
Can't update Installed SAs

Posted: Tue Jul 09, 2019 9:24 am
by calandri
Hi all,
I've always had an IPSec tunnel between two Mikrotiks (using public IP) and everything has always worked well.
Today I had to change one of the two public IPs designated for the tunnel. I updated the configuration with the new IP in the peer, the NAT, the route etc.

The Peer is established correctly (Active Peers > State=established). The problem is that the Installed SAs still remain with old IP, so the Phase 2 is not successful.

I've already tried to reboot both Mikrotiks and also to use the Flush button, but the Installed SAs still remain with the old IP.

Any suggestion?

Re: Can't update Installed SAs

Posted: Tue Jul 09, 2019 9:58 pm
by sindy
Have you also updated the sa-dst-address in /ip ipsec policy? If yes, post both configurations, see my automatic signature below regarding anonymisation.

Re: Can't update Installed SAs

Posted: Wed Jul 10, 2019 10:31 am
by calandri
> Have you also updated the sa-dst-address in /ip ipsec policy? If yes, post both configurations, see my automatic signature below regarding anonymisation.

No. I would do it willingly, but it is not an editable field:

Image

P.S.
I currently run v6.45.1 and I have seen in 6.46beta6 this change:

*) ipsec - improved stability for peer initialization (introduced in v6.45)

Maybe it could be this problem...

Re: Can't update Installed SAs

Posted: Wed Jul 10, 2019 10:43 am
by sindy
If disabling and re-enabling one of the peers doesn't help, post your configuration exports (check my automatic signature below for anonymization hints). If you cannot change sa-dst-address manually, it had to be created dynamically and thus it should follow peer address.

Re: Can't update Installed SAs

Posted: Wed Jul 10, 2019 5:10 pm
by eworm
Looks like there is still a bug with dynamic policies and addresses. I am suffering a similar issue where I have duplicate policies, one with old dynamic address, one with new dynamic address. I am already in contact with Mikrotik support.
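
An offline check for the two symptoms reported in this thread (installed SAs or a policy still pointing at the old address, and duplicate policies), as an added example that is not part of any poster's message and not MikroTik code. The key=value record layout, the `peer` key linking a policy to its peer, and all addresses and SPIs are constructed assumptions; adapt the parsing to your own export.

```python
import re
from collections import defaultdict

# Constructed sample records (documentation addresses), not router output.
# Assumption: each policy names its peer through a "peer" key.
PEERS = "name=site-b address=198.51.100.20/32"
POLICIES = """\
peer=site-b src-address=10.1.0.0/24 dst-address=10.2.0.0/24 sa-dst-address=203.0.113.10
peer=site-b src-address=10.1.0.0/24 dst-address=10.2.0.0/24 sa-dst-address=198.51.100.20
"""
INSTALLED_SAS = """\
spi=0x1A2B3C4 src-address=192.0.2.1 dst-address=203.0.113.10
spi=0x5D6E7F8 src-address=203.0.113.10 dst-address=192.0.2.1
"""
LOCAL = "192.0.2.1"  # this router's own public address (constructed)

def parse(text):
    """Turn each non-empty line of key=value pairs into a dict."""
    return [dict(re.findall(r"([\w-]+)=(\S+)", line))
            for line in text.splitlines() if line.strip()]

def host(addr):
    """Drop an optional /prefix so 198.51.100.20/32 equals 198.51.100.20."""
    return addr.split("/")[0]

def audit(peers, policies, sas, local):
    """Return (kind, detail) findings for stale or duplicated IPsec state."""
    peer_addr = {p["name"]: host(p["address"]) for p in parse(peers)}
    valid = set(peer_addr.values()) | {local}
    findings, groups = [], defaultdict(list)
    for pol in parse(policies):
        expected = peer_addr.get(pol.get("peer"))
        # A policy whose tunnel endpoint differs from its peer's address.
        if expected and host(pol["sa-dst-address"]) != expected:
            findings.append(("stale-policy", pol["sa-dst-address"]))
        groups[(pol.get("peer"), pol["src-address"], pol["dst-address"])].append(pol)
    for (_, src, dst), group in groups.items():
        # Same peer and same traffic selectors more than once.
        if len(group) > 1:
            findings.append(("duplicate-policy", f"{src}->{dst}"))
    for sa in parse(sas):
        # An SA is stale if either endpoint is neither local nor a current peer.
        if {host(sa["src-address"]), host(sa["dst-address"])} - valid:
            findings.append(("stale-sa", sa["spi"]))
    return findings

if __name__ == "__main__":
    for kind, detail in audit(PEERS, POLICIES, INSTALLED_SAS, LOCAL):
        print(kind, detail)
```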

Re: Can't update Installed SAs

Posted: Wed Jul 10, 2019 6:02 pm
by calandri
> Looks like there is still a bug with dynamic policies and addresses. I am suffering a similar issue where I have duplicate policies, one with old dynamic address, one with new dynamic address. I am already in contact with Mikrotik support.

Thanks, I assumed it was a bug. I am also in contact with Mikrotik's support.

Re: Can't update Installed SAs

Posted: Fri Jul 12, 2019 7:58 am
by calandri
I solved the problem by performing the downgrade from stable v6.45.1 to long term v6.44.5

Re: Can't update Installed SAs

Posted: Mon Jul 15, 2019 8:13 am
by saifulslm09
> I solved the problem by performing the downgrade from stable v6.45.1 to long term v6.44.5

Could you please tell me the procedure for downgrading RouterOS? I tried, but it stayed at v6.45.1. I want to downgrade to v6.44.5.