R00tKit
just joined
Topic Author
Posts: 8
Joined: Fri Nov 07, 2014 12:24 am

Mikrotik to ASA IPSEC VPN Working until 6.29.1, not working on 6.30.x

Thu Jul 23, 2015 7:30 pm

Hello everyone.

Pretty much the issue was described on subject. I have a Mikrotik RB2011UiAS connecting to an ASA 5510 via IPSEC vpn. This has been working for ages. After upgrading the routerboard to 6.30 and any of its subsequent versions (6.30.1 and 6.30.2) the tunnel still comes up, but no traffic goes through the tunnel. When I downgrade to 6.29.1 everything is working again.

Please note that there are absolutely no changes in the configuration. It just works on one version, while it doesn't on the next. Is anyone aware of any huge changes in IPSEC, or some place I could start debugging?

Thank you in advance.
 
Nero
just joined
Posts: 5
Joined: Sat Oct 30, 2010 10:23 am

Re: Mikrotik to ASA IPSEC VPN Working until 6.29.1, not working on 6.30.x

Thu Jul 23, 2015 10:34 pm

It's similar to my situation. I have a Mikrotik 450G connecting to an ASA 5510 via L2TP over IPSEC with a pre-shared key. After upgrading the routerboard to 6.30.x the IPSEC connection can't be established. When I downgrade to 6.29.1 everything is fine.
 
R00tKit
just joined
Topic Author
Posts: 8
Joined: Fri Nov 07, 2014 12:24 am

Re: Mikrotik to ASA IPSEC VPN Working until 6.29.1, not working on 6.30.x

Thu Jul 23, 2015 11:40 pm

Good to know it's not just me then. There is definitely something wrong there. The problem is that I don't know where to look. As I said before, the tunnel is established on both versions. In the ASA debug log I see that Mikrotik's LAN is correctly added to its routing table and it is marked to be encrypted. So everything looks good until I try to send a packet via the tunnel; it goes nowhere. Since the IPSEC setup is presumed to be okay, I moved on to the next step: Mikrotik's firewall. The NAT statements for LAN-to-LAN traffic were there, on top of the list (before the mangle statement), and their counters were incrementing each time I was trying to send a packet to the other side of the tunnel.

This is where I stopped. ASA's log didn't show any drops, denies or incorrect ESPs.

*UPDATE*

As I was writing the above I noticed a significant difference between the way that the IPSEC tunnel is established on versions 6.29 and 6.30. On the version that is working properly (6.29.1), after the tunnel is established, if you go to ipsec >> remote peers you only see one peer, from your local outer address to the remote outer address. On version 6.30 I see two peers, one like in the previous case and another one that has "0.0.0.0" listed as the local address. Could this be due to the fact that my end (Mikrotik) doesn't have a static IP and I have created the tunnel policies by using "0.0.0.0" in the SA Src Address field? If yes, why was this working before and why did it break now?

Just food for thought, any help will be appreciated.
 
R00tKit
just joined
Topic Author
Posts: 8
Joined: Fri Nov 07, 2014 12:24 am

Re: Mikrotik to ASA IPSEC VPN Working until 6.29.1, not working on 6.30.x

Fri Jul 24, 2015 12:10 am

Another update

Unfortunately it seems that I have pinpointed the problem and it seems to be a bug in the newest releases. Since my external IP is assigned by DHCP, I had set on IP >> IPSEC >> Policy all the policies' SA Src Address to "0.0.0.0" which was working fine. After 6.30 this doesn't work since it adds a new remote peer after trying to send something over the established tunnel with source address "0.0.0.0". I modified a policy SA Src Address with the IP I was assigned at that moment and it immediately worked. Needless to say that updating this field every time I get assigned a new IP is not an option, so I am reverting to 6.29 until this is resolved.

Should I report this bug somewhere else, or will this post in the forum suffice?
 
agleave
just joined
Posts: 1
Joined: Sun Jul 26, 2015 7:48 pm

Re: Mikrotik to ASA IPSEC VPN Working until 6.29.1, not working on 6.30.x

Sun Jul 26, 2015 7:52 pm

Hi, I have also had this issue. My internet connection is on a dynamic IP, and in the IPSEC policy I used to have 0.0.0.0 as the SA Src. Address; however, since updating, it no longer worked. As suggested by R00tKit, once you put your current IP address in the SA Src. Address box the IPSEC VPN starts to work.

Is there another, more permanent solution to this? When my IP address changes I will have to reconfigure the IPSEC policies again.

Thanks
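An added example, not code from any post in this thread: a RouterOS DHCP-client script that rewrites the IPSEC policy's SA Src Address each time a new lease is bound, so the workaround of entering the current public IP does not have to be repeated by hand after every address change. The WAN interface name ether1 and the policy comment to-asa are assumptions; adjust them to the real configuration.

```routeros
# Attach this script to the DHCP client on the WAN interface (assumed: ether1).
# RouterOS runs it on every lease event and exposes $bound and $"lease-address".
# Install with:
#   /ip dhcp-client set [find interface=ether1] script="<contents of this block>"

:if ($bound = 1) do={
    # Address just assigned by the ISP
    :local newIp $"lease-address"

    # Policies to keep in sync are tagged by comment (assumed: to-asa)
    :local ids [/ip ipsec policy find comment="to-asa"]

    :if ([:len $ids] = 0) do={
        :log warning "ipsec-sync: no policy with comment to-asa found"
    } else={
        :foreach id in=$ids do={
            # Compare with the current value so the policy is only rewritten on a real change;
            # get returns the address with a /32 mask, hence the suffix in the comparison
            :local cur [/ip ipsec policy get $id sa-src-address]
            :if ($cur != ($newIp . "/32")) do={
                /ip ipsec policy set $id sa-src-address=$newIp
                :log info ("ipsec-sync: sa-src-address set to " . $newIp)
            }
        }
    }
} else={
    :log info "ipsec-sync: lease released, policy left unchanged"
}
```

Rewriting the policy flushes the existing SA, so expect a short renegotiation with the remote peer after each address change.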
 
normis
MikroTik Support
Posts: 24337
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mikrotik to ASA IPSEC VPN Working until 6.29.1, not working on 6.30.x

Wed Jul 29, 2015 1:15 pm

Have you contacted support with a supout.rif file from 6.30.2?
Please post your ticket number, so I can check the status.
 
andrace
newbie
Posts: 42
Joined: Sun Sep 21, 2014 8:41 am

Re: Mikrotik to ASA IPSEC VPN Working until 6.29.1, not working on 6.30.x

Wed Jul 29, 2015 3:17 pm

The same problem: after an upgrade to 6.30.1 and 6.30.2, the address 0.0.0.0 is not working.
 
mrz
MikroTik Support
Posts: 5950
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Mikrotik to ASA IPSEC VPN Working until 6.29.1, not working on 6.30.x

Wed Jul 29, 2015 3:27 pm

Enable ipsec debug logs, generate a supout file after an unsuccessful connection attempt and send this file to support.
 
arturrenato
just joined
Posts: 7
Joined: Fri Oct 29, 2010 3:44 am

Re: Mikrotik to ASA IPSEC VPN Working until 6.29.1, not working on 6.30.x

Fri Jul 31, 2015 2:35 am

Hello all

Any update about it? I have the same problem with Mikrotik to Mikrotik IPsec VPN.

Artur
 
Silale
just joined
Posts: 13
Joined: Mon Jul 28, 2008 3:02 pm
Location: Riga, Latvia

Re: Mikrotik to ASA IPSEC VPN Working until 6.29.1, not working on 6.30.x

Fri Jul 31, 2015 9:58 am

Same problem with dynamic ipsec rules, Mikrotik to Mikrotik, version 6.30.2.
In the central office we have a CCR-1009 with the 0.0.0.0 template; in the branches we have MT 6.27 with statically configured ipsec tunnels and a static remote peer. After the update to 6.30.2, in ipsec policies we have 2 tunnels to all branch offices, and after 1 hour of work all tunnels are broken and the tunnels from the branches to the central office can't be re-established. Rolling back to 6.29 resolved the problem. Manually clearing the connected peers doesn't help after a tunnel is broken.
 
mrz
MikroTik Support
Posts: 5950
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Mikrotik to ASA IPSEC VPN Working until 6.29.1, not working on 6.30.x

Fri Jul 31, 2015 11:52 am

Enable ipsec debug logs, generate a supout file after an unsuccessful connection attempt and send this file to support.
 
R00tKit
just joined
Topic Author
Posts: 8
Joined: Fri Nov 07, 2014 12:24 am

Re: Mikrotik to ASA IPSEC VPN Working until 6.29.1, not working on 6.30.x

Sun Aug 02, 2015 4:45 pm

Hello
First of all I am sorry for the delayed response. You requested ipsec logs and the supout.rif file; however, since the problem was diagnosed on an active secure system handling financial data, I could not supply those due to our strict network policy. My only solution was to recreate the problem with other devices, and this is what I did. I set up a small lab network with two laptops, one behind a Mikrotik CRS125-24G-1S and the second behind an ASA5505 firewall. I set up the firewall in the exact same way as our corporate one, with different networks and passwords of course, and I set up an IPSec tunnel between the CRS and the ASA.

The topology is the following:

LAPTOP1 (10.0.2.2/24) <----> CRS125 (inside 10.0.2.1/24, outside 10.0.1.16/24) <----> CISCO SWITCH <----> ASA5505 (outside 10.0.1.254/24, inside 10.0.5.1/24) <----> LAPTOP2 (10.0.5.2/24)

At first, I put as SA Src. Address in the IPSec Policy “10.0.1.16”. The tunnel came up and one laptop could ping the other fine.

I got all the related logs and also created a supoutOK.rif

Then I changed the SA Src. Address to “0.0.0.0” and rebooted the CRS.

Again, the tunnel came up, but the two laptops could no longer communicate, due to the symptom mentioned in my original e-mail. The "remote peers" table was populated with two peer routes, one with the actual outside address (10.0.1.16) and the other with 0.0.0.0. This behavior started with version 6.30, whereas on version 6.29.1 and before 0.0.0.0 was/is working fine.

I got a screenshot of the Remote peers, created a supoutBAD.rif and also got all the IPSec logs.

Everything is attached to my support e-mail; the ticket number is 2015072466000023.

Thank you for your time, I hope this is resolved soon, because I need to be able to establish IPSec site to site VPN from dynamic addresses.
 
shaoranrch
Member Candidate
Posts: 183
Joined: Thu Feb 13, 2014 8:03 pm

Re: Mikrotik to ASA IPSEC VPN Working until 6.29.1, not working on 6.30.x

Mon Aug 03, 2015 4:46 pm

Hello,

I've got exactly the same issue, although I specify all the proper addresses (not 0.0.0.0) and the tunnel is between a Cisco UC520 and a CRS1036-12G-4S. The tunnel comes UP but no data whatsoever is being sent. If I kill both the ISAKMP and IPSEC associations a few times it starts working for the duration of the "lifetime", then it resets as expected but the problem starts over.

I've sent a support ticket today #2015080366000571

Rolling back to 6.29 fixes this problem.
Rafael Carvallo
Telecommunications Engineer
 
Dejan
newbie
Posts: 30
Joined: Wed Apr 22, 2015 8:28 am

Re: Mikrotik to ASA IPSEC VPN Working until 6.29.1, not working on 6.30.x

Tue Aug 04, 2015 3:48 pm

Any info on when this will be fixed? I have the same problem... After the upgrade from 6.29.1 to 6.30.2 the ipsec tunnel to a Zyxel router stopped working... I use a dynamic public address and also get the same symptoms as written before...
 
a2940uw
just joined
Posts: 1
Joined: Wed Aug 05, 2015 11:24 am

Re: Mikrotik to ASA IPSEC VPN Working until 6.29.1, not working on 6.30.x

Wed Aug 05, 2015 11:52 am

I also have this serious problem on 6.30.x with a site-to-site IPSec between 2 routerboards: the connection is established successfully but no SA is installed. Now trying to downgrade to 6.29.1.
 
R00tKit
just joined
Topic Author
Posts: 8
Joined: Fri Nov 07, 2014 12:24 am

Re: Mikrotik to ASA IPSEC VPN Working until 6.29.1, not working on 6.30.x

Sat Aug 15, 2015 12:52 am

I am extremely happy to report that this issue has been resolved on version 6.31 which came out yesterday. Many thanks to Mikrotik staff for their quick fix.
