We have recently purchased a Mikrotik router board
Model: CCR1016-12G OS Version: 6.39.2 (stable)
We are facing an issue where the IPsec VPN tunnel goes down between the Cisco ASA and the Mikrotik. When we kill the installed SA, the tunnel establishes again, but we need it up all the time. Checked all the timers but unable to find an issue. Could not find any mismatch. Any suggestions?
Step 1: if you don’t want to upgrade the CCR for some reason, take a test device (which may be a much smaller = cheaper one, as the source code of the higher layers of the software is the same for all) with a current software version (to date, 6.40.7 is enough if you want to avoid the changes associated with the new bridge configuration), copy the configuration from the CCR and see whether it works better.
If that does not help, logs on both Mikrotik and Cisco should help you diagnose what exactly goes wrong (on Mikrotik,
/system logging add topics=ipsec
; on Cisco you have to find yourself). If there is a firewall between the two devices, it is possible that it closes the connection between them due to inactivity, and the device which attempts to install a new SA after the pause in data transport is the one on the “public” side of that firewall, so the firewall doesn’t let the packets through and the connection never establishes, but it is rather a theoretical possibility.
I have quite a few MT to ASA tunnels in production, including one from my office (CCR1009 on 6.38.3) to an ASA 5515. Once the configs match up, I don’t have any stability problems with any tunnels.
On the Cisco, your debug commands are “debug crypto ipsec sa” and “debug crypto isa”.
You also will want to use “show crypto isa” and “show crypto ipsec sa peer a.b.c.d” to see current status.
What you describe vaguely sounds like a timer issue.
Will the tunnel only come up with traffic in one direction, and fail to come up for traffic in the opposite direction? If so, verify your PFS settings.
When the tunnel is down, which device are you clearing the SAs on (MT or ASA)? Does the peer device show the SAs still active? If so, with the same or different SPI?