MikroTik App

IPSEC duplicated when restart device

Tue Jan 12, 2021 6:22 pm

I have 2 RB951G connected site to site with IPSEC.

When the second device restarts, the IPSEC connection is duplicated, adding a "_" after the last name character, and the connection can't be established. I need to access it and delete that second connection from active peers, identities and peers. After doing that, the connection is correctly established. I do all the process using winbox.

Actually I'm monitoring that by checking the uptime using ssh remotely every 10 minutes, so if the time is restarted, it sends me a message to notify me.

I have 2 questions:

1 - How can I detect why the connection is duplicated?
2 - How can I delete the second connection using the command line?

Thanks in advance
Forum Guru

Re: IPSEC duplicated when restart device

Wed Jan 13, 2021 5:00 pm

My first question is which version of RouterOS you are running.

Regarding question 1:
  • Does the "second device" have a public IP address directly on itself or is it behind some NAT?
  • At that device, have you changed send-initial-contact parameter of the peer representing the "first device" to no from the default value yes?
  • When you mention that you have to delete the second connection not only from active-peers but also from the peer and identity tables, are the rows in /ip ipsec peer and /ip ipsec identity marked as dynamic or not? Can you show the output of /ip ipsec peer print detail, /ip ipsec active-peers print detail, /ip ipsec identity print detail, and /ip ipsec export hide-sensitive during that strange state (don't forget to change the secret value in the identity print before posting)?
Regarding question 2:
You can schedule a script to run every minute, which will check for the presence of two active peers which differ just by the underscore in the name, and remove the one with the underscore from the tables from which it needs to be removed. But that should be only a workaround if the root cause cannot be resolved.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
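The scheduled cleanup described in the reply above, as an added RouterOS script example that is not part of the original post. It assumes the RouterOS v6 IPsec menus (/ip ipsec peer, identity, active-peers), that the stale copy is the peer whose name ends in "_" while the original name still exists, and that the active SA can be terminated with active-peers kill; all of these are assumptions, and the script only removes a duplicate when its original is present.

```routeros
# Added example (not from the original thread): remove an IPsec peer that
# was duplicated with a trailing "_" after a reboot, together with the
# identity rows that reference it. Assumes RouterOS v6 menu layout.
:foreach i in=[/ip ipsec peer find] do={
    :local n [/ip ipsec peer get $i name]
    :local last [:pick $n ([:len $n] - 1)]
    :if ($last = "_") do={
        # name without the trailing underscore
        :local base [:pick $n 0 ([:len $n] - 1)]
        # act only if the original peer still exists, so a peer that was
        # deliberately named with an underscore is left alone
        :if ([:len [/ip ipsec peer find name=$base]] > 0) do={
            :log warning ("ipsec-dedupe: removing duplicate peer " . $n)
            # assumption: the duplicate's address matches the original's,
            # so kill the active SA established towards it (if any)
            :local addr [/ip ipsec peer get $i address]
            /ip ipsec active-peers kill [find where remote-address=$addr]
            # identities that point at the duplicate peer
            /ip ipsec identity remove [find where peer=$n]
            # finally the duplicate peer entry itself
            /ip ipsec peer remove $i
        }
    }
}
# Store the body above as a script named "ipsec-dedupe" under /system script,
# then run it every minute:
# /system scheduler add name=ipsec-dedupe interval=1m on-event=ipsec-dedupe
```

Review the /log output after the first run to confirm it only touched the "_" entry; if the original peer is also missing in that state, the root-cause questions above still need answering.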
