IPSEC tunnel issues - SAs need flushing from time to time

After the IPSEC tunnel is established between two sites (both Mikrotik) it works fine during testing.

Then after a day or so it stops working until we flush the Installed SAs on both sides.

On flushing SAs and pinging across once more, the VPN comes up without any issue.

I am using SNTP for both sites so clocks are good.

The following settings are the same for both sites:

IPsec policy:
Protocol: esp
Tunnel: yes

Peer:
Proposal check: obey
Send initial contact: Yes
Hash: md5
Encryption algo: 3des
DH group: modp1024
Lifetime: 1d 00:00:00
DPD interval: 120s
DPD Maximum failures

Proposal:
Auth algo: sha1
Encryption algo: 3des
Lifetime: 00:30:00
PFS group: modp1024

Any ideas why it is dropping? What can be done to stop it?

Thanks

Just to update, the link has been idle for some time and checking pings just now I get time out.

I could see that there were installed SAs both outbound and inbound, an additional duplicate set with different SPIs has now been created.

The ‘Current Bytes’ field for the new SAs is incrementing whilst I try to ping (which is failing), the old SAs count remains static.

Regardless of the above, the pings to the other routerbox still time out.

Any ideas or update on this?

One thing to try was not having ‘Send initial contact: Yes’ in both ends.

Hi, I tried that but the link is still unstable. It seems that whenever it's idle for some time, I can no longer ping the other side.

Any other ideas?

Bump - hopefully someone can advise on this?

Is it possible to pay Mikrotik for support for this intermittent connectivity issue?

Hi,

I can confirm that this is also an issue when running mikrotik/Cisco. I have scheduled a flush every 60min and so far it seems to work ok, not perfect but ok.

It has been like this since version 5.12 and Mikrotik support ignores the existence of the error by saying that it works fine and that there must be something wrong with my config.

Thanks for the reply :smiley:

What is not good is that you have the same issue as me, but I understand you run Mikrotik to Cisco, from your post I understand it was OK before 5.12 with the exact same config?

I have triple checked the configuration, it is set as per the guides on the wiki and from other sites.

My routerboards are 8 months old, how can I go about getting official word from Mikrotik on this issue?

I reported a similar bug to MT a couple of months ago. It was between Windows/MT and MT/MT
The main point of the report was that when you get a connection error for any reason (network problem, password problem, etc …) MT doesn’t fully clear the SAs. They disappear from your list but MT still tries to use them later, so the connection won’t establish because both sides try to use different keys. You can fix it by flushing the SAs because that will also clear the phantom ones.

Anyways, I don’t remember the issue fully, but MT tested and confirmed it as a bug. It was a few weeks before Ros 5.22 came out, so I don’t think it had been fixed yet.

GL

Hi,

Sorry for my bad language, it didn't work before 5.12 either. I started using VPN from version 5.12 and it has never worked flawlessly.

I suggest that you contact support@mikrotik.com. One would believe that VPN should work fine between two Mikrotiks as they are using the same RFC. Cisco does not follow the RFC completely, therefore there might be some compliance issues between them and Mikrotik.
But one would think that Mikrotik could have made a "Cisco" setting or something which fixes this, since Cisco has a very great advantage on the market.

If anyone can give access to both Mikrotik and Cisco and describe the way to repeat the problem then it might help to fix the problem.

The problem is that the problem is not manually repeatable. It happens randomly and I believe it could be like glucz says: there are phantom SAs.

I also know that Cisco wants to create a new SA every time the SA times out, but the Mikrotik wants to re-use the old ones as per the RFC.

Do you have level=unique set in the ipsec policy? This is required for the tunnel to work properly with Cisco.

hi @mrz, mine is set to level=require.

This is for native Mikrotik RB1100AH to Mikrotik RB751.

Should I also set this to unique for Mikrotik-to-Mikrotik tunnels?

I have never tried that actually - but I am running it now on one of my MT/Cisco solutions. Will turn off flushing SA tonight and see if it works until tomorrow morning.

Thanks!

I have an issue with RB1100AH (5.22, unique) and Cisco ASA 5510, but I can't give access.
As a workaround I use the script every minute:

# Host on the far side of the tunnel that must answer ICMP
:local IPWatchServer 10.0.1.2
# Local interface the probe is sourced from
:local OutInterface ether1-lan
# /ping returns the number of echo replies received; fewer than 3 of 4 counts as "down"
:if ([/ping interface=$OutInterface $IPWatchServer count=4]<3) do={
  /ip ipsec installed-sa flush sa-type=all
  :log info "IPSEC tunnel with DMZ is down: Flushing Installed SA !!!"
} else={
#  :log info "IPSEC tunnel with DMZ is OK !"
}

RouterOS creates new SAs before the SA lifetime expires and notifies the remote peer about it. The ASA simply does not respond and does not make new SAs. So without access to the ASA or detailed debug logs from it, it is hard to tell why it is happening.

Glad the Cisco has some light shed on it - but any idea about my OP and Mikrotik to Mikrotik? :slight_smile:

hi,

I had similar problems with ipsec.

On both routers I use this script:

ping interface=internal internal.ip.of.other.site count=1

Run this with the scheduler every 5 minutes or something like that. If you do so there is no idle...

Works fine from 5.12 to 6.rc6 in a different mix of versions.

For the problem with the Cisco ASA I use a similar script to slech's.
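The two workarounds above (a periodic keepalive so the tunnel never goes idle, and a ping-gated SA flush) can be combined into one scheduler script. The following is an added example, not a script from any poster in this thread; it assumes a peer LAN host 192.0.2.10 reachable through local interface ether2-lan, and it only flushes after three consecutive failed checks so that a single lost probe does not tear down working SAs. In RouterOS scripting, `/ping` returns the number of echo replies received, which is what the `<3` comparison in the earlier script tests.

```routeros
# Keepalive + SA watchdog for RouterOS (added example, not from the thread).
# Assumed values: peer LAN host 192.0.2.10, local interface ether2-lan, limit 3.
# Intended to run from /system scheduler every minute.

:local peerHost 192.0.2.10
:local probeIf ether2-lan
:local failLimit 3

# Global counter survives between scheduler runs; initialise it on first use
:global ipsecFailCount
:if ([:typeof $ipsecFailCount] = "nothing") do={ :set ipsecFailCount 0 }

# /ping returns the number of replies received; 4 probes, so <3 means at least 2 lost
:local replies [/ping interface=$probeIf $peerHost count=4]

:if ($replies < 3) do={
    :set ipsecFailCount ($ipsecFailCount + 1)
    :log warning ("IPsec probe to " . $peerHost . " got " . $replies . "/4 replies, failure " . $ipsecFailCount . "/" . $failLimit)
    :if ($ipsecFailCount >= $failLimit) do={
        # Only now drop the installed SAs so both sides renegotiate fresh keys
        :log error "IPsec peer unreachable for consecutive checks: flushing installed SAs"
        /ip ipsec installed-sa flush sa-type=all
        :set ipsecFailCount 0
    }
} else={
    # A successful probe doubles as the keepalive that stops the tunnel going idle
    :if ($ipsecFailCount > 0) do={ :log info "IPsec peer reachable again, resetting failure counter" }
    :set ipsecFailCount 0
}
```

Save it under /system script and call it from a /system scheduler entry with interval=1m; the warning log lines give you a record of how often the probe fails before a flush is triggered.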

Can you explain the <3 at the end of the if command for the ping please.

Thanks

Thanks for the no idle script.

More importantly does anyone know the reason this is required?

How can I file a bug for my issue of drops between Mikrotik devices using ipsec?

Regards

Chris