I am facing IPSEC tunnel connections that sometimes show up as UNREPLIED in the connection list and sit there unreplied until the connection is manually deleted. I tried several tracking settings hoping that Unreplied connections would just time out, but I failed.
The timeout counter (as seen in Winbox) decrements from 59 seconds down to 48-49 and is reset to 59 again, keeping the connection live forever, thus preventing a viable re-connection on the VPN tunnel from occurring.
I think they are related. To solve the problem I have already covered one step with a 1-line script that flushes the SAs if the remote network doesn’t respond. But it wasn’t enough, as I have noticed that from time to time the IPSEC connection is Unanswered for some reason, and until it is deleted, it sits there forever preventing a good connection from occurring. I thought maybe adjusting the timeouts would purge connections that have a U status after, say, 10 seconds.
I fought with ipsec for months and finally gave up on it. I don’t know if it’s a bug in RouterOS or just the way it works … too shifty for me : ) Always having to reboot / flush / disable-enable…
I am running lots of IPsec tunnels between RouterOS machines now for a loooong time, and rarely ever have a problem with them. I think I only once needed to “do the flush” on a single tunnel.
The only other thing that got me some weeks ago was upgrading from 2.7.x to 2.9.34 - the IPsec config got so screwed up only a “system reset” would help…
With tunnels that you have problems with, you can configure in MANUAL not in IKE mode; with manual you can avoid some dropping since phase 1 will not negotiate but is statically configured. I used to have a problem with some Multitech VPN Routers RF550 in IKE mode, but with MANUAL the problem was not occurring, so I hope this can help you.
Thank you guys for the feedback. Although I am in the same mood as Sam, since I have been facing the same trouble for 3 months, I want to give a last chance to IPSEC, at least on MT.
Fatonk, I am not sure where I can change the setting from IKE to manual. I’ve been searching (in Winbox) all the menus, without any clue on where to change from IKE to manual. Do you mean manual SAs?
I tried manual SAs for one night and found the infamous Unreplied connection in the connection list display the next day. Deleting it manually led to a correct reconnection. Thus my thread title:
Is there a way to time out UNREPLIED connections? I tried all kinds of settings in the tracking settings but did not find my way. Deleting Unreplied connections after a timeout could help on other occasions and also would maintain a cleaner system.
Sorry that didn’t work. Post your IPsec configuration, and maybe we will find something there. I have a lot of IKE IPsec between Mikrotik and also between Mikrotik and Cisco and have no problem like yours.
I haven’t had either a disconnection of the tunnel or an Unreplied one for 3 days, still on manual mode. May the problem be fixed? I’ll let you know.
Just to let you know where my experiments lead me:
The IPSEC tunnels seem to be stable, or at least to reconnect themselves, since the Generic Timeout was set to 10 seconds instead of the default value (10 minutes?) in the connection tracking. This setting seems to delete Unreplied connections after 10 seconds and thus allow new ones to occur.
I am not sure that this is the optimal solution, but it works.
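The connection-tracking change described in the post above, together with the manual cleanup steps the thread mentions (flushing the SAs when the remote side stops answering, and removing the "U" entries from the tracker after a reboot), as an added RouterOS CLI example that is not from any poster in this thread. Assumptions: RouterOS CLI syntax of the v5/v6 era; `192.0.2.1` is a placeholder for the remote tunnel endpoint; the `protocol=ipsec-esp` and `seen-reply=no` filter terms are assumed to be the CLI names of the protocol and of the "U" (unreplied) flag shown in Winbox.

```routeros
# Added example, not from the thread. Assumptions are marked below.

# 1. Default behaviour: connection entries for protocols without a dedicated
#    tracker (ESP, AH, GRE, ...) are kept for 10 minutes, and every
#    retransmitted packet refreshes the counter, so an entry that never sees
#    a reply can stay alive indefinitely.
/ip firewall connection tracking set generic-timeout=10m

# 2. The setting the thread converged on: expire such entries after 10 s.
#    This is global, so it shortens the lifetime of every generic-protocol
#    connection, not only the IPsec ones.
/ip firewall connection tracking set generic-timeout=10s

# 3. Inspect what is tracked for ESP (assumption: protocol name "ipsec-esp"),
#    and look at the flag column for entries that never saw a reply.
/ip firewall connection print where protocol=ipsec-esp

# 4. Cleanup script, paste as /system script "ipsec-cleanup".
#    Only acts when the remote endpoint (placeholder 192.0.2.1) stops
#    answering, because flushing SAs forces a full renegotiation.
:if ([/ping 192.0.2.1 count=3] = 0) do={
    /ip ipsec installed-sa flush sa-type=all
    # assumption: "seen-reply=no" selects the entries Winbox flags "U"
    /ip firewall connection remove [find protocol=ipsec-esp seen-reply=no]
}

# 5. Run the cleanup every 5 minutes.
/system scheduler add name=ipsec-cleanup interval=5m on-event=ipsec-cleanup
```

Two points worth checking before relying on this: `generic-timeout` also governs GRE and other non-TCP/UDP/ICMP traffic that crosses the router, so a very short value can break those if their packets are sparse; and the ping condition keeps the script from flushing healthy tunnels, which an unconditional scheduled flush would do every time it ran.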
Sorry for the thread revival. Today I had to reboot my core router (bad UPS, moved to another one). Once the router came back up I was having trouble with customers that use IPSEC. Everything else was perfect.
I had 4 separate customers who had tunnels that would not connect, pulled my hair out all day. After digging everywhere I found unreplied connections in tracker and terminated them and the tunnels all came back up. Anyone know what happened?
I don’t have anything to do with the tunnels, they just traverse over my network (tunnels start on LAN side of cust CPE and traverse out to the internet).
I am running 5.11 on the core router in question (RB1100x2)
No one has had this happen? I now have a fear that if for some reason my core router needs to be rebooted, I have to torch all ipsec connections that customers have to verify they all came back up. If they haven’t, off to connection tracking to try to manually kill the “U” Unreplied connections.