I just want to start off by saying my knowledge of a Mikrotik is very limited.
We have a scenario where we have a LAN to LAN VPN, Mikrotik on one side, WatchGuard on the other; however, recently it has been intermittently disconnecting. The log shows the following:
phase1 negotiation failed due to time up local-end-ip[500]<=>remote-end-ip[500]
Usually it will reconnect, eventually, but occasionally we have to reboot the Mikrotik. We need this tunnel to be as constant and stable as possible. There are several VPNs of a similar nature going to the WatchGuard, though usually Drayteks, which are all stable, so I believe the problem to be somewhere on the Mikrotik. The two internet connections themselves do not lose any packets when the tunnel drops.
Firewall filter rules
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Accept ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""
1 XI chain=input action=accept protocol=tcp dst-port=7746 log=no
log-prefix=""
2 chain=output action=reject reject-with=icmp-network-unreachable
protocol=tcp dst-address=redactedwanip log=no log-prefix=""
3 chain=output action=reject reject-with=icmp-network-unreachable
protocol=tcp dst-address=redactedwanip log=no log-prefix=""
4 XI chain=input action=accept protocol=tcp dst-port=7746 log=no
log-prefix=""
5 XI chain=input action=accept protocol=tcp dst-port=7746 log=no
log-prefix=""
6 ;;; Accept established related
chain=input action=accept connection-state=established,related
log=no log-prefix=""
7 ;;; Accept Established Related
chain=forward action=accept connection-state=established,related
log=no log-prefix=""
8 ;;; Accept remote access
chain=input action=accept protocol=tcp
src-address-list=RemoteAccess in-interface=ether1
dst-port=88,8022,8443,8291 log=no log-prefix=""
9 chain=input action=accept protocol=udp src-port=500 log=no
log-prefix=""
10 chain=input action=accept protocol=ipsec-esp log=no log-prefix=""
11 chain=input action=accept protocol=ipsec-ah log=no log-prefix=""
12 ;;; Allow Remote Server Access to 192.168.51.0/24 Network
chain=forward action=accept src-address=10.0.1.20
dst-address=192.168.51.0/24 log=no log-prefix=""
13 ;;; Allow Remote Server Access to 172.16.32.0/20 Network
chain=forward action=accept src-address=10.0.1.20
dst-address=172.16.32.0/20 log=no log-prefix=""
14 ;;; Allow Remote Server Access to 172.16.32.0/20 Network
chain=forward action=accept src-address=10.0.1.20
dst-address=192.168.37.0/24 log=no log-prefix=""
15 ;;; Drop all other input
chain=input action=drop in-interface=ether1 log=no log-prefix=""
16 ;;; Drop invalid
chain=forward action=drop connection-state=invalid log=no
log-prefix=""
17 ;;; Drop All Forwarding Un-wanted
chain=forward action=drop in-interface=ether1 log=no log-prefix=""
NAT rules
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=172.16.32.0/20
dst-address=10.0.1.20 log=no log-prefix=""
1 chain=srcnat action=accept src-address=192.168.51.0/24
dst-address=10.0.1.20 log=no log-prefix=""
2 chain=srcnat action=accept src-address=192.168.37.0/24
dst-address=10.0.1.20 log=no log-prefix=""
3 ;;; Masquerade NAT
chain=srcnat action=masquerade out-interface=ether1 log=no
log-prefix=""
Any ideas are welcomed. I find it puzzling, as there have been no configuration changes on either end, yet this was working perfectly until 2 days ago.