connection tracking and ICMP

I have a strange behavior in connection tracking related to ICMP.

I will try to explain.

I have a router RB493 FW version 4.16 that is connected to a network using two different interfaces: WAN and PPP.

I check the availability of the connections using ping, so I’m able to do a failover between these two interfaces.

The ping is directed to each interface using mangle.
I use a packet size = 128 to ping using PPP interface
I use a packet size = 90 to ping using PPP interface

These are the mangle rules that I use.

/ip firewall mangle
add action=mark-routing chain=output disabled=no dst-address=10.1.2.3 \
    new-routing-mark=ck_wan packet-size=128 passthrough=yes protocol=icmp \
    comment="mangle wan"
add action=mark-routing chain=output disabled=no dst-address=10.1.2.3 \
    new-routing-mark=ck_ppp packet-size=90 passthrough=yes protocol=icmp \
    comment="mangle ppp"

I have a special route for each of these mangled packets:
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 \
    routing-mark=ck_wan scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.1 \
    routing-mark=ck_ppp scope=30 target-scope=10

I have also connection tracking enabled.
I focus on the tracking of ICMP.

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s

Everything functions perfectly until you have a ping timeout on the ping using the WAN interface.

Consider this situation:
WAN interface unable to reach my ping-host
PPP interface able to reach my ping-host


If I start pinging to the WAN interface
ping 10.1.2.3 size=128
10.1.2.3 ping timeout

After this I have to wait 10 seconds for the ping to succeed using the PPP interface.
90 byte ping: ttl=121 time=201 ms

Before the 10 seconds have passed I’m not able to ping successfully.

I think that connection tracking keeps track of the route that I used to ping when I had the problem.
In case of a ping timeout, the router doesn’t use the route I defined until the connection tracking timeout finishes.

Is this normal behavior?
Might I have a problem in NAT if I reduce the icmp-timeout in connection tracking to 1 sec?

Any suggestions are welcome.

I noticed something similar. A repeating ping will keep the icmp “connection” alive in connection tracking, and actually increase the timeout. Where I would expect the timeout to count down, it actually goes up. I watched this rise to ten minutes of timeout. Stop the ping, and the connection disappears within the expected timeout (10 seconds) despite the connection tracker claiming there’s about ten minutes left. Is this normal?