your list but MT still tries to use them later, so the connection won't establish because both sides try to use different keys. You can fix it by flushing the SAs because that will also clear the phantom ones.

Anyway, I don't remember the issue fully, but MT tested and confirmed it as a bug. It was a few weeks before RouterOS 5.22 came out, so I don't think it had been fixed yet.

GL
 
makkan
Frequent Visitor
Posts: 82
Joined: Mon Jul 26, 2010 12:38 am

Re: IPSEC tunnel issues - SAs need flushing from time to tim

Wed Jan 16, 2013 12:26 pm

Hi,

Sorry for my bad language, it didn't work before 5.12 either. I started using VPN from version 5.12, and it has never worked flawlessly.

I suggest that you contact support@mikrotik.com. One would believe that VPN should work fine between two Mikrotiks as they are using the same RFC. Cisco does not follow the RFC completely, therefore there might be some compliance issues between them and Mikrotik.
But one would think that Mikrotik could have made a "Cisco" setting or something which fixes this, since Cisco has a very great advantage on the market.
 
mrz
MikroTik Support
Posts: 7195
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: IPSEC tunnel issues - SAs need flushing from time to tim

Wed Jan 16, 2013 12:27 pm

If anyone can give access to both Mikrotik and Cisco and describe the way to repeat the problem then it might help to fix the problem.
 
makkan
Frequent Visitor
Posts: 82
Joined: Mon Jul 26, 2010 12:38 am

Re: IPSEC tunnel issues - SAs need flushing from time to tim

Wed Jan 16, 2013 12:33 pm

If anyone can give access to both Mikrotik and Cisco and describe the way to repeat the problem then it might help to fix the problem.

The problem is that the problem is not manually repeatable. It happens randomly, and I believe it could be like glucz says: there are phantom SAs.

I also know that Cisco wants to create a new SA every time the SA times out, but the Mikrotik wants to re-use the old ones as per the RFC.
 
mrz
MikroTik Support
Posts: 7195
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: IPSEC tunnel issues - SAs need flushing from time to tim

Wed Jan 16, 2013 12:35 pm

Do you have level=unique set in the ipsec policy? This is required for the tunnel to work properly with Cisco.
 
g18c
Frequent Visitor
Topic Author
Posts: 62
Joined: Sat May 26, 2012 11:11 pm

Re: IPSEC tunnel issues - SAs need flushing from time to tim

Wed Jan 16, 2013 12:54 pm

Hi @mrz, mine is set to level=require.

This is for native Mikrotik RB1100AH to Mikrotik RB751.

Should I also set this to unique for Mikrotik-to-Mikrotik tunnels?
 
makkan
Frequent Visitor
Posts: 82
Joined: Mon Jul 26, 2010 12:38 am

Re: IPSEC tunnel issues - SAs need flushing from time to tim

Wed Jan 16, 2013 1:01 pm

Do you have level=unique set in ipsec policy? This is required for tunnel to work properly with cisco.
I have never tried that actually, but I am running it now on one of my MT/Cisco solutions. I will turn off flushing SAs tonight and see if it works until tomorrow morning.

Thanks!
 
stmx38
Long time Member
Posts: 651
Joined: Thu Feb 14, 2008 4:03 pm
Location: Moldova, Chisinau

Re: IPSEC tunnel issues - SAs need flushing from time to tim

Wed Jan 16, 2013 2:32 pm

I have an issue with RB1100AH (5.22, unique) and Cisco ASA 5510, but I can't give access.
As a workaround I use this script every minute:
:local IPWatchServer 10.0.1.2
:local OutInterface ether1-lan
:if ([/ping interface=$OutInterface $IPWatchServer count=4]<3) do={
  /ip ipsec installed-sa flush sa-type=all
  :log info "IPSEC tunnel with DMZ is down: Flushing Installed SA !!!"
} else={
#  :log info "IPSEC tunnel with DMZ is OK !"
}
 
mrz
MikroTik Support
Posts: 7195
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: IPSEC tunnel issues - SAs need flushing from time to tim

Wed Jan 16, 2013 2:58 pm

RouterOS creates new SAs before the SA lifetime expires and notifies the remote peer about it. The ASA simply does not respond and does not make new SAs. So without access to the ASA, or detailed debug logs from it, it is hard to tell why it is happening.
 
g18c
Frequent Visitor
Topic Author
Posts: 62
Joined: Sat May 26, 2012 11:11 pm

Re: IPSEC tunnel issues - SAs need flushing from time to tim

Wed Jan 16, 2013 4:26 pm

Glad the Cisco case has some light shed on it, but any idea about my OP and Mikrotik to Mikrotik? :)
 
Felix
just joined
Posts: 5
Joined: Thu Jun 07, 2012 7:14 pm

Re: IPSEC tunnel issues - SAs need flushing from time to tim

Wed Jan 16, 2013 8:01 pm

Hi,

I had similar problems with IPsec.

On both routers I use this script:
ping interface=internal internal.ip.of.other.site count=1
Run this with the scheduler every 5 minutes or something like that. If you do so there is no idle....

Works fine from 5.12 to 6.rc6 in a different mix of versions.

For the problem with the Cisco ASA I use a similar script to slech's.
 
tmm72
just joined
Posts: 21
Joined: Thu Dec 20, 2012 7:05 pm

Re: IPSEC tunnel issues - SAs need flushing from time to tim

Sat Jan 19, 2013 12:14 am

I have an issue with RB1100AH (5.22, unique) and Cisco ASA 5510, but I can't give access.
As a workaround I use this script every minute:
:local IPWatchServer 10.0.1.2
:local OutInterface ether1-lan
:if ([/ping interface=$OutInterface $IPWatchServer count=4]<3) do={
  /ip ipsec installed-sa flush sa-type=all
  :log info "IPSEC tunnel with DMZ is down: Flushing Installed SA !!!"
} else={
#  :log info "IPSEC tunnel with DMZ is OK !"
}

Can you explain the <3 at the end of the if command for the ping please.

Thanks
 
g18c
Frequent Visitor
Topic Author
Posts: 62
Joined: Sat May 26, 2012 11:11 pm

Re: IPSEC tunnel issues - SAs need flushing from time to tim

Mon Jan 21, 2013 7:54 am

Thanks for the no idle script.

More importantly, does anyone know the reason this is required?

How can I file a bug for my issue of drops between Mikrotik devices using IPsec?

Regards

Chris
 
tmm72
just joined
Posts: 21
Joined: Thu Dec 20, 2012 7:05 pm

Re: IPSEC tunnel issues - SAs need flushing from time to tim

Wed Jan 30, 2013 7:09 pm

I have an issue with RB1100AH (5.22, unique) and Cisco ASA 5510, but I can't give access.
As a workaround I use this script every minute:
:local IPWatchServer 10.0.1.2
:local OutInterface ether1-lan
:if ([/ping interface=$OutInterface $IPWatchServer count=4]<3) do={
  /ip ipsec installed-sa flush sa-type=all
  :log info "IPSEC tunnel with DMZ is down: Flushing Installed SA !!!"
} else={
#  :log info "IPSEC tunnel with DMZ is OK !"
}

Can you explain the <3 at the end of the if command for the ping please.

Thanks

Why is it so slow to get responses on things here? Is this just not an active forum? Is there another forum that people use more?
Just curious, because for someone wanting to get to know more about the RouterOS system you would think someone from the company would be a little more responsive?
 
makkan
Frequent Visitor
Posts: 82
Joined: Mon Jul 26, 2010 12:38 am

Re: IPSEC tunnel issues - SAs need flushing from time to tim

Thu Jan 31, 2013 12:59 pm

I have an issue with RB1100AH (5.22, unique) and Cisco ASA 5510, but I can't give access.
As a workaround I use this script every minute:
:local IPWatchServer 10.0.1.2
:local OutInterface ether1-lan
:if ([/ping interface=$OutInterface $IPWatchServer count=4]<3) do={
  /ip ipsec installed-sa flush sa-type=all
  :log info "IPSEC tunnel with DMZ is down: Flushing Installed SA !!!"
} else={
#  :log info "IPSEC tunnel with DMZ is OK !"
}

Can you explain the <3 at the end of the if command for the ping please.

Thanks

Why is it so slow to get responses on things here? Is this just not an active forum? Is there another forum that people use more?
Just curious, because for someone wanting to get to know more about the RouterOS system you would think someone from the company would be a little more responsive?

Stupid question to be honest, it's a user forum. Mikrotik has their support if you need help, support@mikrotik.com.

However, the "<3" means: if the command "[/ping interface=$OutInterface $IPWatchServer count=4]" returns a value less than 3, do this.

So "<3" means "less than 3".

Marcus
 
tmm72
just joined
Posts: 21
Joined: Thu Dec 20, 2012 7:05 pm

Re: IPSEC tunnel issues - SAs need flushing from time to tim

Thu Jan 31, 2013 5:58 pm

[quote]
Stupid question to be honest, it's a user forum. Mikrotik have their support if you need help, support@mikrotik.com.

However - the "<3" means if the command "[/ping interface=$OutInterface $IPWatchServer count=4]" returns a value less than 3, do this.

so "<3" means "less than 3".

Marcus[/quote]

Well, sorry for wasting your time Marcus. I did look around on the Mikrotik website and did not see what or how it was being referenced in the command.
I understand the ping command!
I understand the less than 3!

But what I didn't understand was what was being returned: whether it was only returning the good pings or the bad pings.
Because if you go to Tools > Ping it returns bad and good. So I didn't realize that it was handling it differently.
My bad for not explaining it better. I am getting frustrated that there is an issue between Cisco and Mikrotik IPsec and there is no resolution that I have seen yet.

Some of us are trying to understand these systems and have read the books and reference manuals but still need the push to understand some things.
---------------------------------------------------------------------------------------------------------------------------------------
There are NO dumb or stupid questions!

If someone says that their questions are dumb or are stupid, then they need a slight change of attitude....a change for the better. And that change can be made very-VERY easily.

Realizing that you need more information is a sign of being bright....that's not stupid and that's not dumb. Knowing that you want more knowledge shows that you are a clever and thoughtful person.

Don't describe your mind or your questions with words that make you less than you are!

Change that thinking! Change that phrase!

There are NO dumb or stupid questions!

Instead say "I'm ready to learn."
---------------------------------------------------------------------------------------------------------------------------------------
 
HB1
just joined
Posts: 5
Joined: Wed Mar 08, 2017 5:28 pm

Re: IPSEC tunnel issues - SAs need flushing from time to time

Wed Mar 08, 2017 5:45 pm

Dear All,

I would like to run this script but somehow it doesn't work; could you please help me find what the problem may be? I don't get any messages in the log.

Currently I'm running on 6.39rc40.

In the meantime I recognized that I'm able to run it (without sa-type=all, just a simple /ip ipsec installed-sa flush) via the terminal, but via the scheduler it doesn't work (the run count is increasing but there are no messages in the log).

I also tried a simplified version but no change, it is working only from the terminal:

:if ([/ping 192.168.15.254 count=4]<3) do={
  /ip ipsec installed-sa flush;
  :log info "IPSEC tunnel is down: Flushing Installed SA !!!"
} else={
  :log info "IPSEC tunnel is OK !"
}
Thank you for your help in advance

B.
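A fuller version of the ping-and-flush watchdog discussed in this thread, added here as an illustration and not taken from any of the posts: it shows what the "[/ping ... count=4]<3" test actually compares, adds a failure counter so a single lost probe (or a rekey in progress) does not flush working SAs, and notes what a scheduler entry needs in order to run it. It assumes a peer LAN address of 10.0.1.2 and the script name ipsec-watchdog, both made up for the example.

```routeros
# Added example, not from the thread. RouterOS 6 script syntax.
# [/ping <addr> count=N] returns the number of echo replies received (0..N),
# so "< 3" with count=4 means "fewer than 3 of the 4 probes were answered".
:local peer 10.0.1.2
:local probes 4
:local failLimit 3

# A global survives between scheduler runs; require failLimit consecutive
# failed checks before flushing so one lost packet does not trigger a flush.
:global ipsecFailCount
:if ([:typeof $ipsecFailCount] != "num") do={ :set ipsecFailCount 0 }

:local replies [/ping $peer count=$probes]
:if ($replies < 3) do={
    :set ipsecFailCount ($ipsecFailCount + 1)
    :log warning ("IPsec watchdog: " . $replies . "/" . $probes . " replies, consecutive failures=" . $ipsecFailCount)
    :if ($ipsecFailCount >= $failLimit) do={
        /ip ipsec installed-sa flush sa-type=all
        :log error "IPsec watchdog: flushed installed SAs"
        :set ipsecFailCount 0
    }
} else={
    :if ($ipsecFailCount > 0) do={ :log info "IPsec watchdog: peer reachable again" }
    :set ipsecFailCount 0
}

# Install the body above under /system script as "ipsec-watchdog" and schedule it:
#   /system scheduler add name=ipsec-watchdog interval=1m on-event=ipsec-watchdog policy=read,write,test
# The policy list matters: /ping needs "test" and the flush needs "write".
# A scheduler entry without them still runs (run-count increases) but the
# commands inside do nothing and no log lines appear.
```

Pasting the body into a terminal runs it with the logged-in user's full rights, which is why a script can appear to work interactively and do nothing from the scheduler.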