RB1100AHx4 stops serving all l2tp ipsec until reboot (6.40.5, 6.41rc52 & 6.41rc56)

Hi

I’ve got a brand new RB1100AHx4 with 6.40.5 (also tried on 6.41rc52).

I had an RB2100 previously & I exported its config to rsc, adjusted it to RB1100AHx4 & imported.

Everything works well except l2tp ipsec. It works for several hours & after that l2tp ipsec clients are unable to connect at all.

I tried disabling & enabling l2tp server through winbox (Winbox->PPP->Interface->L2TP Server->remove checkmark enabled/add checkmark enabled) but it doesn’t help. Only reboot of the system (Winbox->System->Reboot) helps for some time.

I switched some clients to pptp & they’re working absolutely ok.

What could be the problem? Is it a known issue & what’s the solution?

We have 2 ISPs with white IPs both working for incoming vpn connections. The office uses the first ISP for the main internet channel & the second as a backup one.

CPU, memory, etc. are ok & well below even 10% of usage when the l2tp ipsec server stops working.

Here’s a part of config:

/interface l2tp-server server
set allow-fast-path=no authentication=mschap2 default-profile=default \
    enabled=yes ipsec-secret=blahblahblah keepalive-timeout=30 use-ipsec=yes
/interface list member
add interface="SW-1 (ether2)" list=mactel
add interface="SW-1 (ether2)" list=mac-winbox
add interface="SW-2 (ether3)" list=mactel
add interface="SW-3 (ether4)" list=mactel
add interface="SW-2 (ether3)" list=mac-winbox
add interface="ether5-ISP2" list=mactel
add interface="SW-3 (ether4)" list=mac-winbox
add interface="AP 5 - meeting rooms (ether6-master-local)" list=mactel
add interface="ether5-ISP2" list=mac-winbox
add interface="AP 4 - meeting rooms (ether7-slave-local)" list=mactel
add interface="AP 2 - room2 (ether8-slave-local)" list=mactel
add interface="AP 5 - meeting rooms (ether6-master-local)" list=\
    mac-winbox
add interface="AP 3 - recreation room (ether9-slave-local)" list=mactel
add interface="AP 4 - meeting rooms (ether7-slave-local)" list=\
    mac-winbox
add interface="AP 1 - room1 (ether10-slave-local)" list=mactel
add interface=bridge-local-LAN list=mactel
add interface="AP 2 - room2 (ether8-slave-local)" list=\
    mac-winbox
add interface="AP 3 - recreation room (ether9-slave-local)" list=\
    mac-winbox
add interface="AP 1 - room1 (ether10-slave-local)" list=mac-winbox
add interface=bridge-local-LAN list=mac-winbox
/interface pptp-server server
set authentication=mschap2 default-profile=default enabled=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=\
    "ether1-gateway-ISP1" network=192.168.88.0
add address=192.168.199.8/24 comment="default configuration" interface=\
    bridge-local-LAN network=192.168.199.0
add address=x.x.x.146/29 comment=\
    "Main ISP1" interface=isp1-ntel-bridge \
    network=x.x.x.144
add address=y.y.y.78/24 comment="Backup ISP2" interface=\
    isp2-beeline-bridge network=y.y.y.0
add address=192.168.1.1/24 interface=bridge-local-LAN network=192.168.1.0

Update: updated to 6.41rc56, let’s see if it helps.

When it happens, generate a supout file and send it to support.

I’d rather try to solve it here on the forum. Any thoughts?

UPDATE
Looks like either an update to 6.41rc56 or an increased keepalive-timeout from the default 30 to 86400 fixed the issue.

I’m going to continue monitoring as I’ve switched some users to pptp when I started having lockups on l2tp ipsec & now I plan to switch them back.