Does anyone have problems with IPsec stability after upgrading to RouterOS 7.11? I upgraded my production router CCR2004-16G-2S+ this Tuesday and I had multiple issues with the IPsec tunnels between different peers. Before the update to RouterOS 7.11 the same tunnels were working fine for the last year.
Since these are production tunnels, I can’t really perform any long analysis when the problem occurs, since I need to recover the tunnel as soon as possible. (I remove the connection in the Active Peers and then the tunnel reestablishes and everything works fine for ~24h.)
When the problem happens, in the Active Peers I have multiple lines for the problematic peer, with some of them in the ‘expired’ state and one in the ‘established’ state. I see packets increase in the Tx and Rx count, but the connectivity is not working.
It looks like only the IPsec tunnels with ‘main’ exchange mode are affected; others with IKE2 are not affected.
When the problem occurs, there are no lines in the log that would indicate any issues with IPsec.
Did anyone else experience any such issues after the upgrade? I will downgrade to 7.10.2 today or tomorrow to see if this resolves the issue.
I also noticed that I have a spike in CPU usage every 10 seconds. When I run the profiler I see that the cause is “ipsec”, which takes 100% of one CPU for one or two seconds, and then CPU usage drops back to normal. You can see the situation in the attached image.
Is this normal? I have 24 IPsec tunnels established (4 with ‘main’ and 20 with IKE2).
If it is not normal, how can I debug this? I don’t see anything relevant in the logs.
