Community discussions

 
rahuljj
just joined
Topic Author
Posts: 7
Joined: Thu Mar 05, 2015 6:19 pm

Wierd Problem with Mikrotik

Wed Jun 12, 2019 6:40 am

Hi
I am Running a network is 20 branches connected to a central office , all our routers are Mikrotik, the Central Office router is RB3011. Branch routers are a mix of multiple routers, but all Mikrotik.

All routers updated to the Latest Long Term Release .

The Central and Remote offices are connected with IPIP tunnels with IPsec, and OSPF. Every Remote branch is directly connected to central office and all branches are connected in a ring structure, so every remote is connted with 2 other branches .

The total setup perfect with out any problems except the IPIP interfaces go offline after a few hours like 10 hrs , some times 6 to 7 hours . The Flag 'R' on the IPiP interface goes away , but I noticed the IPsec policy still shows established. No mater what I do , like disable and re-enable , flush the IPsec , nothing brings back the IPIP tunnel to Running state , but If I reboot the router , the IPIP comes back up and works with out any problem .

This happens randomly on all routers some Times, never happen in a full 24 hours . Happens more frequently on The central router RB3011.

Can anyone shed any light on this , why this might be happening.

Regards
Rj
 
User avatar
ingdaka
Member Candidate
Member Candidate
Posts: 159
Joined: Thu Aug 30, 2012 3:06 pm
Location: Albania
Contact:

Re: Wierd Problem with Mikrotik

Wed Jun 12, 2019 11:52 pm

I will try to replace RB3011 with a more powerful router and make all routers update to Current version!
Ilir Daka
Electronic & Network Engineer
E-mail: ilirdaka@live.com
Mob: +355692982151
WhatsApp: +355692982151
Mikrotik Official Consultant
CCNA | Fortinet NSE3 | MTCRE | MTCSE
 
rahuljj
just joined
Topic Author
Posts: 7
Joined: Thu Mar 05, 2015 6:19 pm

Re: Wierd Problem with Mikrotik

Thu Jun 13, 2019 4:59 am

hi
an insight about the load on the router,

at Peak time of the usage, when all 20 Tunnels are up, the peak CPU usage was never more than 15%, i have fast-track enabled.

As said i shall update the routers to Current Stable release and will post the results here.

Side Note : TO test another scenario, I have configured the OVPN on the server, with proper certificates . Configured all clients to connect to the central server with OVPN client, there was never a connection drop for days together, either at the Central office or the remote offices, only downside i noticed using OVPN was that the tunnel b/w capacity came down to almost 50% less compared to IPIP ipsec tunnel. Otherwise i found OVPN is a good option for me in my setup.

Thank you
 
sindy
Forum Guru
Forum Guru
Posts: 3809
Joined: Mon Dec 04, 2017 9:19 pm

Re: Wierd Problem with Mikrotik

Thu Jun 13, 2019 4:02 pm

How bursty is the traffic through the IPIP tunnels? I mean, can it be that there is silence in both directions for minutes? Your firewall rules on either end may prevent IPIP tunnel's transport packets from being accepted if a matching packet hasn't been sent in the opposite direction a few (tens of) seconds ago, so if you haven't used the default values of keepalive for the /interface ipip, the tracked connections for the IPIP transport packets may time out. The fact that the packets come in via an IPsec SA is not enough to make them be accepted unless you have a rule in chain=input of /ip firewall filter which accepts them.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
User avatar
eworm
Member
Member
Posts: 390
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: Wierd Problem with Mikrotik

Fri Jun 14, 2019 8:58 am

I had similar issues with GRE over IPSec, where connection became stuck after packets were send outside IPSec context. For me rejecting unencrypted GRE did the trick. Try something like this on all your routers:
/ ip firewall filter add action=reject chain=output ipsec-policy=out,none protocol=ipip
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
rahuljj
just joined
Topic Author
Posts: 7
Joined: Thu Mar 05, 2015 6:19 pm

Re: Wierd Problem with Mikrotik

Tue Jun 25, 2019 8:21 pm

Hi all i am back again here to post my results,

The crazy problem , IPIP tunnel with Ipsec keeps loosing connectivity every 10 to hours, and the only way to bring back the IPIP tunnels back up is by rebooting the RB3011 router is still present dispite of all the suggestions and fixes suggested in this post above..

To further check the stability of this RB3011, i have configured the OVPN server and had all Client routers connect to the central office thru OVPN clients , and to my surprise, there was not a single instant the remote branch routers was disconnected, all remotes were staying connected for days with out disconnecting.

I did another test, by removing the ipsec from the IPIP tunnels, and here too , there was not a single disconnection happened in days. the moment i added to ipsec encryption to the IPIP tunnels, the problem of IPIP tunnels loosing connectivity was back again.

Its clear that there is problem with Ipsec on Mikrotik. and also i did face this issue only on RB3011 , which is arm based chip set, rest all our branch routers were mmips based .

Lets hope Mikrotik solves this in the future updates.

regards
Rj

Who is online

Users browsing this forum: Bing [Bot] and 100 guests