However, since the deployment 2 months ago we have been getting random "disconnection" issues. The so-called disconnection is not really a disconnection, because from both ends it still shows as connected. Then we found that there is an encryption issue which causes the client side to receive jumbled messages which are not valid. We can do a manual reconnection to re-establish the encryption key again, which resolves the issue. However, this has been happening at random, once every few days. Sometimes 2 times per day.
I have been checking with Mikrotik support on this issue but it was not resolved. They said it is not a Mikrotik issue and asked us to check with the external network or the client's side.
The thing is, this issue doesn't show up in debug or any log. I need some more help on this, as others connecting to our client are not reporting such an issue with them. So it has to be from our side.
Recently I found this in the IPsec:
Also, the encryption issue lasts for 25 minutes, and I assume it gets resolved when there is a key re-negotiation.
in-errors: 0 in-buffer-errors: 0 in-header-errors: 0 in-no-states: 7 in-state-protocol-errors: 68 in-state-mode-errors: 0 in-state-sequence-errors: 0 in-state-expired: 0 in-state-mismatches: 0 in-state-invalid: 0 in-template-mismatches: 0 in-no-policies: 10 in-policy-blocked: 0 in-policy-errors: 0 out-errors: 0 out-bundle-errors: 0 out-bundle-check-errors: 0 out-no-states: 0 out-state-protocol-errors: 0 out-state-mode-errors: 0 out-state-sequence-errors: 0 out-state-expired: 0 out-policy-blocked: 0 out-policy-dead: 0 out-policy-errors: 0
Look at the add-lifetime: from the doc, it says this is the soft/hard reconnection time. That means it was a "soft" disconnection, and after 25 min a reconnection fixed the issue.
3 E spi=0x60F8DC3F src-address=192.168.39.33 dst-address=113.23.x.x state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256 auth-key="bf6fe56256b324ba23b1ab34c052ac1xxxxx" enc-key="30bffa0efb093f92f69e0add90c6087e93e9b3exxxxx" addtime=oct/08/2020 10:43:29 expires-in=29m37s add-lifetime=24m19s/30m24s current-bytes=8649 current-packets=52 replay=128
If I am right, it means every time a soft reconnection happens, there is a small chance that the encryption negotiation fails. As such, without doing anything we need to wait 25 minutes for the next soft reconnection to re-establish the encryption. Am I right to assume this? Where do I change this soft reconnection time?
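The two outputs quoted in the post (the IPsec statistics counters and the installed SA entry) can be parsed so that the soft/hard lifetime figures and the non-zero error counters are pulled out and trended across the outage windows, instead of being read by eye each time. The script below is an added example, not part of the original post and not RouterOS's own tooling; the sample strings are constructed from the outputs quoted above (the redacted key material is omitted), and the calculation of elapsed SA time as hard lifetime minus expires-in is an assumption about how those two fields relate.

```python
import re

# Constructed sample input: the SA entry quoted in the post, with auth-key/enc-key omitted.
SA_LINE = ('3 E spi=0x60F8DC3F src-address=192.168.39.33 dst-address=113.23.x.x state=mature '
           'auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256 '
           'addtime=oct/08/2020 10:43:29 expires-in=29m37s add-lifetime=24m19s/30m24s '
           'current-bytes=8649 current-packets=52 replay=128')

# Constructed sample input: the statistics counters quoted in the post.
STATS_LINE = ('in-errors: 0 in-buffer-errors: 0 in-header-errors: 0 in-no-states: 7 '
              'in-state-protocol-errors: 68 in-state-mode-errors: 0 in-state-sequence-errors: 0 '
              'in-state-expired: 0 in-state-mismatches: 0 in-state-invalid: 0 '
              'in-template-mismatches: 0 in-no-policies: 10 in-policy-blocked: 0 '
              'in-policy-errors: 0 out-errors: 0 out-bundle-errors: 0 out-bundle-check-errors: 0 '
              'out-no-states: 0 out-state-protocol-errors: 0 out-state-mode-errors: 0 '
              'out-state-sequence-errors: 0 out-state-expired: 0 out-policy-blocked: 0 '
              'out-policy-dead: 0 out-policy-errors: 0')

DURATION_RE = re.compile(r'(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?')
# key=value pairs; a value is either quoted or a token, optionally followed by a hh:mm:ss
# time (so that addtime=oct/08/2020 10:43:29 is kept together as one value).
FIELD_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+(?: \d{2}:\d{2}:\d{2})?)')


def parse_duration(text):
    """Convert a RouterOS-style duration such as '24m19s' or '1h2m3s' into seconds."""
    m = DURATION_RE.fullmatch(text)
    if not m or not any(m.groups()):
        raise ValueError(f'bad duration: {text!r}')
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s


def fmt_duration(seconds):
    """Render seconds back in the same h/m/s notation for readable reports."""
    h, rem = divmod(seconds, 3600)
    m, s = divmod(rem, 60)
    return ''.join(f'{v}{u}' for v, u in ((h, 'h'), (m, 'm'), (s, 's')) if v) or '0s'


def parse_sa(line):
    """Pull the lifetime-related fields out of one installed-SA print line."""
    fields = dict(FIELD_RE.findall(line))
    soft, hard = fields['add-lifetime'].split('/')   # soft/hard, as shown in the post
    return {
        'spi': fields['spi'],
        'state': fields['state'],
        'soft_lifetime_s': parse_duration(soft),
        'hard_lifetime_s': parse_duration(hard),
        'expires_in_s': parse_duration(fields['expires-in']),
    }


def sa_rekey_status(sa):
    """Where this SA sits relative to its soft and hard lifetimes.

    Assumption: expires-in counts down to the hard lifetime, so elapsed = hard - expires-in.
    """
    elapsed = sa['hard_lifetime_s'] - sa['expires_in_s']
    until_soft = sa['soft_lifetime_s'] - elapsed
    if elapsed < sa['soft_lifetime_s']:
        phase = 'before-soft'      # no rekey due yet
    elif elapsed < sa['hard_lifetime_s']:
        phase = 'past-soft'        # soft lifetime reached: a rekey should be in progress
    else:
        phase = 'expired'          # hard lifetime reached: SA should be gone
    return {'elapsed_s': elapsed, 'until_soft_s': until_soft, 'phase': phase}


def parse_stats(text):
    """Turn the flat 'name: value' statistics output into a dict of ints."""
    return {k: int(v) for k, v in re.findall(r'([\w-]+): (\d+)', text)}


def nonzero_counters(stats):
    """Only the counters that moved; these are the ones worth trending across outages."""
    return {k: v for k, v in stats.items() if v}


if __name__ == '__main__':
    sa = parse_sa(SA_LINE)
    status = sa_rekey_status(sa)
    print(f"SA {sa['spi']} ({sa['state']}): soft={fmt_duration(sa['soft_lifetime_s'])} "
          f"hard={fmt_duration(sa['hard_lifetime_s'])} elapsed={fmt_duration(status['elapsed_s'])} "
          f"next soft rekey in {fmt_duration(status['until_soft_s'])} [{status['phase']}]")
    for name, value in nonzero_counters(parse_stats(STATS_LINE)).items():
        print(f'{name}: {value}')
```

Running it against the quoted entry reports the SA as 47 seconds old with the next soft rekey due in 23m32s, and lists in-no-states, in-state-protocol-errors and in-no-policies as the only counters that are non-zero. Capturing both outputs on a schedule and feeding them through this lets you line up counter increments with the timestamps of the reported jumbled-traffic windows.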