L2TP problem

antoninn · September 9, 2012, 8:20am

Brand new RB1100AHx2, about 50 L2TP tunnels, nothing nonstandard in configuration, after one day without any problem tunnels suddenly are not able to connect. Log from L2TP server:

07:39:45 l2tp,ppp,info tunnel6: terminating… - could not add address: already have such address (6)

I have sent suppout files to support…

antoninn · September 10, 2012, 7:04am

Another info: when this problem occurs, all dynamic IP addresses of VPN interfaces are marked as “invalid” - so another solution is to manually remove all invalid addresses.

antoninn · September 11, 2012, 1:46pm

Still no answer from support…

antoninn · September 12, 2012, 2:53pm

Another newly created autosupout.rif file sent to support, still without answer. Hey Mikrotik, I am not some kind of fcuknig tester, I am your customer with routers in production environment!

antoninn · September 14, 2012, 12:56pm

Still no answer from support after 6 days, I would like to work in such support… Today I noticed, that similar problem with not-deleted items in addresses exists also in Firewall-Mangle. My VPN connection change MSS and currently I have lot of mangle items in list. It seems that on VPN disconnection address and also mangle items are not deleted correctly.
Is somebody from Mikrotik interested in such kind of information?

antoninn · September 14, 2012, 8:02pm

Few minutes after my last post support sent me an answer to all my mails. Definively it is a bug in L2TP server. When L2TP server crashes, it does not delete assigned IP addresses so later it is not possible to complete connection because L2TP server is not able to insert internal IP into address list.
The only temporary solution is to create scheduled script which periodcally deletes all dynamic and invalid addresses.

gsloop · September 17, 2012, 6:42pm

Yeah, fully understand the frustration. MTK and VPN support is just a bunch of bubble-gum and duct tape, IMO.

But, can you give us a sample of a script that does this?
I’m not clear how you’d implement the script.

antoninn · September 17, 2012, 10:20pm

I configured those VPN on new RB1100AHx2 as a replacement of old x86 based Mikrotik with ROS 3.17 where this configuration worked several years without any hitch, so my dissapointment is very strong. Instead fully functional router I have to scratch my left ear by right hand with the help of scheduled script…

Scheduled script, that removes all dynamic invalid addresses is found here: http://forum.mikrotik.com/t/retrieve-all-ip-addresses-based-on-flags/59488/1

NetworkPro · September 19, 2012, 6:29am

I find it hard to believe this bug still exists? Can I take a look at this setup and config, mate? Send me an e-mail with the WinBox access or write to Skype: hypnologic

antoninn · September 19, 2012, 11:35am

cha cha

seany · September 20, 2012, 6:47am

Oh it still exists. I get it weekly if not more and it’s very frustrating. It fails to remove other stuff like dynamic bridges too. I get this with L2TP clients and I’m also sure I’ve had it with PPP and VRRP. Been affected by this for well over a year and still no fix…

NetworkPro · September 20, 2012, 6:53am

Have you done the usual things? Upgrade bootloader, reset and start from scratch, reinstall with NetInstall and start clean with a sightly different (better) configuration, change x86 hardware platform etc etc. ?

rrestoration · September 20, 2012, 7:18am

L2TP can have problems with firewalls, NATs, and proxies too. In this setup, firewalls need to be configured to allow both the IKE traffic and ESP-encapsulated data. If your VPN client computer is behind a NAT, both the VPN client and the VPN server must support IPsec NAT-Traversal (NAT-T). Note, however, that the VPN server can’t be located behind a NAT, and that L2TP/IPsec traffic can’t flow through a proxy.

http://www.hairtransplantlahore.com

gsloop · September 20, 2012, 8:54pm

Have you done the usual things? Upgrade bootloader, reset and start from scratch, reinstall with NetInstall and start clean with a sightly different (better) configuration, change x86 hardware platform etc etc. ?

Perhaps I’m missing something, but didn’t Mikrotik actually confirm that it’s a known bug/problem and suggest the script as a fix? If so, why are you suggesting they do other stuff to fix the problem when Mikrotik says - “Yeah, known problem.”

[And even if it’s fixed, to have Mikrotik suggest a work-around, rather than suggest a real fix - I’m not sure which is worse?]

-Greg

antoninn · September 20, 2012, 9:01pm

This is what guy from Mikrotik support wrote to me (I suppose after he analyzed suppout.rif file):

At one point l2TP server crashed. And left all addresses unremoved.
We will try to repeat the problem and fix it in the future. But currently you can
add a simple script in scheduler which removes all invalid addresses from your
router.

SiB · November 2, 2013, 5:12am

Hello,
IP Address and Mangle have good marks as Invalid and Dynamic but I use a L2TP with profile who have limit 2/2 and I see that new connection report into logs:
03:42:04 l2tp,ppp,error could not add queue: already have such name (6)
and a queue ARE NOT mark as INVALID, it means I cannot remove it from script without remove other good queue :(.

Case go to Mikrotik Support but you say it’s OLD and KNOW issue - it’s bad for me.
1100AHx2 v5.21.

My current script:
http://forum.mikrotik.com/t/remove-dynamic-invalid-address/61681/1

dannnic · November 18, 2013, 7:08am

@antoninn

I’m planing to configure a similar setup for my client with 50 concurrent connections. Did your issue has been resolved with newer version of firmware or Hardware ?

I hope to use the new RB1100AHx2 with v6.6
really appreciate your suggestions …