Seems like ever since we upgarded to 6.39.2 we have had an issue with VPN about once a week. It is strange, it still shows our IPSEC tunnels established and connected however they will not pass any traffic. L2TP tunnels simply wont established. There is nothing showing in the log files either. I have tried to go through various sections of the tunnels and disable and re-enable them to see if that helps but nothing does. Only thing that fixes it is a reboot of the Tik. Once a reboot is done everything works great for several days.

Any ideas?

In IP > IPSec, SA tab, try flushing the SA's?

I had an endpoint that was a Cisco. Sometimes Cisco was send a delete message and the Mikrotik would remove the active peer but leave the security associations in place. Then no traffic would happen.

Try turning on logging for IPSec to see if the remote end is trying to connect but can't..

Yes I'm having this problem too. IPSec established but no data. I have 4 GRE over IPSec tunnels to 4 servers with the exact settings but only one tunnel works.

I have tens of GRE over IPsec tunnels on tens of routers (mainly x86 and RB850Gx2) and I haven't had any issues with 6.39.2 or any previous versions for at least a year.

Super strange. I can't force the problem to reproduce. When it does happen it affects all VPN tunnels and all forms of VPN tunnels. When it happens again I will tinker some more and see if I can pin something down.....

I have the same issue. It has gotten to the point that I have a script on every router to kill the IPSec connections and flush the SA's, at the same time on both ends.

I have the same issue. It has gotten to the point that I have a script on every router to kill the IPSec connections and flush the SA's, at the same time on both ends.

Any ideas what the heck is causing it Dave??

No idea at all. And I am unable to force it to happen, so I can't even submit a support request.

Have you enabled IPsec debug logs?
Probably on a remote syslog server since IPsec tends to heavily flood the logs and it's practically impossible to search for anything on them.

Do they show anything useful when the issue occurs?

Is this between MikroTik only or other vendors too?

Are those tunnels directly connected or behind NAT?

My issues are all Mikrotik to Mikrotik. My Mikrotik to Cisco IPsec VPNs never seem to fail.

My issues are all Mikrotik to Mikrotik. My Mikrotik to Cisco IPsec VPNs never seem to fail.

Everything you describe is exactly what is happening on my end however it affects my Tik to Tik tunnels, Tik to Cradlepoint Tunnels, and my generic L2TP tunnels..... So basically anything IPSEC for me goes down. I too am not able to force the issue to happen and there is no consistency of when it happens....

Any update on this guys? I am still on 6.39.2 and wondered if anyone has found a solution to this VPN issue?

Still nothing. As of 6.41rc16, my standard IpSec and my IKEv2 tunnels still die every 2~3 days. My only solution was power cycling the sites every night at the same time. I use DLI Web Power Switches to automatically power cycle them at 3am every day. It's the only way I can guarantee that the VPNs will be up and running when employees start working at 6am.

Yep my tunnels are still doing that too. Strange that no one seems to know what the deal is or what is causing it.

I have noticed often times (but not all the time) this issue surrounds L2TP connections. Like if someone connects to L2TP tunnel but then doesnt disconnect the tunnel before shutting down their computer. The next time they connect it will trigger this issue. Just a commonality I have noticed.....

Please upgrade your router to the latest current or release candidate build and generate supout.rif file when the issue is present on the router and send it to support@mikrotik.com. Will try to see where the problem might be.

Please upgrade your router to the latest current or release candidate build and generate supout.rif file when the issue is present on the router and send it to support@mikrotik.com. Will try to see where the problem might be.

Okay thanks!

Please upgrade your router to the latest current or release candidate build and generate supout.rif file when the issue is present on the router and send it to support@mikrotik.com. Will try to see where the problem might be.

Just submitted a supout.rif file.