Connectivity Issue Between Mikrotik and Microsoft Azure

Dear Technical Support,

I hope this email finds you well. I am facing a connectivity issue between our Mikrotik router and Microsoft Azure in a site-to-site VPN configuration and would like to request assistance in resolving this matter.

The scenario is as follows: We use Mikrotik as the core of our network, responsible for establishing a site-to-site VPN with Microsoft Azure. The problem occurs sporadically when our internal network loses the ability to communicate with the Azure network. It is important to note that the VPN remains in the “UP” state, indicating that the connection is still active.

The only temporary solution we have found to restore communication between the networks is to reboot the Mikrotik. After the reboot, the networks can communicate normally again.

To try to address this situation, we have taken the following steps:

Updated the Mikrotik’s operating system.
Updated the Mikrotik’s firmware.
Verified the absence of memory and processing overload on the Mikrotik.

However, the issue persists, and we are seeking a permanent solution to prevent interruptions in communication between the internal networks and the Azure network.

We kindly request your assistance in identifying the root cause of this problem and implementing a solution that ensures the stability of the VPN connection between Mikrotik and Azure.

Best to open ticket with support@mikrotik.com.
They don’t read all threads here.

Also, you did not specify exactly how you make the connection to Azure. I assume IPsec site-to-site? Or BGP?
What Mikrotik device are you using ?
Which ROS version ?

I have a couple of mAP devices and 1 AC3, all running ROS 7 and using IPsec to connect to Azure, and they run for months without any problem.

Best to provide more info: a diagram can help, and export your config.
Post it between code tags, leaving out the serial number and any secret keys.
Also make sure to specify the Azure side of your connection.

hi there,

I'm currently using an RB750Gr3 running MikroTik RouterOS 6.49.6.

The tunnel is set using IPSec site-to-site.

Here is the IPsec configuration:

sep/01/2023 16:44:07 by RouterOS 6.49.6

software id = 9WPQ-8VKS

model = RB750Gr3

serial number =

# --- IPsec (IKEv2) towards Azure, exported from RouterOS 6.49.6 ---
# Phase 1 (IKE SA) parameters. nat-traversal=no is consistent with the tunnel
# coming UP, so it is not the cause of the outage.
# NOTE(review): dh-group=modp1024 (DH group 2) and 3des are legacy choices, and
# hash-algorithm is not shown, so the ROS default (sha1) presumably applies.
# Azure route-based gateways also accept modp2048 (DH14) and SHA-256, so the weak
# options can be removed from both ends -- confirm against the Azure connection's
# IPsec/IKE policy before changing either side.
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256,3des name=vpn-azure
nat-traversal=no
# Azure gateway public address and the fixed WAN address this router initiates from.
# Pinning local-address means the peer will not re-establish if the WAN address
# ever changes; worth checking after any ISP-side renumbering.
/ip ipsec peer
add address=20.226.29.50/32 exchange-mode=ike2 local-address=177.159.203.226
name=AzureBrazilSouth profile=vpn-azure
# Phase 2 (child SA) parameters. pfs-group=none disables perfect forward secrecy
# on the child SAs; Azure's default policy set accepts PFS None, so keep both ends
# in sync if this is tightened. sha1 and 3des are the weakest entries here and can
# be dropped once the Azure side no longer offers them.
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=
aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-128-cbc,3des name=Azure-Proposal
pfs-group=none
# Pre-shared-key authentication for the peer. The value appears to be a
# placeholder; if it is the real PSK it should be rotated now that it was posted.
/ip ipsec identity
add peer=AzureBrazilSouth secret="MySecret"
# Traffic selectors: two local subnets towards the whole Azure 10.0.0.0/16.
# RouterOS evaluates these policies after src-nat, so every src-address listed here
# needs a matching accept (bypass) rule in /ip firewall nat chain=srcnat placed
# before the masquerade rule; otherwise the packet is translated to the WAN
# address, matches no policy and follows the default route instead of the tunnel.
# In the firewall export posted alongside, only 192.168.1.0/24 and 10.1.0.0/24
# have such a bypass -- 172.16.0.0/29 does not, so the second policy is probably
# never matched. Confirm against /ip ipsec policy print (the "active" flag).
/ip ipsec policy
add dst-address=10.0.0.0/16 peer=AzureBrazilSouth src-address=192.168.1.0/24
tunnel=yes
add dst-address=10.0.0.0/16 peer=AzureBrazilSouth src-address=172.16.0.0/29
tunnel=yes


Here is the firewall configuration:

sep/01/2023 16:47:00 by RouterOS 6.49.6

software id = 9WPQ-8VKS

model = RB750Gr3

serial number = CC210E834868

# --- Firewall, exported from RouterOS 6.49.6 ---
# sip-register: SIP endpoints matched by the mangle rules below.
# local-addresslist: subnets treated as "inside". NOTE(review): 10.0.0.0/24 lies
# inside the Azure range 10.0.0.0/16 that the IPsec policies and the filter rules
# below treat as the remote side; if 10.0.0.0/24 is also a locally attached subnet
# the two overlap -- confirm which side owns it.
# The lists blacklist, bad_ipv4, bad_src_ipv4 and bad_dst_ipv4 referenced below are
# not part of this export; if they are empty, the rules using them are no-ops.
/ip firewall address-list
add address=192.168.1.4 list=sip-register
add address=172.16.0.100 list=sip-register
add address=10.0.0.0/24 list=local-addresslist
add address=192.168.1.0/24 list=local-addresslist
add address=172.16.0.0/29 list=local-addresslist
# Both catch-all drops are disabled=yes, so input and forward fall through to the
# implicit accept: anything not explicitly dropped further down (Winbox 8291 from
# non-local sources, the blacklist, a few ports towards 192.168.1.0/24 and invalid
# forward connections) reaches the router and the LANs. Re-enable equivalents as the
# last rules of their chains once the accept rules are confirmed complete.
# log-prefix=temp has no effect without log=yes.
/ip firewall filter
add action=drop chain=input comment="DEFAULT POLICIES" disabled=yes dst-port=
!443 log-prefix=temp protocol=tcp src-address-list=!local-addresslist
add action=drop chain=forward disabled=yes src-address-list=
!local-addresslist
add action=accept chain=output
# VoIP subnet 172.16.0.0/29 may reach and be reached from anywhere in forward.
add action=accept chain=forward comment="ALLOW VOIP NETWORK" dst-address=
172.16.0.0/29
add action=accept chain=forward src-address=172.16.0.0/29
# 10.1.0.0/24 is presumably the client-VPN pool (its server config is not shown).
add action=accept chain=input comment="ALLOW CLIENT VPN CONNECTIONS"
src-address=10.1.0.0/24
add action=accept chain=forward src-address=10.1.0.0/24
add action=accept chain=forward dst-address=10.1.0.0/24
# Azure 10.0.0.0/16 in both directions through the router, plus router-originated.
add action=accept chain=forward comment="ALLOW AZURE VPN CONNECTIONS"
src-address=10.0.0.0/16
add action=accept chain=forward dst-address=10.0.0.0/16
add action=accept chain=output dst-address=10.0.0.0/16
# NOTE(review): this matches only on the remote *source* port, which the remote
# end chooses, so it admits any TCP connection to any router service from any
# address. If it was meant to admit replies to the router's own HTTPS sessions,
# connection tracking already covers that; replace it with
#   add action=accept chain=input connection-state=established,related
# near the top of the chain and remove this rule.
add action=accept chain=input protocol=tcp src-port=443
add action=accept chain=input src-address=10.0.0.0/16
# Inside hosts may reach anything not blacklisted. These accepts sit before the
# "DROP INVALID CONN" rule and the ICMP jump, so traffic from local-addresslist
# never reaches either of them.
add action=accept chain=forward comment="ALLOW INTERNAL CONNECTION"
dst-address-list=!blacklist src-address-list=local-addresslist
add action=accept chain=input dst-address-list=!blacklist src-address-list=
local-addresslist
add action=accept chain=output src-address-list=local-addresslist
# Custom icmp chain: echo reply, destination unreachable (net/host/frag-needed),
# echo request, time exceeded and parameter problem are allowed, the rest dropped.
# It is entered only via the jump from forward below; input ICMP never visits it.
add action=accept chain=icmp comment="ECHO REPLY" icmp-options=0:0 protocol=
icmp
add action=accept chain=icmp icmp-options=3:0 protocol=icmp
add action=accept chain=icmp icmp-options=3:1 protocol=icmp
add action=accept chain=icmp icmp-options=3:4 protocol=icmp
add action=accept chain=icmp icmp-options=8:0 protocol=icmp
add action=accept chain=icmp icmp-options=11:0 protocol=icmp
add action=accept chain=icmp icmp-options=12:0 protocol=icmp
add action=drop chain=icmp
# Management exposure: only Winbox (8291) is blocked from non-local sources; the
# other router services (ssh, telnet, www, api, ...) rely on the disabled default
# drop above and are therefore reachable from the outside.
add action=drop chain=input comment="BLOCK EXTERNAL ROUTER ACCESS" dst-port=
8291 protocol=tcp src-address-list=!local-addresslist
add action=drop chain=forward comment="BLOCK INTERNAL ACCESS" dst-address=
192.168.1.0/24 dst-port=21,22,23,3389 protocol=tcp src-address-list=
!local-addresslist
add action=drop chain=forward comment="DROP INVALID CONN" connection-state=
invalid log=yes log-prefix=invalid
add action=jump chain=forward jump-target=icmp protocol=icmp
# "REDE INTERNA ABC" is the internal LAN interface (Portuguese); this drops
# non-local source addresses arriving from the inside (anti-spoofing).
add action=drop chain=forward comment="DROP UNAUTHORIZADE INTERNET ACCESS"
in-interface="REDE INTERNA ABC" src-address-list=!local-addresslist
add action=drop chain=input comment="DROP IP BLACKLIST" log=yes log-prefix=
blacklist src-address-list=blacklist
add action=drop chain=icmp src-address-list=blacklist
add action=drop chain=forward dst-address-list=blacklist
add action=drop chain=output dst-address-list=blacklist
add action=drop chain=forward log=yes log-prefix=fwd-blacklist
src-address-list=blacklist
# QoS marking: SIP signalling (UDP/5060 towards sip-register) and RTP (UDP
# 10000-20000). The RTP rule is in prerouting with no address constraint, so any
# UDP flow to that port range on any interface receives the "rtp conn" mark.
/ip firewall mangle
add action=mark-connection chain=forward comment="MARK SIP TRAFFIC"
dst-address-list=sip-register dst-port=5060 new-connection-mark=
"sip signalling conn" passthrough=yes protocol=udp
add action=mark-packet chain=forward connection-mark="sip signalling conn"
new-packet-mark="sip packet" passthrough=yes
add action=mark-connection chain=prerouting comment="MARK VOIP TRAFFIC"
dst-port=10000-20000 new-connection-mark="rtp conn" passthrough=yes
protocol=udp
add action=mark-packet chain=prerouting connection-mark="rtp conn"
new-packet-mark="rtp packet" passthrough=yes
# IPsec NAT bypass: Azure-bound traffic must be accepted here before the masquerade
# rule, or it is translated to the WAN address and no longer matches any IPsec
# policy. Only 192.168.1.0/24 and 10.1.0.0/24 are bypassed; 172.16.0.0/29, which
# has an IPsec policy in the posted export and is in local-addresslist, is not, so
# its Azure-bound traffic is masqueraded. Add
#   add action=accept chain=srcnat dst-address=10.0.0.0/16 src-address=172.16.0.0/29
# above the masquerade rule. Conversely 10.1.0.0/24 is bypassed but has no policy in
# the posted IPsec export -- confirm which subnets are meant to use the tunnel.
/ip firewall nat
add action=accept chain=srcnat dst-address=10.0.0.0/16 src-address=
192.168.1.0/24
add action=accept chain=srcnat dst-address=10.0.0.0/16 src-address=
10.1.0.0/24
# dstnat bypass so Azure-originated traffic is not touched by any port forwards.
add action=accept chain=dstnat dst-address=192.168.1.0/24 src-address=
10.0.0.0/16
add action=accept chain=dstnat dst-address=10.1.0.0/24 src-address=
10.0.0.0/16
# Masquerade everything from the inside leaving ether1 (the WAN interface).
add action=masquerade chain=srcnat comment="external internet flow"
out-interface=ether1 src-address-list=local-addresslist
# raw/prerouting. Despite its "DROP BOGON" comment, the first rule is the exception
# (action=accept): it lets DHCP discover/request broadcasts from the internal
# interface list through before the bogon drops that follow.
# log-prefix=raw on the bad_ipv4 destination rule has no effect without log=yes.
/ip firewall raw
add action=accept chain=prerouting comment="DROP BOGON IP ADDRESS"
dst-address=255.255.255.255 dst-port=67 in-interface-list=rede-interna
protocol=udp src-address=0.0.0.0 src-port=67
add action=drop chain=prerouting src-address-list=bad_ipv4
add action=drop chain=prerouting dst-address-list=bad_ipv4 log-prefix=raw
add action=drop chain=prerouting src-address-list=bad_src_ipv4
add action=drop chain=prerouting dst-address-list=bad_dst_ipv4
# Connection-tracking helpers (ALGs) disabled for ftp, h323 and pptp.
/ip firewall service-port
set ftp disabled=yes
set h323 disabled=yes
set pptp disabled=yes


This problem began about a year ago; since then I have been trying to solve it, but none of my attempts have solved the problem.