VPN traffic traveling through MKT is limited to 10 tunnels?

Hi,

I have a MK device (rb500R5, 2.9.46 OS) without conntrack, routing traffic between ether1 and wlan1 (SR2) and wlan2 (SR5). Just to mention that OSPF is deciding whether wlan1 or wlan2 is the default gateway.
On the eth side, there is a Cisco device tunneling traffic (IPSEC) to 18 remote sites.
This device is using Dynamic Multipoint Virtual Private Network from cisco.

The problem appears when the 11th tunnel is opening. It seems that signaling is lost for this one, so no more tunnels are possible. If tunnel 3 (for example) is closed, the mentioned 11th connects in its place with no other problems. Then no more tunnels are connecting again. It seems keepalives are being discarded when > 10.

Ideas would be greatly appreciated!
Thanks

What level is the RouterOS licence?

Regards
Leon

Level 4

IPSec is not limited by the license level,
http://www.mikrotik.com/pricelist.php?sect=1

Check the logs for errors.

I assume it is not limited because in fact, this traffic is not generated by the device. It is traffic flowing through it.

I have more information about the case:
Negotiations seem to complete for all the tunnels. The problem is keepalive traffic; I think it is protocol 50. This is the traffic that dies after the 10th packet, so 'high' tunnels are dropped because of the lost packets.

Are you doing NAT between the Cisco and the Internet? If so, then protocol 50 (ESP) will have problems and you should use UDP encapsulation (NAT-T) for the VPN traffic.

Have you tried turning on connection tracking? Without it, RouterOS will drop all fragments.

Regards

Andrew
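An added example, not code from this thread: a small Python checker for the two conditions Andrew raises. It parses constructed IPv4 packets and reports which are plain ESP (protocol 50), which are UDP/4500 NAT-T, and which are fragments, the class a stateless router with conntrack off would drop. The header layout is standard IPv4; the sample packets are constructed here, not captured.

```python
import struct
from collections import Counter

ESP_PROTO = 50      # IP protocol number for ESP
UDP_PROTO = 17
NAT_T_PORT = 4500   # UDP port used for NAT-T encapsulated ESP


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed IPv4 header and, for unfragmented UDP, the port pair."""
    (ver_ihl, _tos, _total_len, _ident, flags_frag, _ttl,
     proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    more_fragments = bool(flags_frag & 0x2000)   # MF flag
    frag_offset = flags_frag & 0x1FFF            # non-zero on later fragments
    info = {"proto": proto, "fragment": more_fragments or frag_offset > 0,
            "nat_t": False}
    # Ports are only present (and meaningful) in the first fragment.
    if proto == UDP_PROTO and frag_offset == 0 and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        info["nat_t"] = NAT_T_PORT in (sport, dport)
    return info


def classify(pkt: bytes) -> str:
    """Label a packet the way a troubleshooting capture review would."""
    info = parse_ipv4(pkt)
    if info["fragment"]:
        return "fragment"   # dropped by RouterOS when conntrack is off
    if info["proto"] == ESP_PROTO:
        return "esp"        # breaks behind NAT; NAT-T avoids this
    if info["nat_t"]:
        return "nat-t"
    return "other"


def make_ipv4(proto: int, flags_frag: int = 0, payload: bytes = b"") -> bytes:
    """Build a minimal constructed IPv4 packet (checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1,
                      flags_frag, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def summarize(pkts) -> dict:
    """Count packets per class, e.g. over the packets read from a capture."""
    return dict(Counter(classify(p) for p in pkts))
```

Run summarize() over the packets of a capture taken on ether1 while the 11th tunnel comes up; a non-zero "fragment" count with conntrack off points at the fragment drop rather than a tunnel limit.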

No NAT at all… and conntrack has been tested ON and OFF.

Other information I have been able to get: we are having CRC errors on the Ethernet (reported on the Cisco side). Could that be a problem for this traffic?

Post the error messages.

While we're at it, do debug crypto isakmp and debug crypto ipsec reveal any problems?

Regards

Andrew

If conntrack is off and you are just routing traffic, I would say the problem is with the two endpoints, not RouterOS. Maybe Cisco wants more money for more tunnels or something.

I'm going to do the debugging and post the results.

About licensing for ci$co, it is not the problem: using an alternative gateway works fine.