PPTP client does not go down when idle

vas · April 30, 2021, 3:06am

Dear Colleagues,

I have a PPTP client configured with dial-on-demand and idle timeout (see below). Dial-on-demand works, but for some reason the pptp-client interface does not go down when there is no traffic to the hq. I expect it to go down after 10 minutes of inactivity. What am I missing?

I can bring the interface down manually (disable/enable), and it will stay down until there is some traffic destined to the hq. But i won’t go down by itself when there is no traffic.

/interface pptp-client print 
Flags: X - disabled, R - running 
 0  R name="hq" max-mtu=1450 max-mru=1450 mrru=disabled connect-to=x.x.x.x user="xxxxxxxx" password="yyyyyyyy" 
      profile=default-encryption keepalive-timeout=60 use-peer-dns=no add-default-route=no dial-on-demand=yes 
      allow=pap,chap,mschap1,mschap2 

/ppp profile print 
Flags: * - default 
 1 * name="default-encryption" bridge-learning=default idle-timeout=10m use-ipv6=yes use-mpls=default use-compression=default 
     use-encryption=yes only-one=default change-tcp-mss=yes use-upnp=default address-list="" on-up="" on-down=""

nostromog · April 30, 2021, 4:04pm

I have seen it failing due to either /ip/cloud or /interface/detect-internet being active and polling the connection.

One way to find out what is keeping the connection up ise to use

/tool/sniffer/quick interface=<myvpn>

for a while to understand what is keeping it alive.

rextended · April 30, 2021, 8:09pm

NTP?

vas · May 1, 2021, 6:34pm

Thanks for the very useful advice about the packet sniffer. I’ve directed a TZSP stream of traffic to Wireshark and found out that it’s OSPF hello packets from the remote side of the PPTP connection keeping the link up.

vas · May 1, 2021, 6:38pm

OSPF hellos from the hq.

I wonder if I filter them out with the firewall, will they stop keeping the link up?

UPD. Hmm, this filter rule below should be already dropping them. correct? Is there anything else I can do (other than to persuade the hq admin to disable OSPF on the PPTP server interface)?

[admin@MikroTik] > /ip firewall filter print chain=input 
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 1    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 2    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 3    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 

 4    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN 
[admin@MikroTik] >

nostromog · May 5, 2021, 2:05pm

I don’t think you can do much about what the other side sends. If you know the kind of legitimate traffic you are expecting, you could try a script that would run periodically and kills the connection if it can’t find “good” traffic… and expect that the other processes will start again as needed. But all a bit clumsy.