just joined
Topic Author
Posts: 16
Joined: Mon Mar 27, 2017 5:03 pm

VPN down on failover

Thu Jun 13, 2019 7:31 pm

Hello, I have a failover configuration on two WAN ports, each with a different public IP.

Eth2 = WAN 2 = distance 3
Eth3 = WAN 1 = distance 2 (main connection)

When eth3 fails, internet traffic still works fine with the different WAN IP on eth2.

The VPN for a specific service loses its connection, and I am not able to use it anymore until I manually restart the whole router, disconnecting everyone including VoIP traffic, or until eth3 comes online again.

So the problem is with the VPN. Is there a way I can make the VPN work again without having to restart the whole router or without human intervention, a kind of automatic task, and also have the VPN reconnect over the primary WAN when the link comes back?

I have the latest firmware version installed. This configuration was done by another person and it was supposed to work like that, but we have changed one of the ISPs, keeping the old main link as the backup, so what I have done is only change the IP addresses and distances on each route.

Any information will be very much appreciated, thanks in advance.
Frequent Visitor
Posts: 71
Joined: Tue Feb 26, 2019 12:49 pm

Re: VPN down on failover

Thu Jun 13, 2019 9:18 pm

I do it like this for an L2TP/IPsec client:

1. Add a rule to mark the connections:
/ip firewall mangle
add action=mark-connection chain=output connection-mark=no-mark dst-port=1701,500,4500 new-connection-mark=L2TP_VPN passthrough=yes protocol=udp

2. Add the lines below to the "On Down" script in the PPP profile:
:log warning "L2TP_VPN connection is down"
/ip firewall connection remove [find connection-mark=L2TP_VPN]
Forum Guru
Posts: 4218
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN down on failover

Sat Jun 15, 2019 12:36 am

Or, simpler, just use /ip firewall connection remove [find dst-address~":(5|17|45)00\$" protocol=udp] in the script (if we really talk about L2TP over IPsec here; otherwise different protocols and ports have to be specified), so that you wouldn't need to connection-mark the VPN transport connection specifically.

However, if the VPN client is the MikroTik itself and not a device on its LAN, it should be enough to prevent the src-nat or masquerade rule on WAN from being applied to locally originated packets, so that the VPN connection would not get src-nated. In that case you shouldn't need to remove connections using a script. The reason why they need to be removed is that once a NAT address is assigned to a connection, it never changes, unless it was assigned by a masquerade rule and the interface goes down or gets a new address; in these cases, RouterOS removes masqueraded connections automatically. So if there is an issue further in the network and the WAN doesn't actually go down or change address, the auto-cleanup associated with masquerade is not executed.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
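The two suggestions above (the marked-connection flush in the PPP profile's On Down script, and keeping router-originated packets out of the masquerade rule) combined into one failover configuration, as an added example rather than either poster's own config. Interface names, gateway and VPN server addresses, the LAN subnet, the profile name and the credentials are assumed placeholders.

```routeros
# Added example: two-WAN failover with an L2TP/IPsec client running on the
# router itself. Addresses, interface names, subnet and credentials are
# assumed placeholders (documentation ranges), not values from the thread.

# Failover routes: ether3 (WAN1) is preferred; check-gateway=ping lets
# RouterOS flag the route unreachable and fall back to ether2 (WAN2).
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=2 check-gateway=ping comment="WAN1 main (ether3)"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=3 check-gateway=ping comment="WAN2 backup (ether2)"

# Masquerade LAN sources only. Packets the router originates itself (the
# VPN transport) then never get a NAT address pinned in the connection
# table, which is what otherwise breaks them when the route flips.
/ip firewall nat
add chain=srcnat src-address=192.168.88.0/24 out-interface=ether3 action=masquerade comment="LAN via WAN1"
add chain=srcnat src-address=192.168.88.0/24 out-interface=ether2 action=masquerade comment="LAN via WAN2"

# Mark the router's own IKE/NAT-T/L2TP transport connections so the
# On Down script can find and flush them.
/ip firewall mangle
add chain=output protocol=udp dst-port=500,1701,4500 connection-mark=no-mark \
    action=mark-connection new-connection-mark=L2TP_VPN passthrough=yes

# PPP profile whose on-down script logs the event and drops the stale
# tracked transport connections; the client then retries over whichever
# route is active, without a router reboot.
/ppp profile
add name=l2tp-failover \
    on-down=":log warning \"L2TP_VPN connection is down\"; /ip firewall connection remove [find connection-mark=L2TP_VPN]"

# Variant without the mangle mark: match the tracked entries by
# destination port instead of by connection mark (L2TP/IPsec only).
#   /ip firewall connection remove [find dst-address~":(5|17|45)00\$" protocol=udp]

# The L2TP/IPsec client bound to that profile.
/interface l2tp-client
add name=l2tp-out1 connect-to=192.0.2.10 user=vpnuser password=CHANGE_ME \
    profile=l2tp-failover use-ipsec=yes ipsec-secret=CHANGE_ME disabled=no
```

After a failover, /ip firewall connection print where connection-mark=L2TP_VPN should show only entries whose source is the currently active WAN address; a lingering entry with the old address means the flush did not run.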
