I have one in-service router (CRS125-24G-1S) that will not reliably establish an L2TP with an IPSEC tunnel to other MikroTik routers. Only about 5% of the time will the tunnel get established. All other times the ISAKMP-SA is successfully set up, but the tunnel fails to authenticate; it just keeps trying. If I disable IPSEC on the L2TP tunnel, it works.
I have other routers (RB951-UI) that I set up that can successfully establish an L2TP session. I've compared the IPSEC configuration for the working and non-working routers and they are identical. I've tried disabling fasttrack and all input firewall rules on the CRS router and the tunnel still fails to authenticate. If I set up an RB951-UI behind the CRS125, it can still establish a connection successfully through the CRS to the same target router, so the ISP is not at fault. When I look at the log on the target router, I see the ISAKMP-SA established, but then nothing, until I disable the outbound connection; then I get a message saying that the first L2TP packet has been received... so it is like the CRS is not sending any traffic until the session is disabled.
I've attached log samples when it works (rarely) and when it does not work. When it starts working, it will work multiple times successfully until I leave it down for over 10 minutes or so, then it will fail for days. That is why I suspected fasttrack, but disabling fasttrack does not fix the problem.
Suggestions about how to debug or fix this are appreciated.