MikroTik

Did anyone ever manage to write a script to periodically remove "unreplied" connections from the firewall tracking table.

In the last few months I have seen an increase in this problem, today over 2500 unreplied connections, and whilst these may seem innocent at first, they do seem to stop new connections from being establish all the time they remain in the table.

Are you dropping invalid connections in the forward and input chains?
What is your firewall configuration?

Sent from my SCH-I545 using Tapatalk

anyone?

need help here with a script to run every 5 minutes to delete from tracking table all connections that meet the following criteria.

1: tcp+(!SA)+(!local network ip's)+established

where !SA = assured

Or maybe it just cannot be done!

oh crap!

Cant we use the flags "unreplied" or "!assured"

need help here with a script to run every 5 minutes to delete from tracking table all connections that meet the following criteria.
1: tcp+(!SA)+(!local network ip's)+established

Just out of curiosity: Why do you want to remove established connections?

Regards,

It happens periodically, usually after a night of heavy p2p traffic...

The connection tracking table grows to around 5000 connections and 4000 of those are "unreplied".

It wouldn't bother me but there does seem to be a link to customers complaints for 24 hours afterwards (until the connections drop) that some phone lines appear "dead"...

Its a minor issue but an irritating one, those customers affected often restart their voip ATA devices and then the ATA re-establishes a SIP handshake..

I'm curious why a tcp connection can appear "established" in the conn track table, but at the same time remain "unreplied"

And its these random unexplained "un-replied" connections that seem to hog "port space" and prevent some SIP handshaking.

Sadly it appears that the "unreplied" flag is not usable in a script to periodically flush out these nasties.

I vote hat ver7 should have that option.

Did you try to decrease TCP SYN-timeouts in conntrack settings?

Regards,

yes. no difference.

Post your conntrack settings, please.
What is higher 'timeout' value for unreplied connections shown by Winbox?

Regards,

v5.25 does not have a time out setting for "unreplied" !

v5.25 does not have a time out setting for "unreplied" !

I've asked about shown values: Regards,

currently anything between 30 minutes and 23.40 hrs

curiously my filter is inverted.

I have to filter>

Unreplied is no........................... not yes as would be expected!

Unreplied is no........................... not yes as would be expected!

This bug was fixed year ago, in ROS v.6.0rc6 if I remember correctly.

Post your conntrack settings:

ros code

/ip firewall connection tracking export

Regards,

they are back at the default.

Have you forgotten these are "established" tcp connections with a default 1day timeout.

They have gone through the 4 way handshake protocol but remain "unreplied"

I do not see how any alterations to the tracking values will change anything without also affecting assured established connections.

Decrease 'tcp-established-timeout' to 5 minutes.

Regards,

P.S. I'm going on New Year's party