PH2 State script

Good morning,

I would like a script that checks the PH2 state of a specific policy and, if it finds it at "no phase2", disables and re-enables it.

I am having an issue where one of my policies, if it gets interrupted for any reason, goes to "no phase2", and the only way it comes back online is to disable and re-enable it, so
until I figure out why, a script to do this for me would be handy.

I have no experience in scripting whatsoever.

Thanks in advance.

Hi,
you can try this code.
I use the main part of this code just to inform me when PH2 is down, but in this case I modified it to disable, wait 10 sec and re-enable the policy.
Give it a try.

# loop over every policy except those whose action is "discard"
:foreach i in=[/ip ipsec policy find where action!=discard] do={
	# skip the default template policy (internal id *FFFFFF)
	:if ($i != "*FFFFFF") do={
		:local state [/ip ipsec policy get $i value-name=ph2-state]
		# anything other than "established" (e.g. no-phase2) gets bounced
		:if ($state != "established") do={
			/ip ipsec policy disable numbers=$i
			:delay 10
			/ip ipsec policy enable numbers=$i
		}
	}
}

Thank you for your answer

I am getting "invalid value for argument numbers" when I load it via terminal to test it.
It disables a standby policy that I have which I don't want disabled, and keeps it disabled.

Is there a way to point to a specific policy that I want checked, other than all of them, by comment name let's say?

OK,
so then use this modified version:

# only the policy (or policies) carrying the given comment
:foreach i in=[/ip ipsec policy find comment="put_your_comment"] do={
	# skip the default template policy (internal id *FFFFFF)
	:if ($i != "*FFFFFF") do={
		:local state [/ip ipsec policy get $i value-name=ph2-state]
		# anything other than "established" (e.g. no-phase2) gets bounced
		:if ($state != "established") do={
			/ip ipsec policy disable numbers=$i
			:delay 10
			/ip ipsec policy enable numbers=$i
		}
	}
}

Add your comment within those "" and you will be good. Just choose a simple comment, just one word.
Let me know if this one works better for you.
Anyway, put this code into a script (create it under /system script) for it to work.

P.S.: the previous code failed to re-enable because I made a typo in the variable $i, which became $1 (that does not exist, of course), hence the improper value. Now in this snippet you will get the proper variable name, so it will disable and re-enable the policy after all.

One problem: sometimes we see a not-established state for a few seconds, which is normal, and this script can be too brazen/aggressive.
Some latency and then testing again would be perfect.
Additional note: some policies can be together at one peer, and that script can do a few additional actions.

This topic is interesting because I see similar problems with some IPSec tunnels.
Sometimes we must re-enable policies, proposals, remove active peers, and sometimes disable PH1&2 IPSec for 5m and then enable it. Those 4 types of actions work on different problems.

My last problem with IPSec is here: IPSec PH2 “ready to send” without Active Peer, User cannot connect, Win10 #809 or #0

Hi SiB,
Yes, the script that I'm using on my router (which mainly sends a Telegram msg to inform about some issue with PH2) also gets triggered even though the IPSec tunnel is active and working.
Of course, in terms of scripting it all depends on how often you run it; the chances that you catch one of those glitches could be high with a high-frequency detection mode.
I have a stable VPN tunnel with another site, and with a previous ADSL link at the main side I was getting a PH2 failure once per day. Now that the connection has moved to fiber, I don't see many of these alarms, but sometimes it still happens. I run the script every 5 sec, so the chances that I intercept one of these glitches are there, but I just limit the Telegram msgs to a certain amount a day, just in case, so that if IPSec goes down for an extended period of time I won't get flooded with Telegrams.
Armando

Works a treat my friend.

Thank you very much…

I will also save your first version with the corrected $1, as it checks all the policies; it might also come in handy someday.

Thanks again

Good to hear this.
Actually I have fixed the typo in the original snippet, so you can copy/paste also from here to get the whole working code.
In my original code the foreach, which gets all policies except those with action "discard", is there because I have a policy to avoid L2TP staying up when there is no IPSec. But it should not interfere with your case if you don't have such a thing.
Also, the first IF avoids taking the default template policy, with that *FFFFFF filter.

Armando

It can be easier to write:

# select the non-template policy with the given comment only when its PH2 is not established
:foreach i in=[/ip ipsec policy find where !template ph2-state!=established comment="put_your_comment"] do={
  /ip ipsec policy disable numbers=$i
  :delay 10
  /ip ipsec policy enable numbers=$i
}

Sometimes, without traffic, the tunnel can be unused and have state expired, and any traffic will recover it to established. Expired is not a bad state when it comes to broken connections.
Real problems with the tunnel are where:

/ip ipsec policy print where ph2-state!=expired ph2-state!=established !template !active

In most cases the best parameters are: !active !template
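As an added example (written for this page, not code posted by Armando or SiB), here is one script that combines the two caveats raised above: the brief not-established states that make a naive check too aggressive, and the expired state that recovers by itself on the next packet. It reads the state twice, separated by a settle delay, and only bounces the policy when it is still in a real failure state both times. The policy comment "site-a", the 15-second settle time, the 10-second disable window and the log messages are assumptions for the example; RouterOS v6 scripting syntax is assumed.

```routeros
# ph2check: debounced PH2 recovery for one IPsec policy (added example, not from the thread)
# Assumptions: the policy to watch carries the comment "site-a"; 15s is long enough
# for a transient re-key to finish; expired is treated as healthy (traffic re-keys it).
:local policyComment "site-a"
:local settle 15s

# non-template, non-dynamic policies only; dynamic ones belong to a peer and vanish with it
:local ids [/ip ipsec policy find where !template !dynamic comment=$policyComment]

:if ([:len $ids] = 0) do={
    :log warning ("ph2check: no policy with comment " . $policyComment)
} else={
    :foreach i in=$ids do={
        :local state [/ip ipsec policy get $i ph2-state]

        # "expired" only means the SA aged out without traffic; the next packet brings it back
        :if ($state != "established" && $state != "expired") do={
            # first sighting: wait, then re-read before doing anything disruptive
            :delay $settle
            :set state [/ip ipsec policy get $i ph2-state]

            :if ($state != "established" && $state != "expired") do={
                :log warning ("ph2check: policy " . $i . " still " . $state . " after settle delay, bouncing it")
                /ip ipsec policy disable numbers=$i
                :delay 10
                /ip ipsec policy enable numbers=$i
            } else={
                :log info ("ph2check: policy " . $i . " recovered on its own (" . $state . ")")
            }
        }
    }
}
```

Save it as a script (for example /system script add name=ph2check source=... ) and drive it from the scheduler with something like /system scheduler add name=ph2check interval=30s on-event=ph2check; the interval must be longer than the settle delay plus the 10-second disable window, otherwise two runs can overlap and bounce the same policy twice. Because the selection is by comment and excludes template and dynamic entries, a standby policy with a different comment is never touched.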