Mon Aug 06, 2018 12:31 am
Not sufficient information (your rule may be at the wrong position in the chain), but most likely the lifetime of the connection in the firewall's connection tracker (180s for UDP) is longer than the pause between the L2TP failure and the re-connection attempt following the failure, so the connection tracker treats an actually new connection to the same destination as if it were the old one. This happens (if it does) because RouterOS follows the L2TP recommendation, so although it is acting as a client, it also uses port 1701 on the local side, and the connection tracker therefore cannot distinguish between the old and the new attempt, as all the distinctive fields of a UDP connection (local IP and port, remote IP and port) are the same.
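The behaviour described above, as an added Python model that is not RouterOS code: a toy UDP connection tracker with a 180 s entry lifetime, showing that an L2TP retry from local port 1701 within that lifetime is matched to the stale entry (so a rule on connection-state=new never sees it), while a retry after the lifetime, or one sent from a different local port, produces a new entry. The addresses and the tracker itself are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

UDP_TIMEOUT = 180.0  # seconds; the UDP entry lifetime quoted in the post

# (local_ip, local_port, remote_ip, remote_port): the fields a UDP tracker keys on
FlowKey = Tuple[str, int, str, int]


@dataclass
class Entry:
    created: float
    last_seen: float


class ConnTracker:
    """Minimal stateful UDP tracker (constructed model, not the RouterOS implementation)."""

    def __init__(self, timeout: float = UDP_TIMEOUT) -> None:
        self.timeout = timeout
        self.table: Dict[FlowKey, Entry] = {}

    def see_packet(self, key: FlowKey, now: float) -> str:
        """Return 'new' when a fresh entry is created, 'established' when the
        packet is matched to an entry that has not yet timed out."""
        entry = self.table.get(key)
        if entry is not None and now - entry.last_seen < self.timeout:
            entry.last_seen = now      # a live entry is refreshed, not replaced
            return "established"
        self.table[key] = Entry(created=now, last_seen=now)
        return "new"


def l2tp_reconnect_states(pause_seconds: float,
                          first_local_port: int = 1701,
                          retry_local_port: int = 1701) -> Tuple[str, str]:
    """Classify the first L2TP attempt and a retry `pause_seconds` later.
    Constructed sample addresses: client 192.0.2.10, L2TP server 198.51.100.5."""
    ct = ConnTracker()
    first = ct.see_packet(("192.0.2.10", first_local_port, "198.51.100.5", 1701), 0.0)
    retry = ct.see_packet(("192.0.2.10", retry_local_port, "198.51.100.5", 1701),
                          float(pause_seconds))
    return first, retry


if __name__ == "__main__":
    print("retry after 30s, same port 1701:", l2tp_reconnect_states(30))
    print("retry after 200s, same port 1701:", l2tp_reconnect_states(200))
    print("retry after 30s, ephemeral port:", l2tp_reconnect_states(30, 1701, 40001))
```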