UDP traffic not flow Fortinet HUB and Mikrotik spoke

Hi, we are trying to configure a Mikrotik as spoke with a Fortinet firewall as HUB (dialup tunnel). The connection is established and working for TCP traffic, but UDP is not working. Mikrotik shows the UDP packets coming from the other side (Fortinet VLAN), but when the traffic arrives at the Mikrotik it is not returned.

Packet capture: source 192.168.110.30 (Fortinet side) arrives at the Mikrotik through the IPsec tunnel but is not returned.

ether1 is WAN port

ether4 is the port where the UDP device is connected

Columns: INTERFACE, TIME, NUM, DIR, SRC-MAC, DST-MAC, SRC-ADDRESS, DST-ADDRESS, PROTOCOL, SIZE, CPU
INTERFACE TIME NUM DIR SRC-MAC DST-MAC SRC-ADDRESS DST-ADDRESS PROTOCOL SIZE CPU
ether1 4.189 1 <- F8:B1:32:4C:AF:A0 48:A9:8A:CF:1B:DE 192.168.110.30:43282 192.168.89.123:30718 ip:udp 46 1
bridge 4.189 2 -> 48:A9:8A:CF:1B:DF 00:80:A3:83:C4:B2 192.168.110.30:43282 192.168.89.123:30718 ip:udp 46 1
ether4 4.189 3 -> 48:A9:8A:CF:1B:DF 00:80:A3:83:C4:B2 192.168.110.30:43282 192.168.89.123:30718 ip:udp 46 1
ether1 4.192 4 <- F8:B1:32:4C:AF:A0 48:A9:8A:CF:1B:DE 192.168.110.30:43282 192.168.89.123:30718 ip:udp 46 1
bridge 4.192 5 -> 48:A9:8A:CF:1B:DF 00:80:A3:83:C4:B2 192.168.110.30:43282 192.168.89.123:30718 ip:udp 46 1
ether4 4.192 6 -> 48:A9:8A:CF:1B:DF 00:80:A3:83:C4:B2 192.168.110.30:43282 192.168.89.123:30718 ip:udp 46 1
ether1 4.193 7 <- F8:B1:32:4C:AF:A0 48:A9:8A:CF:1B:DE 192.168.110.30:43282 192.168.89.123:43282 ip:udp 50 1
bridge 4.193 8 -> 48:A9:8A:CF:1B:DF 00:80:A3:83:C4:B2 192.168.110.30:43282 192.168.89.123:43282 ip:udp 50 1
ether4 4.194 9 -> 48:A9:8A:CF:1B:DF 00:80:A3:83:C4:B2 192.168.110.30:43282 192.168.89.123:43282 ip:udp 50 1
ether1 7.71 10 <- F8:B1:32:4C:AF:A0 48:A9:8A:CF:1B:DE 192.168.110.30:43282 192.168.89.123:30718 ip:udp 46 1
bridge 7.71 11 -> 48:A9:8A:CF:1B:DF 00:80:A3:83:C4:B2 192.168.110.30:43282 192.168.89.123:30718 ip:udp 46 1
ether4 7.71 12 -> 48:A9:8A:CF:1B:DF 00:80:A3:83:C4:B2 192.168.110.30:43282 192.168.89.123:30718 ip:udp 46 1
ether1 7.715 13 <- F8:B1:32:4C:AF:A0 48:A9:8A:CF:1B:DE 192.168.110.30:43282 192.168.89.123:30718 ip:udp 46 1
bridge 7.715 14 -> 48:A9:8A:CF:1B:DF 00:80:A3:83:C4:B2 192.168.110.30:43282 192.168.89.123:30718 ip:udp 46 1
ether4 7.715 15 -> 48:A9:8A:CF:1B:DF 00:80:A3:83:C4:B2 192.168.110.30:43282 192.168.89.123:30718 ip:udp 46 1
ether1 7.719 16 <- F8:B1:32:4C:AF:A0 48:A9:8A:CF:1B:DE 192.168.110.30:43282 192.168.89.123:43282 ip:udp 50 1
bridge 7.719 17 -> 48:A9:8A:CF:1B:DF 00:80:A3:83:C4:B2 192.168.110.30:43282 192.168.89.123:43282 ip:udp 50 1
ether4 7.719 18 -> 48:A9:8A:CF:1B:DF 00:80:A3:83:C4:B2 192.168.110.30:43282 192.168.89.123:43282 ip:udp 50 1

Any ideas?

I have only one IPsec policy; if I mirror it, the TCP traffic stops working.

Thanks
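A check that can be run over a sniffer capture like the one above, added here as an example and not part of the original post: it parses the /tool sniffer rows and reports every flow that was forwarded out of the LAN port without any reply (source and destination swapped) ever being seen coming back on that port, which is exactly the pattern in the capture. The sample rows are constructed in the same shape as the thread's capture; the LAN interface name is a parameter.

```python
# Constructed sample in the shape of the thread's capture: a UDP probe
# that is forwarded to the sensor on ether4 with no reply, plus a TCP
# exchange whose reply does come back through the router.
SAMPLE = """\
ether1 4.189 1 <- F8:B1:32:4C:AF:A0 48:A9:8A:CF:1B:DE 192.168.110.30:43282 192.168.89.123:30718 ip:udp 46 1
bridge 4.189 2 -> 48:A9:8A:CF:1B:DF 00:80:A3:83:C4:B2 192.168.110.30:43282 192.168.89.123:30718 ip:udp 46 1
ether4 4.189 3 -> 48:A9:8A:CF:1B:DF 00:80:A3:83:C4:B2 192.168.110.30:43282 192.168.89.123:30718 ip:udp 46 1
ether1 5.001 4 <- F8:B1:32:4C:AF:A0 48:A9:8A:CF:1B:DE 192.168.110.30:51000 192.168.89.123:22 ip:tcp 60 1
ether4 5.001 5 -> 48:A9:8A:CF:1B:DF 00:80:A3:83:C4:B2 192.168.110.30:51000 192.168.89.123:22 ip:tcp 60 1
ether4 5.004 6 <- 00:80:A3:83:C4:B2 48:A9:8A:CF:1B:DF 192.168.89.123:22 192.168.110.30:51000 ip:tcp 60 1
ether1 5.004 7 -> 48:A9:8A:CF:1B:DE F8:B1:32:4C:AF:A0 192.168.89.123:22 192.168.110.30:51000 ip:tcp 60 1
"""

# Column order of '/tool sniffer packet print' as shown in the thread.
FIELDS = ("iface", "time", "num", "dir", "smac", "dmac", "src", "dst", "proto", "size", "cpu")

def parse_rows(text):
    """Parse sniffer rows into dicts; the 'Columns:' and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[3] not in ("<-", "->"):
            continue  # header, 'Columns:' line or blank line
        rows.append(dict(zip(FIELDS, parts)))
    return rows

def one_way_flows(rows, lan_iface):
    """Return (proto, src, dst) flows sent out lan_iface that never got a reply there.

    A reply is any packet received ('<-') on lan_iface whose source and
    destination are the forwarded packet's destination and source swapped.
    """
    sent = {}        # (proto, src, dst) -> first time the packet went out
    replied = set()  # keys (in the outbound orientation) that saw a reply
    for r in rows:
        if r["iface"] != lan_iface:
            continue
        key = (r["proto"], r["src"], r["dst"])
        if r["dir"] == "->":
            sent.setdefault(key, r["time"])
        else:
            replied.add((r["proto"], r["dst"], r["src"]))  # swap back to outbound key
    return sorted(k for k in sent if k not in replied)

if __name__ == "__main__":
    for proto, src, dst in one_way_flows(parse_rows(SAMPLE), "ether4"):
        print(f"no reply on ether4 for {proto} {src} -> {dst}")
```

A flow listed by this check means the device behind the LAN port received the packet but its answer never came back through the router, which points at the device's own routing (its gateway) rather than at the IPsec policy.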

What version do you have on Mikrotik side ?
If 7.20, please revert back to 7.19.6 if possible. There have been some issues with IPSEC since 7.19.4 which were (partially) solved with 7.19.6 but it's not sure yet everything has been solved with 7.20.

Some users had to revert back from 7.20 to 7.19.6.

Hi, this is the version

/system/routerboard> print
routerboard: yes
board-name: hEX
model: RB750Gr3
revision: r4
serial-number: CC210F8D02A6
firmware-type: mt7621L
factory-firmware: 6.47.10
current-firmware: 6.47.10
upgrade-firmware: 7.19.6

What is the recommended firmware? 7.19.6, or lower? Which version do you think is best for avoiding issues with IPsec?

The problem is only for UDP traffic, TCP works without issues.

Thanks

What version was it before going to 7.20 when it still worked ?
Or did you go straight from 6.47.10 to 7.19.6?

Can you make supout.rif when the problems occur and create a support ticket containing this file ?

I also see your current RouterOS firmware is still on 6.47.10 (check system / routerboard).

I'm new to working with Mikrotik; can you guide me on making the supout.rif? The problem always occurs: it does not work when UDP traffic flows.

As you can see in the packet flow, the UDP packet comes in on ether1 (WAN, IPsec), is then sent to the bridge and to ether4, which is the port where the UDP sensor is. But the reply is not sent back over IPsec; I think it is discarded.

RouterBOARD is on 6.7.10; do you recommend that I upgrade to 7.19.6?

Is "system routerboard upgrade" the command?

Thanks, and sorry for my poor understanding of Mikrotik.

Hello,

To make a supout.rif file, connect to the device through Winbox then click on “Make Supout.rif” on the left side panel towards the bottom. It will then generate it and the supout will appear in the device’s Files menu where you can then right click on it and download it to your computer.

To update your device, go to System > Packages > Check for Updates. You will first have to go through the “upgrade” channel which will bring you to ROS 7.12. Click the Download & Install button and wait for the device to update. Once that’s done, you will need to manually download the ROS 7.19.6 update package from here: https://download.mikrotik.com/routeros/7.19.6/routeros-7.19.6-mmips.npk then drag this file into the Files menu of your device and reboot the device from System > Reboot.

After that has completed, the device should have ROS 7.19.6 installed (you can confirm by looking at the title bar of the Winbox window). Finally, go to System > RouterBOARD > Upgrade and reboot the device once more when it asks you to in order to update the device’s bootloader.

I think @undergl already has RouterOS 7.19.6 installed, because the output says upgrade-firmware: 7.19.6.

To @undergl: it's safe to upgrade the RouterBOARD firmware to match the currently installed RouterOS version. Just click the Upgrade button under System -> RouterBOARD

(or run /system/routerboard/upgrade command) then reboot the router once. You can also click the Settings button, and enable this checkbox:

and the firmware will be kept in sync with the RouterOS version. But this will require an extra reboot after each RouterOS upgrade.

Hi, thanks all for your comments. Now that the RouterBOARD has been upgraded to 7.19.6, the IPsec issue still occurs. TCP traffic works well but UDP does not. I created a supout.rif and I'm going to open a support case.

Hi again, thanks for all your support. Problem solved, my bad... there are no issues in IPsec. The problem was a wrong gateway on the UDP sensor... xD