And fix reboot loop on hAPac ? Because I have no EoIP or IPIP tunnels.This release fixes crashes related to EoIP and IPIP tunnels which were introduced with previous release:
*) tunnels - fixed reboot loop on configurations with IPIP and EoIP tunnels (introduced in 6.39rc68);
We are sorry for any inconvenience caused.
I wrote to the support.pista - Please write to support@mikrotik.com and explain your problem. Provide old supout files or export files from older versions (if you have any) so we could try to reproduce your problem.
At the top of the 6.38 changelog there is this answer to your issue:Spanning Tree is broken since 6.38. We want to implement redundant bridges, to link together carrier VLANs to customer ports or VLANs. The previous STP implementation was essentially similar to PVSTP (per VLAN Spanning Tree Protocol) but the new implementation results in routers sending and processing STP BPDU packets on ports which aren't members of the bridge. The simplest way of demonstrating this is to configure bridges on two different VLANs, on different routers which share the VLAN carrying network.
Important note!!!
RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE 802.1Q-2014 by sending and processing BPDU packets without VLAN tag.
and what's the answer?At the top of the 6.38 changelog there is this answer to your issue:Spanning Tree is broken since 6.38. We want to implement redundant bridges, to link together carrier VLANs to customer ports or VLANs. The previous STP implementation was essentially similar to PVSTP (per VLAN Spanning Tree Protocol) but the new implementation results in routers sending and processing STP BPDU packets on ports which aren't members of the bridge. The simplest way of demonstrating this is to configure bridges on two different VLANs, on different routers which share the VLAN carrying network.
Important note!!!
RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE 802.1Q-2014 by sending and processing BPDU packets without VLAN tag.
Since 6.38 BPDUs are sent and processed with out the VLAN tag.and what's the answer?At the top of the 6.38 changelog there is this answer to your issue:Spanning Tree is broken since 6.38. We want to implement redundant bridges, to link together carrier VLANs to customer ports or VLANs. The previous STP implementation was essentially similar to PVSTP (per VLAN Spanning Tree Protocol) but the new implementation results in routers sending and processing STP BPDU packets on ports which aren't members of the bridge. The simplest way of demonstrating this is to configure bridges on two different VLANs, on different routers which share the VLAN carrying network.
Important note!!!
RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE 802.1Q-2014 by sending and processing BPDU packets without VLAN tag.
He said its broken, so what's the fix?Since 6.38 BPDUs are sent and processed with out the VLAN tag.and what's the answer?At the top of the 6.38 changelog there is this answer to your issue:Spanning Tree is broken since 6.38. We want to implement redundant bridges, to link together carrier VLANs to customer ports or VLANs. The previous STP implementation was essentially similar to PVSTP (per VLAN Spanning Tree Protocol) but the new implementation results in routers sending and processing STP BPDU packets on ports which aren't members of the bridge. The simplest way of demonstrating this is to configure bridges on two different VLANs, on different routers which share the VLAN carrying network.
Important note!!!
RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE 802.1Q-2014 by sending and processing BPDU packets without VLAN tag.
int vlan add name=vlanXXX interface=bridge vlan-id=XXX
Adapt all the equipment and settings in the network to be standards compliant.
That being said, it would have been friendlier when this change was configurable so a new version
could be installed with the old behaviour and a controlled migration of existing networks would be possible.
Too little context to say anything meaningful!Thoughts?
I am seeing similar issues with slowness when moving past rc60. I'll try to remove the fasttrack-connection rule and see if it also resolves my issues. I suspect it will because I have a VRF which does not seem to be affected.When I upgraded to ROS v6.39rc62, the following Firewall rule brought my outside access to a crawl:
/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related
Once I disabled it, the system began to work normally.
This is the same with the current release 6.39rc72.
I have submitted a supout file to tech support.
Thoughts?
-tp
I am also suffering from this symptom.When I upgraded to ROS v6.39rc62, the following Firewall rule brought my outside access to a crawl:
/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related
Once I disabled it, the system began to work normally.
This is the same with the current release 6.39rc72.
I have submitted a supout file to tech support.
Thoughts?
-tp
Seems to got same issue on my RB951Ui-2HnD. Updated from 6.39rc62 to 6.39rc72, now IKEv2 functionality is lost.For long time I was very pleased to use IKE2 with my Adroid with StrongSwan as client. It is still working on 6.39v62 and I skipped 6.39v68 and used the 6.39v69 and gone was my IKE2 connection. I get the error "wrong EAP mode" and I poked a bit around and it seems to be the Peers tab and the certificate and remote certificate part. Nothing helped and changing setting StrongSwan did also not help. Updated to 6.39v72, despite no mention in the changelog on IKE2, to no avail.
17:49:32 ipsec,debug ---->: KA tree dump: <Router Wan IP>[4500]-><Client IP>[15892] (in_use=2)
17:49:32 ipsec ---->: processing payloads: NOTIFY
17:49:32 ipsec ---->: notify: INITIAL_CONTACT
17:49:32 ipsec ---->: notify: ESP_TFC_PADDING_NOT_SUPPORTED
17:49:32 ipsec ---->: notify: NON_FIRST_FRAGMENTS_ALSO
17:49:32 ipsec ---->: peer wants tunnel mode
17:49:32 ipsec ---->: processing payload: CONFIG
17:49:32 ipsec ---->: attribute: internal IPv4 address
17:49:32 ipsec ---->: attribute: internal IPv4 netmask
17:49:32 ipsec ---->: attribute: internal IPv4 DNS
17:49:32 ipsec ---->: attribute: internal IPv4 DNS
17:49:32 ipsec ---->: attribute: internal IPv4 NBNS
17:49:32 ipsec ---->: attribute: internal IPv4 NBNS
17:49:32 ipsec ---->: attribute: application version
17:49:32 ipsec,error can't acquire address for <Client IP>, <Client cert details>: std failure: unknown id (4)
17:49:32 ipsec,error ---->: can't acquire address for <Client IP>, <Client cert details>: std failure: unknown id (4)
17:49:32 ipsec ---->: my ID (DER): <Router cert details>
17:49:32 ipsec,error wrong EAP mode
17:49:32 ipsec,error ---->: wrong EAP mode
17:49:32 ipsec ---->: adding payload: NOTIFY
17:49:32 ipsec ---->: notify: INTERNAL_ADDRESS_FAILURE
If you're still running the v72 maybe you can put the IP someware in strongswan to if that differs.17:49:32 ipsec,error can't acquire address for <Client IP>, <Client cert details>: std failure: unknown id (4)
17:49:32 ipsec,error ---->: can't acquire address for <Client IP>, <Client cert details>: std failure: unknown id (4)
It's near to impossible to state IP address in certificate for road warrior in advance, since we don't know what IP will be assigned to device by mobile network (or it can be behind NAT on some public hotspot). Also setting auth method to PSK results to same error:It seems that the client IP is the problem. Normally it is pulled from the pool but it seems that this address is also needed to be stated in the certificate.
ipsec,error can't acquire address for <Client IP>, <Client IP>: std failure: unknown id (4)
Oops. Seems that not only my fault.Seems that that was my fault - I just was need to inspect all IPSec settings, but I was a bit confused with "wrong eap mode" line in log.
I checked this an my configuration already was already set that way. I remember during fiddling with the settings I could connect however like you experienced that could be just luck and not repeatable.So, I found two ways to solve issue:
1. just define address pool, prefix length etc. in "request-only" mode config.
2. set peer "passive" parameter to "yes", define new mode config and set it in peer parameters. (This way seems to be more correct than first).
After all changes done I see that mobile device connects to RB with no problems.
Seems that that was my fault - I just was need to inspect all IPSec settings, but I was a bit confused with "wrong eap mode" line in log.
Come on! rc72 was released last week!What's going on? Mikrotik stopped updating? Update stopped on rc72
Could you please shed some light on the changes?Version 6.39rc72 has been released.
Changes since previous version:
*) l2tp - added support for multiple L2TP tunnels (not to be confused with sessions) between same endpoints (required in some LNS configurations);
*) l2tp-server - added "caller-id-type" to forward calling station number to RADIUS on authentication;
.
+1Is there a chance to get the rpfilter matcher assuming it is not yet available?
viewtopic.php?f=2&t=120863
Having same issue on RB953GS-5HnT,I am also suffering from this symptom.When I upgraded to ROS v6.39rc62, the following Firewall rule brought my outside access to a crawl:
/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related
Once I disabled it, the system began to work normally.
This is the same with the current release 6.39rc72.
I have submitted a supout file to tech support.
Thoughts?
-tp
There is no problem if you do not use FastTrack, but I can not explain the symptoms when using FastTrack.
I also contact support, but I do not understand easily.