This is my first post, and I'm still learning RouterOS.
I have one MT CCR1009 deployed at the central office and two RB2011UiAS-2HnD-IN deployed at branch offices.
Internet access at the branch offices is provided by two different ISPs (cable and ADSL modems), and at the central office the ISP has provided static IP internet access.
The CCR1009 is configured as an L2TP/IPsec server, and the RB2011s are configured as L2TP clients behind NAT (the ISP modems have DHCP enabled on the WAN interface).
Initially, the L2TP clients do connect to the central location and the VPN works fine (MS AD, folder sharing, etc. all work).
After 24-25 min, the L2TP client behind the ADSL modem drops the VPN session and re-establishes it again.
As always, the guy at the ISP claims they do not have any problems, so I tried replacing the RB2011 with an RB951, but the same problem occurs.
At the same time, the connection from the other location is rock steady: no drops, no problems of any kind.
I also tried configuring another RB2011 (with the same config as the problematic router) and connected it in a different city, and it went OK.
Please, does anyone have any smart idea what the problem with this config or setup could be?
It could be an issue with the NAT handling in the ISP modem.
I have sometimes seen that ISP modems really do not like a high flow of UDP packets, and that is what IPsec over NAT is.
Sometimes the flow is throttled (which can result in loss of connection), sometimes it just fails after a while.
Maybe the modem has a max session time and deletes the NAT entry after that?
You can try an IPIP or GRE tunnel over IPsec transport (create the interface and set an IPsec key), which uses plain ESP over NAT, not NAT-T (UDP).
However, when the modem is buggy it probably does not support that either.
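As an added illustration of the suggestion above (this is not configuration from the original thread or from either poster), here is what a GRE tunnel with the IPsec key set on the interface looks like in RouterOS CLI. All addresses are assumed placeholders: 203.0.113.10 is the central-office static IP, 198.51.100.25 is the public address the ADSL modem currently holds, 192.168.1.2 is the private WAN address the branch RB2011 gets from the modem by DHCP, and the LAN prefixes and tunnel /30 are made up for the example. Setting `ipsec-secret` makes RouterOS create the IPsec peer and transport-mode policy for the GRE traffic automatically.

```routeros
# --- central office (CCR1009, static public IP; assumed placeholder addresses) ---
/interface gre add name=gre-branch1 local-address=203.0.113.10 \
    remote-address=198.51.100.25 ipsec-secret=ReplaceWithLongRandomSecret
/ip address add address=10.255.0.1/30 interface=gre-branch1
# branch LAN behind the tunnel (assumed prefix)
/ip route add dst-address=192.168.10.0/24 gateway=10.255.0.2

# --- branch office (RB2011 behind the ISP modem's NAT; assumed placeholder addresses) ---
/interface gre add name=gre-hq local-address=192.168.1.2 \
    remote-address=203.0.113.10 ipsec-secret=ReplaceWithLongRandomSecret
/ip address add address=10.255.0.2/30 interface=gre-hq
# central-office LAN behind the tunnel (assumed prefix)
/ip route add dst-address=192.168.0.0/24 gateway=10.255.0.1

# --- checks on either side ---
# the auto-generated transport-mode policy for protocol gre should be listed and active
/ip ipsec policy print
# two installed SAs (one per direction) with ESP; no UDP 4500 encapsulation should be needed
/ip ipsec installed-sa print
# end-to-end test through the tunnel
/ping 10.255.0.1 count=5
```

Two caveats a practitioner should keep in mind, both assumptions about the deployment rather than facts from the thread: the central side needs the branch's current public address in `remote-address`, so with a DHCP-assigned modem address that value has to be updated (by script or a DDNS lookup) whenever it changes; and the modem must pass ESP (IP protocol 50) through its NAT, which is exactly the kind of thing a buggy modem may not do.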
I'll have a brainstorming session with the guys from the ISP tomorrow morning; currently all I know is that they do not have any problem.
Everything was OK in the test environment, so I thought (hoped) the same would be true in reality, but ...
I don’t know if an ISP would acknowledge a problem with their customer routers as an ISP problem.
Maybe a good ISP will, but it is questionable whether you reach the people able to comment on that by calling a servicedesk number.
I have had very nasty IPsec-over-NAT problems (that also occurred with OpenVPN-over-UDP) with a couple of different routers, and I am not sure the ISP always knows about that or wants to acknowledge it.
It took some time, but now everything is working as it should, with no VPN drops every 24 min.
The ZTE H108L ADSL modem/router was the cause of the problem; once it was replaced, the L2TP VPN started working normally.
The guys from the ISP were slow, but they accepted the complaint and replaced the modem/router.
I presume it was replaced by another type of router, or maybe the same type but with different firmware?
I have a hard time believing this would be a hardware defect (like a defective component); it is more likely a software issue.