propagandhi1983

IPSEC State Sequence Errors

Sun Feb 16, 2014 11:43 am

Can someone explain what the IPSEC in-state-sequence-errors count reflects and how it may be resolved?

I have very high counts for the State sequence errors on my site to site tunnels.

The in-state-sequence-errors count on my routers is upwards of 70,000.

The tunnels are working but terribly slow and file transfers are erratic.

My setup is IPSec in transport mode between the WAN IPs and then EOIP tunnels on top of IPSec.

I have tried adjusting the MTU of the EOIP tunnel as far down as 1300 and as far up as 1600 with no effect. If I remove IPSEC policies to encrypt the data the speed is fantastic.

Any help would be greatly appreciated.
 

Re: IPSEC State Sequence Errors

Mon Feb 17, 2014 1:31 am

Can you post your config?
 
propagandhi

Re: IPSEC State Sequence Errors

Mon Feb 17, 2014 2:16 am

Can you post your config?
I have attached the config below. Hopefully by obscuring the comments and IPs I haven't made it too messy for you to understand.

Please let me know if you need further explanation.
# RouterOS export as posted by the thread author, with site comments and
# public addresses obscured. Lines prefixed NOTE(review) were added while
# reading it; the exported statements themselves are left exactly as posted.
/interface bridge
add name=lobridge protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] comment=\
    "PRIMARY WAN IP 111.233.211.66" name=ether1-WANIP

set [ find default-name=ether4 ] comment="LAN NETWORK - 192.168.0.250" \
    name=ether4-LAN
set [ find default-name=ether5 ] comment="NEW TEN RANGE IP" name=\
    ether5-TenRangeIP
set [ find default-name=ether11 ] arp=proxy-arp auto-negotiation=no

# NOTE(review): EOIP-Site2 is set to mtu=1550 and EOIP-Site3 to mtu=1420.
# If the WAN side carries ordinary 1500-byte frames (not shown here), adding
# ESP transport-mode overhead on top of GRE/EOIP encapsulation will likely
# fragment larger frames; the disabled change-mss rules under
# /ip firewall mangle suggest this was being experimented with. Measure the
# effective path MTU rather than sweeping values.
/interface eoip
add mac-address=02:F6:60:54:A4:72 mtu=1550 name=EOIP-Site2 \
    remote-address=111.234.211.67 tunnel-id=254
add mac-address=02:7C:97:31:03:03 name=EOIP-Site4 remote-address=\
    111.235.211.68 tunnel-id=922
add mac-address=02:0E:8D:07:1A:95 mtu=1420 name=EOIP-Site3 \
    remote-address=111.236.211.69 tunnel-id=22
/ip neighbor discovery
set ether1-WANIP comment="WAN IP"

set ether4-LAN comment="LAN NETWORK"
set ether5-TenRangeIP comment="NEW TEN RANGE IP"
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
# NOTE(review): the default proposal is 3DES, IPSECMD5 uses MD5 integrity with
# pfs-group=none, and every peer further down negotiates dh-group=modp768
# (DH group 1) with hash-algorithm=md5. All of these are considered weak by
# current standards; AES (CBC or GCM) with a SHA-2 hash and a 2048-bit or
# larger DH group is the usual floor. Also, the proposal defined here is
# "MyPolicy128" while the Site 4 policy below references "Policy128" -- this
# may be an obscuring slip, but if it is in the live config that policy has
# no matching proposal.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
add enc-algorithms=aes-256-cbc name=MyProposal
add name=MyPolicy128
add auth-algorithms=md5 name=IPSECMD5 pfs-group=none

/routing ospf instance
set [ find default=yes ] redistribute-connected=as-type-1 \
    redistribute-static=as-type-1 router-id=10.255.255.22
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=5000
# NOTE(review): L2TP and PPPoE accept pap,chap, and the PPTP server is
# enabled. PAP sends credentials in clear and PPTP's authentication is
# widely regarded as broken; unless these are deliberately in use they are
# worth disabling or restricting to the TrustedIPS ranges.
/interface l2tp-server server
set authentication=pap,chap default-profile=default enabled=yes
/interface pppoe-server server
add authentication=pap,chap default-profile=MyL2tp disabled=no interface=\
    ether1-WANIP max-mru=1280 max-mtu=1280 service-name=MyHome
/interface pptp-server server
set enabled=yes
# NOTE(review): "EOIP-Site3network=" below looks like a space lost in the
# paste (the same happens on two /mpls ldp interface lines); the live export
# presumably reads "interface=EOIP-Site3 network=...".
/ip address
add address=111.233.211.66/28 comment="PUBLIC IP" interface=\
    ether1-WANIP network=111.233.211.64
add address=192.168.0.250/16 comment="LAN IP" interface=\
    ether4-LAN network=192.168.0.0
add address=10.222.22.254/24 comment="NEW LAN IP" interface=\
    ether4-LAN network=10.222.22.0
add address=10.255.255.22/32 comment="Loopback IP for OSPF/MPLS" interface=\
    lobridge network=10.255.255.22
add address=10.255.254.81/30 comment="ROUTER IP TO HOME" disabled=yes \
    interface=EOIP-HOME network=10.255.254.80
add address=10.255.254.85/30 comment="ROUTER IP TO SITE 2" interface=\
    EOIP-Site2 network=10.255.254.84
add address=10.255.254.97/30 comment="Router IP to site 3" interface=\
    EOIP-Site3network=10.255.254.96
add address=10.255.254.62/30 comment="Router IP to site 4" interface=\
    EOIP-Site4 network=10.255.254.60

/ip firewall address-list
add address=192.168.0.0/16 list=LAN
add address=172.20.0.0/16 list=TrustedIPS
add address=10.222.0.0/16 comment="TEN RANGE LAN" list=TrustedIPS
add address=10.255.255.0/24 comment="LOOPBACK IPS" list=TrustedIPS
add address=10.230.0.0/16 comment="REMOTE Minor site Branches" list=TrustedIPS
add address=10.221.0.0/16 comment="SITE 2  LAN" list=TrustedIPS
add address=192.168.0.0/16 list=TrustedIPS
add address=10.255.254.0/24 comment="OSPF ROuter Network" list=TrustedIPS
add address=111.234.211.67 comment=Site2PublicIP list=TrustedIPS
add address=111.235.211.68 comment="Site4 Public IP" \
    list=TrustedIPS
add address=10.230.90.0/24 comment="Site 4 lan range" list=TrustedIPS
/ip firewall connection tracking
set enabled=yes generic-timeout=3m tcp-established-timeout=8h
# NOTE(review): filter rules are evaluated top-down. The two
# connection-state=invalid drops at the end sit after the unconditional
# "DROP ALL ELSE" drops, so they can never match; they only take effect if
# moved above the established/related accepts. The first rule also accepts
# ICMP to the router from any source.
/ip firewall filter
add chain=input protocol=icmp
add chain=forward comment="Established/Related Traffic" connection-state=\
    established
add chain=forward connection-state=related
add chain=input connection-state=established
add chain=input connection-state=related
add chain=input comment="ALLOWED IP LISTS" src-address-list=TrustedIPS
add chain=forward src-address-list=TrustedIPS
add action=drop chain=input comment="DROP ALL ELSE"
add action=drop chain=forward
add action=drop chain=input connection-state=invalid
add action=drop chain=forward connection-state=invalid
/ip firewall mangle
add action=change-mss chain=forward disabled=yes new-mss=1300 out-interface=\
    EOIP-MyHome passthrough=no protocol=tcp tcp-flags=syn
add action=clear-df chain=input disabled=yes dst-address=10.230.83.0/24
add action=change-mss chain=forward disabled=yes new-mss=1350 out-interface=\
    EOIP-Site3 passthrough=no protocol=tcp tcp-flags=syn tcp-mss=\
    !0-1350
add action=change-mss chain=forward disabled=yes new-mss=1350 out-interface=\
    EOIP-Site2 passthrough=no protocol=tcp tcp-flags=syn tcp-mss=\
    !0-1350
/ip firewall nat
add chain=srcnat disabled=yes dst-address=10.230.0.0/16 src-address=\
    192.168.0.0/16
add chain=srcnat dst-address=10.221.0.0/16
add action=masquerade chain=srcnat out-interface=ether1-WANIP
# NOTE(review): all three peers use exchange-mode=main-l2tp with a
# pre-shared secret (placeholder shown) and the weak algorithms noted above.
# The Site 4 peer (and its policy below) is 111.235.211.70, while EOIP-Site4
# and the TrustedIPS entry use 111.235.211.68; unless that is an obscuring
# artefact, Site 4 EOIP traffic would not be covered by this peer's SA.
/ip ipsec peer

add address=111.236.211.69/32 comment="Site 3" dh-group=modp768 \
    dpd-interval=30s dpd-maximum-failures=2 exchange-mode=main-l2tp \
    hash-algorithm=md5 lifetime=1h my-id-user-fqdn=111.233.211.66 secret=\
    "\$#ipsec_password\$#"
add address=111.234.211.67/32 comment=Site2 dh-group=modp768 \
    dpd-interval=30s dpd-maximum-failures=2 exchange-mode=main-l2tp \
    hash-algorithm=md5 lifetime=1h my-id-user-fqdn=111.233.211.66 secret=\
    "\$#ipsec_password\$#"
add address=111.235.211.70/32 comment=Site4 dh-group=modp768 \
    dpd-interval=30s dpd-maximum-failures=2 exchange-mode=main-l2tp \
    hash-algorithm=md5 lifetime=1h my-id-user-fqdn=111.233.211.66 secret=\
    "\$#ipsec_password\$#"

# NOTE(review): "HERE TO SITE 3" and "HERE TO SITE 2" have identical
# selectors (both 111.234.211.67), so the second is shadowed and no policy
# here selects Site 3's address 111.236.211.69 used by EOIP-Site3 and the
# Site 3 peer. Possibly a paste/obscuring error -- confirm against the live
# export. No protocol= is set, so these transport-mode policies cover all
# traffic between the two WAN addresses, including the GRE-encapsulated
# EOIP packets. As far as I know, in-state-sequence-errors on an SA is the
# anti-replay counter (ESP sequence numbers arriving outside the replay
# window), which loss or reordering of the encapsulated stream drives up;
# verify against the RouterOS documentation for the version in use.
/ip ipsec policy
add comment="HERE TO SITE 3" dst-address=111.234.211.67/32 proposal=\
    IPSECMD5 sa-dst-address=111.234.211.67 sa-src-address=\
    111.233.211.66 src-address=111.233.211.66/32
add comment="HERE TO SITE 2" dst-address=111.234.211.67/32 proposal=\
    IPSECMD5 sa-dst-address=111.234.211.67 sa-src-address=\
    111.233.211.66 src-address=111.233.211.66/32
add comment="HERE TO SITE 4" dst-address=111.235.211.70/32 proposal=\
    Policy128 sa-dst-address=111.235.211.70 sa-src-address=\
    111.233.211.66 src-address=111.233.211.66/32

/ip route
add distance=1 dst-address=10.255.255.1/32 gateway=192.168.122.251
add distance=1 dst-address=172.20.0.0/16 gateway=192.168.22.254
add distance=1 dst-address=172.20.220.0/24 gateway=192.168.122.251

# NOTE(review): only the API service is disabled here; the export does not
# show whether telnet, ftp, www, ssh or winbox are still reachable on the
# WAN address. Worth checking, and restricting them to the TrustedIPS ranges.
/ip service
set api disabled=yes
/ip upnp
set allow-disable-external-interface=no
/lcd
set enabled=no touch-screen=disabled
/lcd interface
add interface=ether1-WANIP
add interface=ether4-LAN
add interface=ether6
add interface=ether7
add interface=ether8
add interface=ether9
add interface=ether10
add interface=ether11
add interface=ether12
/lcd interface pages
add interfaces="ether1-WANIP,ether3-SLAVE-HA-\
    PUBLICIPS,ether4-LAN,ether5,ether6,ether7,ether8,ether\
    9,ether10,ether11,ether12"
/mpls interface
set [ find default=yes ] mpls-mtu=1526
/mpls ldp
set lsr-id=10.255.255.22 transport-address=10.255.255.22
/mpls ldp interface
add disabled=yes interface=EOIP-HOMEtransport-address=10.255.255.22
add disabled=yes interface=EOIP-Site2 transport-address=10.255.255.22
add disabled=yes interface=EOIP-Site3transport-address=10.255.255.22
/mpls ldp neighbor
add transport=10.255.255.83
add transport=10.255.255.121
add transport=10.255.255.21

/routing filter
add action=discard chain=ospf-in prefix=10.222.22.0/24

# NOTE(review): OSPF uses MD5 authentication with one shared key
# (placeholder shown) on every interface. The final entry has no
# interface= and therefore presumably applies to all interfaces, including
# the WAN-facing one -- confirm that is intended.
/routing ospf interface
add authentication=md5 authentication-key="\$#ospf_password\$#" interface=\
    lobridge network-type=broadcast
add authentication=md5 authentication-key="\$#ospf_password\$#" interface=\
    ether4-LAN network-type=broadcast
add authentication=md5 authentication-key="\$#ospf_password\$#" interface=\
    EOIP-Site3 network-type=broadcast
add authentication=md5 authentication-key="\$#ospf_password\$#" interface=\
    EOIP-HOME network-type=broadcast
add authentication=md5 authentication-key="\$#ospf_password\$#" interface=\
    EOIP-Site2 network-type=broadcast
add authentication=md5 authentication-key="\$#ospf_password\$#" interface=\
    EOIP-Site4 network-type=broadcast
add authentication=md5 authentication-key="\$#ospf_password\$#" network-type=\
    broadcast
/routing ospf network
add area=backbone network=10.222.22.0/24
add area=backbone network=192.168.122.0/24
add area=backbone network=10.255.254.0/24
add area=backbone network=10.255.255.0/24
add area=backbone network=192.168.0.0/16

/system clock
set time-zone-name=Australia/Sydney
/system identity
set name=CCR1016-12G
/system logging
add disabled=yes topics=pppoe
add disabled=yes topics=ipsec
add disabled=yes topics=e-mail
add action=disk disabled=yes topics=ospf
add disabled=yes topics=l2tp
add action=disk disabled=yes topics=igmp-proxy
add disabled=yes topics=interface
add disabled=yes topics=ppp
add disabled=yes topics=mpls
add disabled=yes topics=packet
add disabled=yes topics=ldp
/system ntp client
set enabled=yes mode=unicast primary-ntp=192.168.22.5 secondary-ntp=\
    192.168.21.5
/system routerboard settings
set cpu-frequency=1200MHz memory-frequency=1066DDR

/tool netwatch
add host=10.221.121.254 interval=30s
add host=10.221.21.254
add host=192.168.22.5
add host=10.230.83.254

 
propagandhi1983

Re: IPSEC State Sequence Errors

Mon Feb 17, 2014 12:53 pm

Strangely enough, getting away from AES altogether has solved my problem completely.

I had tested all types of AES but, silly me, never thought to try any other algorithms.

Problem is solved now. Thanks for offering your help
 
rickfrey

Re: IPSEC State Sequence Errors

Mon Feb 17, 2014 7:45 pm

Glad to hear that :D
