Hi, I am unable to ping any IP from MikroTik. MAC ping is working but I am unable to ICMP anything. Any way to troubleshoot the ICMP service apart from rebooting the device?
Note: there are no firewall rules blocking ICMP. It stopped working automatically.
Try running /tool torch interface-name ip-protocol=icmp src-address=0.0.0.0/0 dst-address=0.0.0.0/0 and ping something which is accessible via that interface. If you can see only TX-PACKETS counting and RX-PACKETS stays at 0, the machine is pinging but the responses don’t come (so a firewall on the remote side may be the culprit); if you can see both directions counting, the responses are coming and either your firewall settings got corrupted or the software module in RouterOS responsible for pinging has a problem.
Do you have an action=accept connection-state=established,related rule as the first non-dynamic one in chain=input of /ip firewall filter?
There are no firewall rules at all.
[admin@MikroTik] /ip firewall> expo
sep/12/2018 00:01:24 by RouterOS 6.39.2
software id = ********
/ip firewall connection tracking
set enabled=no
[admin@MikroTik] /ip firewall>
I am unable to ping anything, so I am pretty sure there is no issue on the remote side.
Torch doesn’t show either TX or RX. It’s blank, so it seems the software module which pings is the culprit. Any way to restart the service responsible for ping without rebooting the whole router?
Assuming you did run the torch in one window and ping from another one, watching the torch, then yes, this looks like the pinging module is dead. And no, there is no way to restart a software module individually from the RouterOS CLI or GUI; a complete reboot is the only way.
Will restart the router for now. Can this be due to 100’s of static routes with check-gateway=ping enabled? Should I avoid using ping to check gateways?
I’m not a MikroTik SW developer, but “hundreds” (i.e. less than 2000) of static routes each checking its gateway using pings mean just “tens” (i.e. less than 200) of ping request/response pairs per second, and the machine should hardly notice such a load. If you don’t have a sound reason for staying at 6.39.2, maybe you could use the occasion to upgrade to at least 6.40.9 (bugfix), which still uses the same L2 concept as 6.39.2. As you don’t have any firewall rules, I suppose the device is deep in a private network, so security patches may seem less important, but the newer version may also fix the issue you’ve noticed. I’d strongly recommend generating and downloading a supout.rif before the reboot and sending it to support@mikrotik.com with an issue description or a link to this topic.
Did as you said. Thanks for your time.