ipsec tunnel expired

Sometimes my IPsec tunnel status shows expired, or established but I can't ping from one subnet to another. Not sure what causes it. When I disable/enable it a couple of times, it works. Can I maybe use

/ip ipsec installed-sa flush

?

That command should work fine.

I had a similar issue with MikroTik to Cisco. Cisco would send a command to drop the connection but the MikroTik wouldn't, so my SAs were still there. I couldn't ping either because the connection was dead but the MikroTik thought it was still active.

I had created a script that ran frequently. It would ping the LAN of the remote side and, if the ping failed, the script would flush the SAs, wait 10 seconds, then ping the remote side again to get the MikroTik to re-establish the tunnel. I think by default the MikroTik doesn't establish the tunnel until a packet matches the IPsec policy. So after the SAs are flushed, the first ping thereafter would fail, as it took a couple of seconds to establish the tunnel.
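One way to write the watchdog described in the post above, as an added RouterOS script that is not the poster's own. It assumes the remote LAN gateway is 192.168.2.1, the local address covered by the IPsec policy is 192.168.1.1, and that the script is run from the scheduler once a minute; all three are placeholders to adjust.

```routeros
# Added example, not the poster's script. Assumed addresses (change them):
#   remoteHost - a host on the far LAN that answers ping
#   srcAddr    - a local address that falls inside the IPsec policy
:local remoteHost 192.168.2.1
:local srcAddr 192.168.1.1

# Probe through the tunnel. src-address must match the policy's source
# network, otherwise the probe never matches the policy and never
# triggers IKE, so the check would fail even on a healthy router.
:local got [/ping $remoteHost src-address=$srcAddr count=3 interval=1s]

:if ($got = 0) do={
    :log warning ("ipsec-watchdog: " . $remoteHost . " unreachable, flushing installed SAs")

    # Drop every installed SA so the stale tunnel state is gone.
    # Note: this flushes SAs for all peers on the router, not just this one.
    /ip ipsec installed-sa flush

    # Give IKE time to finish before probing again.
    :delay 10s

    # The first packet after the flush is what triggers re-negotiation, so
    # this second ping mainly kicks the tunnel back up; its result is only
    # logged so a persistent failure shows up in /log.
    :local again [/ping $remoteHost src-address=$srcAddr count=5 interval=1s]
    :if ($again = 0) do={
        :log error ("ipsec-watchdog: " . $remoteHost . " still unreachable after SA flush")
    } else={
        :log info ("ipsec-watchdog: tunnel re-established, " . $again . "/5 replies")
    }
}
```

Save the body as a script (`/system script add name=ipsec-watchdog source=...`) and run it with `/system scheduler add name=ipsec-watchdog interval=1m on-event=ipsec-watchdog`. Two caveats: the flush tears down SAs for every IPsec peer on the router, so on a box with several tunnels each failure of this one briefly interrupts all of them; and RouterOS has dead peer detection (the `dpd-interval` and `dpd-maximum-failures` settings on the IPsec peer or profile, depending on the version), which is the cleaner fix for the stale-SA situation described in the post since it lets the router notice the dead peer on its own instead of relying on a ping loop.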