IPSec Flushing SA

Hi All,

Maybe this issue has been discussed before. I can't find any related topic about it. Is there any possibility to flush an individual installed SA instead of flushing all of them? During troubleshooting I often need to flush an individual SA manually. Thanks a lot.


Ufuk Guler

Unfortunately it is not possible. You can only flush all SAs.

Enabling Dead Peer Detection (DPD) really helped me when testing IPSec with Mikrotik. Restarting the remote router will flush just the SA of that peer.

Regards,

Hi,

Thank you all for your replies. Flushing all SAs will affect other working VPN connections on the device. On the other hand, all other VPN peers will be forced to start policy negotiation from the beginning, and then device CPU usage will increase momentarily. DPD is a good solution, but rebooting the far end router only for this purpose will affect customer services which are not related to VPN. I hope a newer RouterOS release will have this valuable feature.

Ufuk Guler

DPD is a good solution, but rebooting the far end router only for this purpose will affect customer services

Why do you need to reboot the router when DPD is enabled?

Hi,

Thanks for the clarification. You are right. We don't need to reboot the far end device. I wrote it as a reply to "Enabling Dead Peer Detection (DPD) really helped me when testing IPSec with Mikrotik. Restarting the remote router will flush just the SA of that peer." I misstated my opinion. Thank you.

Ufuk Guler

Enabling DPD and rebooting the remote router is the only way I know to flush a specific SA in RouterOS… Is there any other way to do it?

Thanks!

Hi,

Tools/Netwatch, on both sides of the tunnel:

Set ping to the IP of the other VPN tunnel end with an interval of 10 sec. or any other value which suits your needs.
In the down script put: /ip ipsec installed-sa flush

It helps a lot

Remember that "... If you previously tried to establish the tunnel before the NAT bypass rule was added, you have to clear the connection table of existing connections or restart the routers ..." (from the Wiki), so I manually kill peers after changing firewall rules to clear connections and make the new rules work.

Thanks for the info, but this is an ancient post!

At that moment, I wasn’t aware of those tricks… nowadays I use them and sometimes also use some scripts and the scheduler (i.e. when the VPN has to be up for some hours a day).

Hi,

"Hi,

Tools/Netwatch, on both sides of the tunnel:

Set ping to the IP of the other VPN tunnel end with an interval of 10 sec. or any other value which suits your needs.
In the down script put: /ip ipsec installed-sa flush"

It seems to work, thank you BartoszP.

I tried a script which pings an IP:

# send 4 pings to the far tunnel end; /ping returns the number of replies received
:if ([/ping 192.168.15.254 count=4] < 3) do={
    # fewer than 3 replies: treat the tunnel as down and flush installed SAs
    /ip ipsec installed-sa flush;
    :log info "IPSEC tunnel is down: Flushing Installed SA !!!"
} else={
    :log info "IPSEC tunnel is OK !"
}

but it only works from the terminal; when I try running it via the scheduler it doesn't work somehow.
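The two approaches discussed in this thread (the Netwatch down-script and the scheduled ping check), written out as RouterOS commands. This is an added example, not a configuration posted by anyone in the thread; the peer address 192.168.15.254 is taken from the script above, and the policy lists are an assumption based on the rights the commands need (ping requires the test policy).

```routeros
# Netwatch variant: probe the far tunnel end every 10 s and flush when it goes down.
# Caveat from the thread: "installed-sa flush" clears ALL SAs on the router,
# not only the SAs of the peer that went down, so every other peer renegotiates.
/tool netwatch add host=192.168.15.254 interval=10s timeout=1s \
    down-script="/ip ipsec installed-sa flush" \
    up-script=":log info \"IPsec peer 192.168.15.254 reachable again\""

# Script variant: the same ping test stored as a named script so the scheduler can run it.
# Assumed policy list: "test" is needed for /ping, "write" for the flush, "log" for :log.
/system script add name=ipsec-check policy=read,write,test,log source={
    :if ([/ping 192.168.15.254 count=4] < 3) do={
        /ip ipsec installed-sa flush
        :log info "IPSEC tunnel is down: Flushing Installed SA !!!"
    } else={
        :log info "IPSEC tunnel is OK !"
    }
}

# The scheduler job carries its own policy list; the script runs with the
# intersection of both, so the job must also include "test" for the ping to run.
/system scheduler add name=ipsec-check interval=1m policy=read,write,test,log \
    on-event="/system script run ipsec-check"
```

Check the result with /log print, which shows either the "tunnel is OK" or the "Flushing Installed SA" line once per scheduler interval.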