Hello, I have a problem.

I have a MikroTik RB1100AHx4 Dude Edition router with several IPsec tunnels on it. We have no OSPF or MPLS. From time to time all the traffic in IPsec stops. When I ping, I see status 28 (no space left on device). A reboot solves it, but only for 30 min. Any ideas?

What RouterOS version do you run?

It's 6.44.3.

If I flush all SAs it comes up again and says everything is established, but no traffic goes through IPsec.

What’s at the remote ends of the IPsec connections? Other Mikrotiks or other IPsec implementations, and if the latter, are they the same on all the remote ends or different? “No space left on device” sounds really suspicious to me.

After the reboot, when the lifetime of the first SAs expires after those 30 minutes, what does /ip ipsec statistics print show? Also, post the export of your config, anonymized as per the hint in my automatic signature.

# model = RB1100Dx4
# serial number = 91D309DAFFB7
/interface bridge
add name=LANBRIDGE
/interface ethernet
set [ find default-name=ether2 ] comment=eth2 name=Derb-tun
set [ find default-name=ether4 ] comment=Lan-master name=LAN
set [ find default-name=ether1 ] comment=eth1 name=WAN1
set [ find default-name=ether3 ] comment=eth3 name=WAN2
/interface list
add name=WAN
/ip ipsec peer profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=3des
add dh-group=modp2048,modp1024,modp768 enc-algorithm=des hash-algorithm=md5 name=profile1
add enc-algorithm=aes-128,3des,des hash-algorithm=md5 name=profile2
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des lifetime=0s pfs-group=none
add auth-algorithms=md5,null enc-algorithms=des,null lifetime=0s name=proposal1 pfs-group=none
add auth-algorithms=sha1,md5,null enc-algorithms=3des,des,null lifetime=0s name=proposal2 pfs-group=none
/snmp community
set [ find default=yes ] addresses=192.168.0.0/16,188.64.168.10/32 name=souzspecsnmp
/system logging action
set 0 remember=no target=echo
set 1 disk-lines-per-file=1 disk-stop-on-full=yes
set 2 remember=no
set 3 remote=192.168.49.42 src-address=192.168.49.42
/interface bridge port
add interface=Derb-tun
add bridge=LANBRIDGE interface=LAN
add bridge=LANBRIDGE interface=ether5
add bridge=LANBRIDGE interface=ether6
add bridge=LANBRIDGE interface=ether7
add bridge=LANBRIDGE interface=ether8
add bridge=LANBRIDGE interface=ether9
add bridge=LANBRIDGE interface=ether10
add interface=ether11
add interface=ether12
add interface=ether13
/interface list member
add disabled=yes interface=WAN1 list=WAN
add disabled=yes
/ip address
add address= interface=WAN1 network=
add address= interface=Derb-tun network=
add address= interface=LAN network=
add address= interface=WAN2 network=
/ip dhcp-client
add dhcp-options=hostname,clientid interface=WAN1
/ip dns
set servers=8.8.8.8
/ip firewall address-list
add address=87.237.43.132 list=cosultant_update
add address=109.95.210.185 list=cosultant_update
add address=78.108.192.68 list=cosultant_update
add address=109.74.143.135 list=cosultant_update
add address=77.108.80.111 list=cosultant_update
add address=212.248.27.179 list=cosultant_update
add address=87.237.43.143 list=cosultant_update
add address=85.17.25.215 list=cosultant_update
add address=13.82.101.179 list=cosultant_update
add address=109.238.243.172 list=cosultant_update
add address=192.168.48.0/21 list=remotenet
add address=192.168.1.0/24 list=remotenet
/ip firewall filter
add action=accept chain=input src-address=...
add action=accept chain=input comment="wan access winbox" dst-port=8291 protocol=tcp src-address=...
add action=accept chain=input src-address=...
add action=accept chain=forward comment="accept snat" protocol=tcp src-address=192.168.1.0/24
add action=accept chain=output src-address=192.168.1.0/24
add action=accept chain=output disabled=yes dst-address=192.168.0.0/24 src-address=192.168.1.0/24
add action=accept chain=output disabled=yes dst-address=192.168.48.0/21 src-address=192.168.1.0/24
add action=accept chain=output disabled=yes dst-address=192.168.10.0/24 src-address=192.168.1.0/24
add action=accept chain=input comment="accept related" connection-state=established,related
add action=accept chain=input comment="ipsec input allow" dst-address=192.168.1.0/24 src-address=192.168.48.0/21
add action=accept chain=input src-address=192.168.1.0/24
add action=accept chain=input dst-address=192.168.1.0/24 src-address=192.168.0.0/24
add action=accept chain=input dst-address=192.168.1.0/24 src-address=192.168.10.0/24
add action=accept chain=input dst-address=192.168.1.0/24 src-address=192.168.152.0/24
add action=accept chain=input dst-address=192.168.1.0/24 src-address=192.168.22.0/24
add action=accept chain=input dst-address=192.168.1.0/24 src-address=192.168.28.0/24
add action=accept chain=input dst-address=192.168.1.0/24 src-address=192.168.14.0/24
add action=accept chain=input dst-address=192.168.1.0/24 src-address=192.168.11.0/24
add action=accept chain=input dst-address=192.168.1.0/24 src-address=192.168.15.0/24
add action=accept chain=input dst-address=192.168.1.0/24 src-address=192.168.23.0/24
add action=accept chain=input dst-address=192.168.1.0/24 src-address=192.168.66.0/24
add action=accept chain=input dst-address=192.168.1.0/24 src-address=192.168.3.0/24
add action=accept chain=input dst-address=192.168.1.0/24 src-address=192.168.28.0/24
add action=accept chain=input dst-address=192.168.1.0/24 src-address=192.168.111.0/24
add action=accept chain=input dst-address=192.168.1.0/24 src-address=192.168.19.0/24
add action=accept chain=input dst-address=192.168.1.0/24 src-address=192.168.7.0/24
add action=accept chain=output src-address=192.168.88.1
add action=accept chain=input src-address=46.38.61.194
add action=accept chain=input dst-address=192.168.1.0/24 src-address=192.168.102.0/24
add chain=forward comment="forward related" connection-state=established,related
add action=accept chain=input comment="wan ping allow" protocol=icmp src-address=...
add action=accept chain=input src-address=...
add action=accept chain=forward in-interface=LANBRIDGE protocol=tcp
add action=accept chain=output
add action=accept chain=input src-address=5.101.60.142
add action=drop chain=input disabled=yes
/ip firewall mangle
add action=accept chain=prerouting disabled=yes
add action=accept chain=forward disabled=yes
add action=accept chain=postrouting disabled=yes
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.66.0/24
add action=accept chain=srcnat dst-address=192.168.10.0/24
add action=accept chain=srcnat dst-address=192.168.22.0/24
add action=accept chain=srcnat dst-address=192.168.102.0/24
add action=accept chain=srcnat dst-address=192.168.0.0/24
add action=accept chain=srcnat dst-address=192.168.48.0/21
add action=accept chain=srcnat dst-address=192.168.7.0/24
add action=accept chain=srcnat dst-address=192.168.28.0/24
add action=accept chain=srcnat dst-address=192.168.152.0/24
add action=accept chain=srcnat dst-address=192.168.14.0/24
add action=accept chain=srcnat dst-address=192.168.15.0/24
add action=masquerade chain=srcnat comment=cod-dc0 out-interface=WAN1 src-address=192.168.1.100
add action=dst-nat chain=dstnat comment=smtp2 dst-address=... dst-port=25 in-interface=WAN1 protocol=tcp to-addresses=192.168.1.133 to-ports=25
add action=masquerade chain=srcnat comment=smtp2 out-interface=WAN1 src-address=192.168.1.133
add action=masquerade chain=srcnat comment=cod-wsus1 out-interface=WAN1 src-address=192.168.1.136
add action=dst-nat chain=dstnat comment=smtp1 dst-address=... dst-port=25 in-interface=WAN2 protocol=tcp to-addresses=192.168.1.132 to-ports=25
add action=masquerade chain=srcnat comment=smtp1 out-interface=WAN1 src-address=192.168.1.132
add action=masquerade chain=srcnat comment=konsultant dst-address-list=cosultant_update out-interface=WAN1 src-address=192.168.1.25
add action=masquerade chain=srcnat comment=kemp out-interface=WAN1 src-address=192.168.1.138
add action=dst-nat chain=dstnat comment="kemp in" dst-address=... dst-port=443 in-interface=WAN2 log=yes protocol=tcp to-addresses=192.168.1.140 to-ports=443
add action=dst-nat chain=dstnat comment="kemp in2" dst-address=... dst-port=443 in-interface=WAN1 protocol=tcp to-addresses=192.168.1.140 to-ports=443
add action=masquerade chain=srcnat out-interface=WAN1 src-address=192.168.1.9
add action=dst-nat chain=dstnat dst-address=... dst-port=1194 in-interface=WAN2 protocol=udp to-addresses=192.168.1.145 to-ports=1194
add action=masquerade chain=srcnat out-interface=WAN1 src-address=192.168.1.145
add action=masquerade chain=srcnat out-interface=WAN1 src-address=192.168.1.11
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
/ip ipsec peer
add address=... comment=derb-tunnel profile=profile1
add address=... comment=cod-tel profile=profile1
add address=... comment=lub-sklad profile=profile1
add address=... comment=rz_Beeline profile=profile1
add address=... comment="haltura rinet" profile=profile1 send-initial-contact=no
add address=... comment="podolsk kvarts" profile=profile1
add address=... comment=PD2 profile=profile1
add address=... comment=SRP_TT disabled=yes profile=profile1
add address=... comment=SRP_RINET profile=profile2
add address=... comment=YR_AKADO profile=profile1
add address=... comment=ENT_RINET profile=profile1
add address=... comment=LBR_NBN profile=profile1
/ip ipsec policy
set 0 disabled=yes dst-address=192.168.152.0/24 src-address=192.168.1.0/24
add dst-address=192.168.48.0/21 level=unique proposal=proposal1 sa-dst-address=... sa-src-address=... src-address=192.168.1.0/24 tunnel=yes
add dst-address=192.168.0.0/24 level=unique proposal=proposal1 sa-dst-address=... sa-src-address=... src-address=192.168.1.0/24 tunnel=yes
add dst-address=192.168.10.0/24 level=unique proposal=proposal1 sa-dst-address=... sa-src-address=... src-address=192.168.1.0/24 tunnel=yes
add dst-address=192.168.14.0/24 level=unique proposal=proposal1 sa-dst-address=... sa-src-address=... src-address=192.168.1.0/24 tunnel=yes
add dst-address=192.168.11.0/24 level=unique proposal=proposal1 sa-dst-address=... sa-src-address=... src-address=192.168.1.0/24 tunnel=yes
add dst-address=192.168.15.0/24 level=unique proposal=proposal1 sa-dst-address=... sa-src-address=... src-address=192.168.1.0/24 tunnel=yes
add dst-address=... level=unique proposal=proposal1 sa-dst-address=86.62.118.186 sa-src-address=... src-address=192.168.1.0/24 tunnel=yes
add dst-address=192.168.66.0/24 level=unique proposal=proposal1 sa-dst-address=... sa-src-address=... src-address=192.168.1.0/24 tunnel=yes
add dst-address=192.168.3.0/24 level=unique proposal=proposal1 sa-dst-address=... sa-src-address=... src-address=192.168.1.0/24 tunnel=yes
add dst-address=192.168.28.0/24 level=unique proposal=proposal1 sa-dst-address=... sa-src-address=... src-address=192.168.1.0/24 tunnel=yes
add dst-address=192.168.111.0/24 level=unique proposal=proposal1 sa-dst-address=... sa-src-address=... src-address=192.168.1.0/24 tunnel=yes
add dst-address=192.168.19.0/24 level=unique proposal=proposal1 sa-dst-address=... sa-src-address=... src-address=192.168.1.0/24 tunnel=yes
add comment="shveka wait" dst-address=192.168.102.0/24 level=unique proposal=proposal1 sa-dst-address=... sa-src-address=... src-address=192.168.1.0/24 tunnel=yes
add dst-address=192.168.7.0/24 level=unique proposal=proposal1 sa-dst-address=... sa-src-address=... src-address=192.168.1.0/24 tunnel=yes
add dst-address=192.168.22.0/24 level=unique proposal=proposal2 sa-dst-address=... sa-src-address=... src-address=192.168.1.0/24 tunnel=yes
add disabled=yes dst-address=192.168.48.0/21 level=unique proposal=proposal1 sa-dst-address=... sa-src-address=... src-address=192.168.152.0/24 tunnel=yes
add disabled=yes dst-address=192.168.152.0/24 level=unique proposal=proposal1 sa-dst-address=... sa-src-address=... src-address=192.168.48.0/21 tunnel=yes
/ip proxy
set max-cache-object-size=1KiB max-cache-size=none
/ip route
add check-gateway=ping distance=9 gateway=...%WAN1 scope=28 target-scope=14
add distance=10 gateway=..*.*WAN2 target-scope=15
add distance=1 dst-address=192.168.1.0/24 gateway=WAN2
add check-gateway=ping disabled=yes distance=1 dst-address=192.168.1.0/24 gateway=WAN1



Remote devices are mostly D-Link DFL-860E. They all say that both IKE and SA are established, but no traffic goes through. If you flush, it establishes again but still no traffic until reboot.

First of all I don’t like your firewall rules as in chain=input you have disabled the final “drop the rest” rule so currently anyone can connect to all the management interfaces listening on WAN - http, telnet, winbox, ssh…

Next, I suspect the renewal of the SAs to fail between the Mikrotik and the D-links. In the past Mikrotik had a problem that sometimes the key renegotiation ended up with different encryption and authentication keys on each side so the packets were being sent but the recipient was dropping them; that’s why I’ve asked you to post the output of /ip ipsec statistics print. Ideally, print it during the first 20 minutes while it still works, and then again when the first re-negotiation takes place and the data stop flowing through the SAs.

Also /ip ipsec installed-sa print where src-address~"ip.of.one.peer" or src-address~"ip.of.one.peer" should show you packet and byte counts in both directions while it works, but only in the 1100->Dlink direction while it doesn't.
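The check the previous reply describes (counters moving in both directions while the tunnel works, in only the 1100->Dlink direction once rekeying has gone wrong) can be automated by comparing two pasted copies of the installed-sa output. The script below is an added example for this thread, not code from the forum posts or from MikroTik: the two snapshots are constructed, the router address 198.51.100.10 and the peer addresses are placeholders, and the field names src-address, dst-address, spi and current-packets are assumed to match what RouterOS 6.x prints (check them against your own box before relying on it). It also goes slightly beyond the reply by handling a rekey between the two snapshots, where a fresh SPI starts counting from zero.

```python
"""Compare two snapshots of '/ip ipsec installed-sa print' and flag peers whose
SAs carry traffic in only one direction (the symptom discussed in this thread).
Added example, not MikroTik code; output field names are an assumption."""
import re

# Constructed: the router's own public address (its sa-src-address in the policies).
LOCAL_WAN = "198.51.100.10"

# Constructed first snapshot: peer .5 and peer .77 both pass traffic both ways.
SNAPSHOT_T0 = """\
Flags: A - AH, E - ESP
 0  E spi=0x1A2B3C src-address=198.51.100.10 dst-address=203.0.113.5 auth-algorithm=md5 enc-algorithm=des current-bytes=120000 current-packets=1500
 1  E spi=0x4D5E6F src-address=203.0.113.5 dst-address=198.51.100.10 auth-algorithm=md5 enc-algorithm=des current-bytes=98000 current-packets=1300
 2  E spi=0x7A8B9C src-address=198.51.100.10 dst-address=203.0.113.77 auth-algorithm=md5 enc-algorithm=des current-bytes=50000 current-packets=600
 3  E spi=0xAABBCC src-address=203.0.113.77 dst-address=198.51.100.10 auth-algorithm=md5 enc-algorithm=des current-bytes=40000 current-packets=500
"""

# Constructed second snapshot, a few minutes later: peer .5 keeps its SPIs and
# counts up both ways; peer .77 has rekeyed (new SPIs) and only the outbound
# SA moves, i.e. we send but the D-Link side never sends anything back.
SNAPSHOT_T1 = """\
Flags: A - AH, E - ESP
 0  E spi=0x1A2B3C src-address=198.51.100.10 dst-address=203.0.113.5 auth-algorithm=md5 enc-algorithm=des current-bytes=136000 current-packets=1700
 1  E spi=0x4D5E6F src-address=203.0.113.5 dst-address=198.51.100.10 auth-algorithm=md5 enc-algorithm=des current-bytes=110000 current-packets=1450
 2  E spi=0xDDEEFF src-address=198.51.100.10 dst-address=203.0.113.77 auth-algorithm=md5 enc-algorithm=des current-bytes=21000 current-packets=250
 3  E spi=0x112233 src-address=203.0.113.77 dst-address=198.51.100.10 auth-algorithm=md5 enc-algorithm=des current-bytes=0 current-packets=0
"""

_SA_LINE = re.compile(r"^\s*\d+\s+[A-Z ]*\s*spi=")  # an SA row: index, flags, then spi=
_KV = re.compile(r"(\S+?)=(\S+)")                    # key=value tokens on that row


def parse_installed_sa(text):
    """Return one dict per SA row; the Flags legend and blank lines are skipped.
    The two counters are converted to int (0 if the field is missing)."""
    sas = []
    for line in text.splitlines():
        if not _SA_LINE.match(line):
            continue
        sa = dict(_KV.findall(line))
        for key in ("current-bytes", "current-packets"):
            sa[key] = int(sa.get(key, 0))
        sas.append(sa)
    return sas


def per_peer_deltas(snap0, snap1, local):
    """Packet-count growth per remote peer, split into 'out' (local -> peer) and
    'in' (peer -> local).  An SPI absent from the first snapshot was installed
    by a rekey in between, so its whole counter counts as growth."""
    before = {sa["spi"]: sa["current-packets"] for sa in parse_installed_sa(snap0)}
    totals = {}
    for sa in parse_installed_sa(snap1):
        if sa["src-address"] == local:
            peer, direction = sa["dst-address"], "out"
        elif sa["dst-address"] == local:
            peer, direction = sa["src-address"], "in"
        else:
            continue  # not one of this router's own SAs
        now, prev = sa["current-packets"], before.get(sa["spi"], 0)
        delta = now - prev if now >= prev else now  # counter reset: treat as fresh
        totals.setdefault(peer, {"out": 0, "in": 0})[direction] += delta
    return totals


def one_way_peers(snap0, snap1, local):
    """Peers we are sending to but hearing nothing from between the snapshots."""
    return sorted(p for p, d in per_peer_deltas(snap0, snap1, local).items()
                  if d["out"] > 0 and d["in"] == 0)


if __name__ == "__main__":
    for peer, d in per_peer_deltas(SNAPSHOT_T0, SNAPSHOT_T1, LOCAL_WAN).items():
        print(f"{peer}: out +{d['out']} packets, in +{d['in']} packets")
    print("one-way peers:", one_way_peers(SNAPSHOT_T0, SNAPSHOT_T1, LOCAL_WAN))
```

Take the two prints a few minutes apart while the tunnels still work, and again after the first lifetime expiry; a peer that shows up as one-way while the D-Link still reports IKE and SA as established is the pattern described above, where both sides believe the rekey succeeded but the inbound packets are being discarded.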