Hi!
For a short story, see post #2.
I have used IPsec many times with MikroTik, and this time the setup was no different, but it is acting really strange. The tunnel uses 172.16.14.176/29, where .177 is the MikroTik's IP, which is then the default gateway for the rest of the devices (.178-.181) on this network. Now, my servers trying to talk to these IPs are on another subnet, 172.16.0.0/24, which is on a VLAN into the Cisco ASA, which is the other end of the IPsec tunnel.
This has worked perfectly so many times before, but now the problem begins. My primary server 172.16.0.115 cannot talk to 172.16.14.178 or .179, but the MikroTik at .177 works, and .180 and .181 too. My backup server at 172.16.0.116 can talk to all IPs .14.177-.14.181. ARP issues, I thought, so I checked the MikroTik ARP table and it shows correct entries for the .178 and .179 IPs. Many other computers on other subnets can also talk to .178 and .179, but not the primary server. I checked its routing table in case something had sneaked in there, but no, it looks ok.
I used the MikroTik packet sniffer to watch the ethernet ports associated with these IPs, and no packets from this server's IP exit the interface when pinging or trying other protocols against .178 and .179, as they do when the secondary server does the same. I did a traceroute from the primary server to .178, and the last IP to respond is the MikroTik at .177, then timeout. Traceroute to .180 and .181 goes through all the way. .178 and .180 are on the same physical port on the MikroTik, and .179 and .181 are on another. It is as if the MikroTik dislikes the primary server and throws its packets away for these two IPs.
Using the latest firmware, 6.48.2, on the RB450G. No firewall rules.
My temporary solution to this was to point the primary server to the MikroTik IP .177 instead and add dst-nat on the MikroTik's IP .177 for my specific TCP ports, letting the MikroTik redirect the packets' destination IPs to .178 and .179 instead. I did not have to use src-nat/masquerade, so packets find their way back without altering the source IP. I don't have access to the device today, so I can't post a config, but it is basically what I showed in this other thread, only using a single tunnel on this device: viewtopic.php?f=2&t=173704&p=849681#p849681
What the hell is going on here? This should "just work", so I don't have many ideas about where to start looking :(
Any tips?
Thanks,
David