mikrotik - cisco => IPsec-SA expired :

Dear Sirs.

I have an IPsec VPN tunnel between a Mikrotik and a Cisco. The VPN works fine, but once a day I have to reboot it because it stops working. There is an issue posted by a colleague named “ipsec disconnects sometimes” where he describes exactly what is happening to me. The solution posted there is to enable DPD, which I have already activated. Basically, what happens shows up in the log like this:


08:54:09 ipsec 11.11.11.11 give up to get IPsec-SA due to time up to wait.
08:54:09 ipsec IPsec-SA expired: ESP/Tunnel 11.11.11.11[0]->22.22.22.22[0] spi=131319079(0x7d3c527)
08:54:12 ipsec initiate new phase 2 negotiation: 22.22.22.22[500]<=>11.11.11.11[500]
08:54:42 ipsec 11.11.11.11 give up to get IPsec-SA due to time up to wait.
08:54:42 ipsec IPsec-SA expired: ESP/Tunnel 11.11.11.11[0]->22.22.22.22[0] spi=143755602(0x8918952)
08:54:43 ipsec initiate new phase 2 negotiation: 22.22.22.22[500]<=>11.11.11.11[500]
08:55:13 ipsec 11.11.11.11 give up to get IPsec-SA due to time up to wait.
etc… (11.11.11.11 is cisco, 22.22.22.22 is RB)


Please advise.

Thanks in advance!

Look at the SAs' lifetime and try to make a script which will flush the installed SAs. Something like this:

/ip ipsec installed-sa flush

Thanks, borodamd!

I will check this.

Regards.

I have the same problem.
Vazquez, do you have any progress in solving this issue?

I’d very much appreciate it if you could share any solution.

Hi Jani,

Yes, I have applied the flush every 6 hours plus a system reboot at 5 am every day. I haven't had any more problems in the last 10 days.

Thanks and regards!

Thanks for your advice. But in my situation IPsec can stay established for 8-12 hours and work fine, and on another day it can hang every 20 min.
I’ll try to fix it by writing a script.
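
As an added example (not part of any post in this thread), one way to detect the phase 2 retry loop shown in the first post's log excerpt from exported router logs, so the tunnel can be checked before a timed flush or reboot is needed. The `IPsec-SA established` line format, the threshold of 3 failures and the 5-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

DAY = timedelta(days=1)
GIVE_UP = re.compile(r"^(\d\d:\d\d:\d\d) ipsec (\S+) give up to get IPsec-SA")
# Assumed format of the success line, modelled on the "IPsec-SA expired" lines in the post.
ESTABLISHED = re.compile(
    r"^\d\d:\d\d:\d\d ipsec IPsec-SA established: \S+ "
    r"([^\[\s]+)\[\d+\]->([^\[\s]+)\[\d+\]")

# Log lines copied from the first post (11.11.11.11 is the Cisco, 22.22.22.22 the RB).
SAMPLE = [
    "08:54:09 ipsec 11.11.11.11 give up to get IPsec-SA due to time up to wait.",
    "08:54:09 ipsec IPsec-SA expired: ESP/Tunnel 11.11.11.11[0]->22.22.22.22[0] spi=131319079(0x7d3c527)",
    "08:54:12 ipsec initiate new phase 2 negotiation: 22.22.22.22[500]<=>11.11.11.11[500]",
    "08:54:42 ipsec 11.11.11.11 give up to get IPsec-SA due to time up to wait.",
    "08:54:42 ipsec IPsec-SA expired: ESP/Tunnel 11.11.11.11[0]->22.22.22.22[0] spi=143755602(0x8918952)",
    "08:54:43 ipsec initiate new phase 2 negotiation: 22.22.22.22[500]<=>11.11.11.11[500]",
    "08:55:13 ipsec 11.11.11.11 give up to get IPsec-SA due to time up to wait.",
]

def find_stuck_peers(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {peer: (first_failure, last_failure, count)} for peers that hit
    `threshold` phase 2 timeouts within `window` and have not recovered since."""
    failures = {}  # peer -> timestamps of recent "give up" events
    stuck = {}
    for line in lines:
        line = line.strip()
        if m := GIVE_UP.match(line):
            ts = datetime.strptime(m.group(1), "%H:%M:%S")
            times = failures.setdefault(m.group(2), [])
            # Logs carry time only; the modulo keeps the age positive across midnight.
            times[:] = [t for t in times if (ts - t) % DAY <= window]
            times.append(ts)
            if len(times) >= threshold:
                stuck[m.group(2)] = (f"{times[0]:%H:%M:%S}", f"{ts:%H:%M:%S}", len(times))
        elif m := ESTABLISHED.match(line):
            # A fresh SA in either direction means negotiation works again.
            for peer in m.groups():
                failures.pop(peer, None)
                stuck.pop(peer, None)
    return stuck

if __name__ == "__main__":
    for peer, (first, last, count) in find_stuck_peers(SAMPLE).items():
        print(f"{peer}: {count} phase 2 timeouts between {first} and {last}")
```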