Hi
I have quite a large setup, but I have worked out a minimal config in which I still see the problem.
# Interface layer of the export: a MAC override on ether2, an active-backup bond
# (ether1 + ether2), three VLANs on the bond and four VRRP instances.
# NOTE(review): lines that begin with a parameter (e.g. "on-master=...") look like
# continuations of the preceding "add"; the trailing "\" of the original export
# seems to have been lost in the post, so this text would not import as-is - confirm
# against the router.
/interface ethernet
set [ find default-name=ether2 ] mac-address=D4:CA:6D:8E:XX:XX
# NOTE(review): no VRRP instance in this export sets authentication=. RouterOS only
# offers VRRP authentication with version=2, so the advertisements are presumably
# unauthenticated; the segments that carry them should be trusted and the firewall
# should accept protocol=vrrp only on the interfaces that actually run VRRP.
/interface vrrp
add interface=ether5 name=GC-net-vrrp on-backup=GC-net-vrrp-on-backup
on-master=GC-net-vrrp-on-master priority=210 vrid=2
/interface bonding
add mode=active-backup name=bonding1 slaves=ether1,ether2
/interface vlan
add interface=bonding1 name=DB-vlan vlan-id=22
add interface=bonding1 name=Internet-vlan vlan-id=16
# NOTE(review): management traffic uses VLAN 1, which many switches treat as their
# default/untagged VLAN - confirm the switch side really isolates it.
add interface=bonding1 name=Management-vlan vlan-id=1
/interface vrrp
add interface=DB-vlan name=DB-vrrp priority=210 vrid=22
add interface=Internet-vlan name=Internet-vrrp on-backup=
internet-vrrp-on-backup on-master=internet-vrrp-on-master priority=210
vrid=16
# No vrid= is shown for Management-vrrp, so the RouterOS default applies.
add interface=Management-vlan name=Management-vrrp priority=210
# Default wireless security profile (only the supplicant identity is set), followed by
# the IPsec phase-1 profile and phase-2 proposal, both named ipsec-vpn-fc14f695.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# NOTE(review): dh-group=modp1024 is a 1024-bit group, below the 2048-bit minimum of
# current guidance; prefer modp2048 or an ECP group if the remote end supports it.
# hash-algorithm is not shown, so the RouterOS default applies (sha1, as far as I
# know) - check with a verbose export. Both ends must be changed together.
/ip ipsec peer profile
add dh-group=modp1024 dpd-interval=10s dpd-maximum-failures=3 enc-algorithm=
aes-128 lifetime=8h name=ipsec-vpn-fc14f695
# NOTE(review): auth-algorithms and pfs-group are not shown either, so phase 2 also
# runs on defaults. aes-128-cbc provides no integrity on its own; the auth algorithm
# in effect is what protects the ESP payload - confirm it is at least sha256.
/ip ipsec proposal
add enc-algorithms=aes-128-cbc lifetime=1h name=ipsec-vpn-fc14f695
# IP addressing for the physical, VLAN, bonding and VRRP interfaces.
# NOTE(review): 172.32.x.x lies outside RFC 1918 (172.16.0.0/12 ends at
# 172.31.255.255), so these "internal" prefixes are publicly assigned address space.
# Traffic to the real owners of those addresses is captured by the local routes, and
# any filter elsewhere that assumes "private = RFC 1918" will not match them.
/ip address
add address=172.32.253.6/30 interface=ether5 network=172.32.253.4
add address=172.32.100.3/24 interface=Management-vlan network=172.32.100.0
# No prefix length is given here, so this is a /32 (network equals the address),
# whereas DB-vrrp below uses /24 - confirm the difference is intended.
add address=172.32.100.1 interface=Management-vrrp network=172.32.100.1
add address=172.32.103.3/24 interface=DB-vlan network=172.32.103.0
add address=172.32.103.1/24 interface=DB-vrrp network=172.32.103.0
add address=172.32.253.34/30 interface=Internet-vlan network=172.32.253.32
# Public addresses (redacted by the poster) sit on the Internet-vrrp interface.
add address=XX.XX.31.4/25 comment=“Internet natting” interface=Internet-vrrp
network=XX.XX.31.0
add address=YY.YY.82.170/30 interface=Internet-vrrp network=YY.YY.82.168
# Link-local /30s on bonding1; the same addresses appear as src-address in the
# /32 IPsec policies of this export.
add address=169.254.43.254/30 interface=bonding1 network=169.254.43.252
add address=169.254.43.2/30 interface=bonding1 network=169.254.43.0
add address=172.32.253.1/30 interface=GC-net-vrrp network=172.32.253.0
# Firewall: the Firewall-Admin source list, then input (traffic to the router) and
# forward (traffic through the router) filter rules. Rules are evaluated top to
# bottom, so their order is part of the policy.
/ip firewall address-list
add address=172.19.254.0/24 list=Firewall-Admin
add address=172.32.100.0/24 list=Firewall-Admin
add address=172.32.102.0/24 list=Firewall-Admin
add address=172.32.103.0/24 list=Firewall-Admin
/ip firewall filter
# NOTE(review): neither chain has an explicit connection-state=invalid drop; invalid
# packets are only caught if no earlier accept rule matches them first.
add action=accept chain=input comment=“Input established or related”
connection-state=established,related
# NOTE(review): VRRP and ICMP are accepted on input from every interface and source
# (no in-interface or src-address match), which includes the Internet-facing side.
# Consider limiting protocol=vrrp to the interfaces that carry VRRP.
add action=accept chain=input protocol=vrrp
add action=accept chain=input protocol=icmp
# SSH to the router, admin networks only.
add action=accept chain=input dst-port=22 protocol=tcp src-address-list=
Firewall-Admin
# NOTE(review): dst-port=80 is presumably WebFig over plain HTTP, so logins would
# cross the admin networks unencrypted; www-ssl is the usual replacement - confirm
# which service listens here.
add action=accept chain=input dst-port=80 protocol=tcp src-address-list=
Firewall-Admin
# NOTE(review): this accepts every protocol and port from one public host, and the
# address is not redacted in the post. Narrow it to the service actually needed
# (protocol / dst-port) and add a comment saying what the host is.
add action=accept chain=input src-address=80.71.120.192
add action=drop chain=input comment=“Input chain drop rule”
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward protocol=icmp
# Host-to-host allowance in both directions between 172.32.103.6 and 172.32.1.72.
add action=accept chain=forward dst-address=172.32.1.72 src-address=
172.32.103.6
add action=accept chain=forward dst-address=172.32.103.6 src-address=
172.32.1.72
# NOTE(review): any source, any protocol is forwarded to 172.32.0.0/19 with no
# in-interface or src-address match, so the rule also applies to traffic arriving on
# the Internet-facing interfaces. The prefix is /19 here, /18 in the NAT rule and /22
# in the IPsec policies and routes - confirm which one is intended.
add action=accept chain=forward dst-address=172.32.0.0/19
# SSH from 172.19.254.0/24 to any destination behind the router.
add action=accept chain=forward dst-port=22 protocol=tcp src-address=
172.19.254.0/24
add action=drop chain=forward
# srcnat "accept" rules: matching traffic leaves the NAT chain untranslated (the
# usual way to exempt VPN traffic from NAT).
# NOTE(review): src-address=0.0.0.0 has no prefix length and therefore matches a
# single host; 0.0.0.0/0 was presumably meant - confirm. No masquerade or src-nat
# rule appears in this minimal config, so these exemptions currently exempt nothing.
/ip firewall nat
add action=accept chain=srcnat dst-address=172.32.0.0/18 src-address=0.0.0.0
add action=accept chain=srcnat comment=ipsec-vpn-fc14f695-0 dst-address=
169.254.43.253 src-address=169.254.43.254
add action=accept chain=srcnat dst-address=169.254.43.1 src-address=
169.254.43.2
# Two IPsec peers (tunnel 0 and tunnel 1) and four tunnel-mode policies, two per peer.
# NOTE(review): the first peer has no profile=, so it negotiates phase 1 with the
# default profile, while the second uses ipsec-vpn-fc14f695 - confirm this asymmetry
# is intended. No secret= is visible; presumably it was stripped before posting, which
# is the right thing to do. The remote peer addresses are posted unredacted.
/ip ipsec peer
add address=18.184.127.26/32 comment=ipsec-vpn-fc14f695-0 local-address=
XX.XX.31.4
add address=52.28.194.109/32 local-address=XX.XX.31.4 profile=
ipsec-vpn-fc14f695
/ip ipsec policy
# NOTE(review): src-address=0.0.0.0/0 sends traffic from any source towards
# 172.32.0.0/22 into the tunnel, so the forward chain is the only place where the
# permitted sources are restricted. The tunnel-1 policy further down has the same
# selectors; policies are matched in order, so presumably only this one is ever used
# for that prefix - confirm.
add comment=ipsec-vpn-fc14f695-0 dst-address=172.32.0.0/22 proposal=
ipsec-vpn-fc14f695 sa-dst-address=18.184.127.26 sa-src-address=XX.XX.31.4
src-address=0.0.0.0/0 tunnel=yes
# /32 policy for the tunnel-0 inside addresses (169.254.43.254 -> 169.254.43.253).
add comment=ipsec-vpn-fc14f695-0 dst-address=169.254.43.253/32 proposal=
ipsec-vpn-fc14f695 sa-dst-address=18.184.127.26 sa-src-address=XX.XX.31.4
src-address=169.254.43.254/32 tunnel=yes
add comment=ipsec-vpn-fc14f695-1 dst-address=172.32.0.0/22 proposal=
ipsec-vpn-fc14f695 sa-dst-address=52.28.194.109 sa-src-address=XX.XX.31.4
src-address=0.0.0.0/0 tunnel=yes
# /32 policy for the tunnel-1 inside addresses (169.254.43.2 -> 169.254.43.1).
add comment=ipsec-vpn-fc14f695-1 dst-address=169.254.43.1/32 proposal=
ipsec-vpn-fc14f695 sa-dst-address=52.28.194.109 sa-src-address=XX.XX.31.4
src-address=169.254.43.2/32 tunnel=yes
# Static routes, router identity and RouterBOARD boot setting.
/ip route
# Default route via the upstream gateway; the internet-vrrp-on-master/on-backup
# scripts in this export rewrite its gateway.
add distance=1 gateway=YY.YY.82.169
# Route rewritten by the GC-net-vrrp-on-master/on-backup scripts.
add distance=1 dst-address=172.19.0.0/16 gateway=172.32.253.2
# Two routes to the same prefix with the same distance, one per tunnel inside address.
add distance=1 dst-address=172.32.0.0/22 gateway=169.254.43.253
add distance=1 dst-address=172.32.0.0/22 gateway=169.254.43.1
/system identity
set name=Hero2
/system routerboard settings
set silent-boot=no
# Scripts: two manual role switches that set the priority of every VRRP instance, and
# four VRRP on-master/on-backup hooks that rewrite a route's gateway.
# NOTE(review): every script carries the full policy set (including password, sniff,
# sensitive, romon and reboot) although each source only runs "/interface vrrp set"
# or "/ip route set", which appear to need no more than read and write - trim the
# policies to what the commands require and confirm on a test router.
# NOTE(review): the typographic quotes are presumably a forum artefact; RouterOS
# expects straight double quotes.
/system script
add dont-require-permissions=no name=“set as backup” owner=admin policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=
“/interface vrrp set [/interface vrrp find] priority=100”
add dont-require-permissions=no name=“set as primary” owner=admin policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=
“/interface vrrp set [/interface vrrp find] priority=210”
# On becoming master for Internet-vrrp: point the default route at the upstream gateway.
add dont-require-permissions=no name=internet-vrrp-on-master owner=admin
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
source=
“/ip route set gateway=YY.YY.82.169 [find dst-address=0.0.0.0/0]”
# On becoming backup: point the default route at 172.32.100.1 (the Management-vrrp address).
add dont-require-permissions=no name=internet-vrrp-on-backup owner=admin
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
source=“/ip route set gateway=172.32.100.1 [find dst-address=0.0.0.0/0]”
# Same pattern for the 172.19.0.0/16 route, driven by GC-net-vrrp.
add dont-require-permissions=no name=GC-net-vrrp-on-master owner=admin
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
source=
“/ip route set gateway=172.32.253.2 [find dst-address=172.19.0.0/16]”
add dont-require-permissions=no name=GC-net-vrrp-on-backup owner=admin
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
source=
“/ip route set gateway=172.32.100.1 [find dst-address=172.19.0.0/16]”
# Packet sniffer filter limited to one host (172.32.253.33).
# NOTE(review): this looks like a troubleshooting leftover; captures can contain
# sensitive traffic, so make sure the sniffer is stopped and any saved capture file
# is removed once the investigation is over.
/tool sniffer
set filter-ip-address=172.32.253.33/32