steen
Member
Topic Author
Posts: 475
Joined: Sat Oct 23, 2010 2:15 am
Location: Sweden
Contact:

first L2TP UDP package received from

Mon Sep 20, 2021 11:10 pm

Hello Folks!

I have a problem which has been ongoing for a little more than a year regarding L2TP VPN tunnels.
RouterOS is a couple of 6.48.3 CHRs at one end and various physical MikroTik routers at the other end, also running 6.48.3.

At random, classic L2TP VPN (no IPsec) tunnels go down and the logs start filling up with "first L2TP UDP package received from".
The VPN links go down and stay down for a shorter (hours) or longer period (days, weeks...), and then just as suddenly they are up again as if nothing happened, and stay up for a shorter or longer time.

I have never been able to track down the issue; disabling/enabling the L2TP interface at both ends did not work, upgrading the MikroTik devices did not work.

All connections are VPN connections, no NAT in between.
Firewalls at both ends accept UDP ports 1701, 500, 4500 and also ipsec-esp, ipsec-ah.

Anyone who has an idea of what this could be or how to fix it?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: first L2TP UDP package received from

Tue Sep 21, 2021 8:10 am

Debug logs & packet sniffing at both ends are the only way to find out whether it is a RouterOS bug or a network issue.

The L2TP server process may not respond because something is wrong in the initial packet from the client, or because something is broken in the server code. Or the response of the server may not reach the client because there is a temporary change in routing at the CHR. Or the response may not reach the client because there is an issue on the network path between the server and the client. Or the client may not like the response because something is wrong in it, or because something is broken in the client code.

Regarding the firewalls - provided they are based on the default rules of the SOHO models, the only rule you actually need to add is "accept UDP dst-port 1701 in input" at the server. UDP ports 500 and 4500 as well as ipsec-esp and ipsec-ah are irrelevant since you don't use IPsec.

There is usually no problem with storage for sniffing on CHRs, but there may be one at the client device. So for the logging & sniffing, choose a client where the issue is frequent and that has a free USB port for an external disk.
 
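To make the sniffing advice above actionable, here is an added example (it is not code from the thread, from MikroTik, or from RouterOS): a small Python decoder for L2TPv2 control messages (RFC 2661) as they appear in the UDP/1701 payloads of a capture, which reports on which leg of the tunnel handshake an attempt stalls. The "initial packet from the client" is the SCCRQ; the server answers with SCCRP and the client completes with SCCCN. The three-way exchange below is constructed for the example, not a real capture, and the host names branch-router and chr-hub are placeholders.

```python
"""Decode L2TPv2 (RFC 2661) control messages and classify a tunnel-setup attempt.
Added example for this thread; not RouterOS code. Sample packets are constructed."""
import struct

MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                 10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN"}
AVP_MESSAGE_TYPE, AVP_PROTOCOL_VERSION, AVP_HOST_NAME, AVP_ASSIGNED_TUNNEL_ID = 0, 2, 7, 9


def avp(attr, value, mandatory=True):
    """Encode one IETF (vendor 0) AVP: M-bit|length, vendor id, attribute type, value."""
    flags_len = (0x8000 if mandatory else 0) | (6 + len(value))
    return struct.pack("!HHH", flags_len, 0, attr) + value


def build_control(tunnel_id, ns, nr, avps):
    """Control header: T=1, L=1, S=1, Ver=2 -> 0xC802; session id is 0 for tunnel messages."""
    body = b"".join(avps)
    return struct.pack("!HHHHHH", 0xC802, 12 + len(body), tunnel_id, 0, ns, nr) + body


def parse_avps(data):
    """Walk the AVP list; reject truncated or oversized entries instead of guessing."""
    avps, off = {}, 0
    while off < len(data):
        if off + 6 > len(data):
            raise ValueError("truncated AVP header at offset %d" % off)
        flags_len, vendor, attr = struct.unpack("!HHH", data[off:off + 6])
        length = flags_len & 0x03FF
        if length < 6 or off + length > len(data):
            raise ValueError("bad AVP length %d at offset %d" % (length, off))
        avps[(vendor, attr)] = data[off + 6:off + length]
        off += length
    return avps


def parse_control(payload):
    """Return a dict describing a control message, or None for a data (T=0) message."""
    if len(payload) < 12:
        raise ValueError("shorter than an L2TP control header")
    flags, length, tunnel_id, _session_id, ns, nr = struct.unpack("!HHHHHH", payload[:12])
    if not flags & 0x8000:
        return None                                   # T=0: payload is a data message
    if (flags & 0x000F) != 2:
        raise ValueError("not L2TPv2 (version %d)" % (flags & 0x000F))
    if not (flags & 0x4000 and flags & 0x0800):
        raise ValueError("control message without L and S bits")
    if length > len(payload):
        raise ValueError("length field %d exceeds payload %d" % (length, len(payload)))
    avps = parse_avps(payload[12:length])
    mt = avps.get((0, AVP_MESSAGE_TYPE))
    if mt is None:
        kind = "ZLB"                                  # zero-length body: a bare acknowledgement
    else:
        code = struct.unpack("!H", mt)[0]
        kind = MESSAGE_TYPES.get(code, "type %d" % code)
    assigned = avps.get((0, AVP_ASSIGNED_TUNNEL_ID))
    return {
        "type": kind, "tunnel_id": tunnel_id, "ns": ns, "nr": nr,
        "assigned_tunnel_id": struct.unpack("!H", assigned)[0] if assigned else None,
        "hostname": avps.get((0, AVP_HOST_NAME), b"").decode("ascii", "replace"),
    }


def diagnose(packets):
    """packets: list of (direction, udp_payload) in capture order, seen from the server."""
    types = []
    for _direction, payload in packets:
        msg = parse_control(payload)
        if msg:
            types.append(msg["type"])
    if "SCCRQ" not in types:
        return "no SCCRQ"
    if "SCCRP" not in types:
        return "SCCRQ received, no SCCRP sent"        # server side stayed silent
    if "SCCCN" not in types:
        return "SCCRP sent, no SCCCN received"        # reply lost, or client rejected it
    if "StopCCN" in types[types.index("SCCCN"):]:
        return "established, then StopCCN"
    return "established"


def sample_exchange():
    """Constructed three-way tunnel setup as the server would see it (not a real capture)."""
    sccrq = build_control(0, 0, 0, [                  # tunnel id 0: none assigned yet
        avp(AVP_MESSAGE_TYPE, b"\x00\x01"),
        avp(AVP_PROTOCOL_VERSION, b"\x01\x00"),
        avp(AVP_HOST_NAME, b"branch-router"),         # placeholder name
        avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", 42)),
    ])
    sccrp = build_control(42, 0, 1, [                 # addressed to the client's tunnel 42
        avp(AVP_MESSAGE_TYPE, b"\x00\x02"),
        avp(AVP_PROTOCOL_VERSION, b"\x01\x00"),
        avp(AVP_HOST_NAME, b"chr-hub"),               # placeholder name
        avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", 7)),
    ])
    scccn = build_control(7, 1, 1, [avp(AVP_MESSAGE_TYPE, b"\x00\x03")])
    zlb = build_control(42, 1, 2, [])                 # server acknowledges the SCCCN
    return [("in", sccrq), ("out", sccrp), ("in", scccn), ("out", zlb)]


if __name__ == "__main__":
    packets = sample_exchange()
    for direction, payload in packets:
        print(direction, parse_control(payload))
    print(diagnose(packets))
```

Feed it the UDP payloads from a `/tool sniffer` capture taken on both ends at once: if the server capture shows SCCRQs with no SCCRP, the problem is in the server's handling of the initial packet; if SCCRPs leave the server but never appear in the client capture, the path or routing is dropping them; if the client sees the SCCRP and never sends SCCCN, the client is rejecting the reply.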
Sidewindr
just joined
Posts: 7
Joined: Mon Dec 13, 2021 4:04 am

Re: first L2TP UDP package received from

Mon Dec 13, 2021 4:10 am

I have an issue with L2TP and IPsec using a preshared secret.

I am connecting to a CHR running 7.1 with ~100 L2TP/IPsec VPNs connected to it.
I am connecting from a CCR1036-12G-4S. With RouterOS v6.48.6(tile) or 6.49.2(tile) the L2TP/IPsec VPN works fine. After upgrading to 7.1(tile) the L2TP no longer works. I see "first L2TP UDP packet received from x.x.x.x" messages in the CHR logs when it is not working.

If I connect an L2TP/IPsec VPN to the CHR using an RB1100AHx4, then everything works fine, no issue with the L2TP/IPsec VPN. It would seem it is a 7.1-on-tile-specific issue.

Any assistance would be appreciated.
 
Sidewindr
just joined
Posts: 7
Joined: Mon Dec 13, 2021 4:04 am

Re: first L2TP UDP package received from

Wed Mar 09, 2022 4:08 am

v7.1.3 appears to have resolved the issue.
 
steen
Member
Topic Author
Posts: 475
Joined: Sat Oct 23, 2010 2:15 am
Location: Sweden
Contact:

Re: first L2TP UDP package received from

Sun May 08, 2022 11:32 pm

Hello Folks!

This problem remains even with the latest stable RouterOS v6 at the time of writing. This time we tested using a CentOS 8.5 Linux box, latest version at the time of writing, using xl2tpd and ppp to establish the L2TP link. The MikroTik routers at the other end are CHRs. There is no NAT or anything like that between the devices, just a couple of router hops away, no firewalls.
It was stable for over a week; the L2TP links to both CHR routers were rock solid. Older RouterOS versions seem not to have this problem at all; they are rock solid.

From the beginning it worked with both MikroTik routers, but suddenly, out of nowhere, the L2TP links were disconnected on one CHR router, while the other one is rock solid.
Trying to connect again, the famous "first L2TP UDP package received from" is seen on the router that fails.
Repeated connection attempts work at random; links come up but go down within 3 minutes and the famous message arrives again.

Why am I fighting with this? Because we have very many such L2TP links and use OSPF to distribute routing tables in the VPN network we have. It has been working for over ten years without issues; a couple of years ago it started to misbehave.

We have not been able to test RouterOS 7 yet to see if the problem remains there too.
