Topic Author
Posts: 40
Joined: Fri Aug 03, 2012 12:47 pm

IPSEC is getting random encryption issue

Thu Oct 08, 2020 5:55 am

We have deployed a MikroTik CHR in a cloud environment and managed to establish a connection to our client's backend, which is using a Fortigate.

However, since the deployment 2 months ago we have been getting random "disconnection" issues. The so-called disconnection is not really a disconnection, because from both ends it still shows as connected. Then we found that there is an encryption issue that causes the client side to receive jumbled messages that are not valid. We can do a manual reconnection to re-establish the encryption key, which resolves the issue. However, this has been happening at random, once every few days, sometimes 2 times per day.

I have been checking with MikroTik support on this issue, but it was not resolved. They said it is not a MikroTik issue and asked us to check with the external network or the client's side.

The thing is, this issue doesn't show up in debug or any log. I need some more help on this, as others connecting to our client are not reporting such an issue with them. So it has to be from our side.

Recently I found this in the IPsec:
                  in-errors: 0
           in-buffer-errors: 0
           in-header-errors: 0
               in-no-states: 7
   in-state-protocol-errors: 68
       in-state-mode-errors: 0
   in-state-sequence-errors: 0
           in-state-expired: 0
        in-state-mismatches: 0
           in-state-invalid: 0
     in-template-mismatches: 0
             in-no-policies: 10
          in-policy-blocked: 0
           in-policy-errors: 0
                 out-errors: 0
          out-bundle-errors: 0
    out-bundle-check-errors: 0
              out-no-states: 0
  out-state-protocol-errors: 0
      out-state-mode-errors: 0
  out-state-sequence-errors: 0
          out-state-expired: 0
         out-policy-blocked: 0
            out-policy-dead: 0
          out-policy-errors: 0
Also, the encryption issue happened for 25 minutes, and I assume it got resolved when there was a key re-negotiation.
3  E spi=0x60F8DC3F src-address= dst-address=113.23.x.x state=mature 
      auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256 
      addtime=oct/08/2020 10:43:29 expires-in=29m37s add-lifetime=24m19s/30m24s 
      current-bytes=8649 current-packets=52 replay=128 
Look at the add-lifetime: from the doc, it is the soft/hard time for reconnection. That means it was a "soft" disconnection, and after 25 min a reconnection fixed the issue.

If I am right, it means that every time a soft reconnection happens, there is a small chance that the encryption negotiation fails. As such, without doing anything, we need to wait 25 minutes for the next soft connection to establish the soft encryption again. Am I right to assume this? Where do I change this soft reconnection time?
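As an added illustration (not the poster's or MikroTik's code): a small Python check that parses the installed-SA entry and the statistics counters quoted above, works out when the soft rekey is due, and flags the pattern described in the post, a mature SA whose in-state-protocol-errors counter keeps climbing between two polls. It assumes that expires-in counts down to the hard lifetime, and the sample values are constructed, not real captures.

```python
import re

# Constructed sample modelled on the installed-SA line quoted in the post.
SA_TEXT = """3  E spi=0x60F8DC3F src-address= dst-address=113.23.x.x state=mature
      auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256
      addtime=oct/08/2020 10:43:29 expires-in=29m37s add-lifetime=24m19s/30m24s
      current-bytes=8649 current-packets=52 replay=128"""

# Constructed statistics snapshots taken a few minutes apart (values are made up).
STATS_BEFORE = {"in-no-states": 7, "in-state-protocol-errors": 68, "in-no-policies": 10}
STATS_AFTER = {"in-no-states": 7, "in-state-protocol-errors": 75, "in-no-policies": 10}


def parse_duration(text):
    """Convert a RouterOS duration such as '29m37s' or '1h5m' into seconds."""
    units = {"d": 86400, "h": 3600, "m": 60, "s": 1}
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([dhms])", text))


def parse_sa(text):
    """Flatten a multi-line installed-SA entry into a dict and decode its lifetimes."""
    fields = dict(re.findall(r"(\S+)=(\S*)", " ".join(text.split())))
    soft, hard = fields["add-lifetime"].split("/")  # soft/hard, as printed by RouterOS
    return {
        "spi": fields["spi"],
        "state": fields["state"],
        "soft_lifetime_s": parse_duration(soft),
        "hard_lifetime_s": parse_duration(hard),
        "expires_in_s": parse_duration(fields["expires-in"]),
    }


def counter_deltas(before, after):
    """Return the counters that increased between two statistics snapshots."""
    return {k: after[k] - before.get(k, 0) for k in after if after[k] > before.get(k, 0)}


def assess(sa, before, after):
    """Estimate time to the soft rekey and flag a mature SA with growing protocol errors."""
    deltas = counter_deltas(before, after)
    # Assumption: expires-in counts down to the hard lifetime, so age = hard - expires-in.
    age = sa["hard_lifetime_s"] - sa["expires_in_s"]
    return {
        "soft_rekey_in_s": max(sa["soft_lifetime_s"] - age, 0),
        "growing_counters": deltas,
        "suspect": sa["state"] == "mature" and "in-state-protocol-errors" in deltas,
    }


if __name__ == "__main__":
    print(assess(parse_sa(SA_TEXT), STATS_BEFORE, STATS_AFTER))
```

Polling the two RouterOS outputs on a schedule and feeding them through assess() gives a timestamp for each burst of protocol errors, which can then be lined up against the SA addtime to confirm or rule out the rekey theory.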
