> Can you post your IPsec debug logs (topics=ipsec,!packet) from when the tunnel is established and dropped so we can make sure it is the same issue?

I sent a bug report with supout on Friday, April 19, 2019 8:49 AM (Moscow time). Don't have the ticket # sorry.
Edit: managed to reproduce the issue without NAT as well.
> Version 6.45beta37 has been released.
> *) ike2 - fixed first child SA generation (introduced in v6.45beta34);

Confirming - appears fixed (RB4011, AC^2).
can you add EAP-MSCHAPv2 to the authentication method list?

> > can you add EAP-MSCHAPv2 to the authentication method list?
> Yes, it is coming as well.

Does this mean that Mikrotik can be removed from the not-supported router list at NordVPN and is going to use ike2 to connect?
> the problem with BGP and OSPF?

One problem with both protocols? Are you sure?

> > the problem with BGP and OSPF?
> One problem with both protocols? Are you sure?

still waiting, hope can fix soon in v6

> osc86, I can not reproduce the issue. Can you please send a supout.rif file to support@mikrotik.com?

Done. [Ticket#2019051022005463]

> > > the problem with BGP and OSPF?
> > One problem with both protocols? Are you sure?
> still waiting, hope can fix soon in v6

Waiting for what? A miracle?
> which is even more important for you?
> maybe another fix LCD?

no, KidControl.......
> I'm waiting for 8 months when the bug 2018101022007579 will be fixed.
> I started moving away from CCR wherever such an opportunity arises.
> And the funny thing is that in half a year, the support responded only once: "Sorry, we will reconsider the priorities".
> Your top router dies completely from two packets and you can reproduce it, which is even more important for you?
> maybe another fix LCD?
> even dlink's support is better.

A proper network admin likes watching graphs and stuff on an LCD. Much more important than stability. Want stability, buy a Nintendo Switch. Nintendo is expert in stability updates! ahahaha
> > which is even more important for you?
> > maybe another fix LCD?
> no, KidControl.......

I agree. KidControl needs major improvement, like the full removal of it.
> conntrack - significant stability and performance improvements;

Can you elaborate on what was changed here? The last time conntrack was changed with the loose TCP tracking option it introduced a regression, so I'd like to know exactly what changed and what to look out for.

> > conntrack - significant stability and performance improvements;
> Can you elaborate on what was changed here? The last time conntrack was changed with the loose TCP tracking option it introduced a regression, so I'd like to know exactly what changed and what to look out for.

YES, we would like to know what exactly was changed?!

> There are no new features added with this conntrack fix as you are comparing to the TCP loose setting. The fix addresses some stability issues in setups with large connection tracking tables. It also improves connection tracking processing performance.

What do you consider as large? How many connections are we talking about? 1000, 10000, 100000, 1000000?
> > I'm waiting for 8 months when the bug 2018101022007579 will be fixed.
> > I started moving away from CCR wherever such an opportunity arises.
> > And the funny thing is that in half a year, the support responded only once: "Sorry, we will reconsider the priorities".
> > Your top router dies completely from two packets and you can reproduce it, which is even more important for you?
> > maybe another fix LCD?
> > even dlink's support is better.
> A proper network admin likes watching graphs and stuff on an LCD. Much more important than stability. Want stability, buy a Nintendo Switch. Nintendo is expert in stability updates! ahahaha

Mikrotik must be aware that the product they have is not only a CPE; they also have another advanced product with a different purpose than a CPE, such as the CCR. A quick fix for the underlying problem should be a priority without having to wait for version 7, which is never clear.
And Kids control in CCR is something very important! How would you control all of your employees?!?
Ahhh.... The joys of visiting this forum Priceless!
> With 6.45beta42 two Linux installs had trouble getting DHCP over Ethernet.
> Sorry can't provide supout - already downgraded to 6.43.* stable, will stay on that.
> The only "custom" DHCP setting I have is - lease time is 7 days.
> No trouble with WiFi clients.
> Router: AC^2.

Similar issues encountered in my Linux clients. When the network service restarts in Linux, no IP address is assigned by the RouterOS DHCP server.
> Not working with Android clients (using https://play.google.com/store/apps/deta ... an.android ).
> Any tips towards getting Android working would be appreciated.
> Also I noticed occasional VPN connections failing using beta42 and 45. Downgrading to 6.44.3 made that issue go away but hopefully it will get fixed in the betas.

It would be better if you opened a new support ticket by sending an e-mail to support@mikrotik.com. Also please enable IPsec debug logs and generate a new supout.rif file each time the issue occurs (for example, an Android client failed to connect) and attach the file to the e-mail.
> > With 6.45beta42 two Linux installs had trouble getting DHCP over Ethernet.
> > Sorry can't provide supout - already downgraded to 6.43.* stable, will stay on that.
> > The only "custom" DHCP setting I have is - lease time is 7 days.
> > No trouble with WiFi clients.
> > Router: AC^2.
> Similar issues encountered in my Linux clients. When the network service restarts in Linux, no IP address is assigned by the RouterOS DHCP server.

Have you already reported your findings to MikroTik support? (support@mikrotik.com)
> *) conntrack - significant stability and performance improvements;

Does this have something to do with multiple IPsec peers sometimes getting stuck after reboot / after public IP changes?
/ip ipsec identity
add auth-method=eap certificate="" disabled=yes eap-methods=eap-mschapv2 peer=PureIKEv2 remote-id=fqdn:*.pointtoserver.com username=purevpnxxxxxxxxxxx
> mezzovide no, conntrack has nothing to do with it, however we already have fixes for your described issues in previous betas. Did you try the latest beta and can you verify the issue is still present?

Sure, I have some spare routers to experiment with, will upgrade to beta tonight and see if it fixed my issues. Thanks.
> Hi Mikrotik
> Are you aware if Router OS is patched for this threat?
> https://www.tomsguide.com/us/zombieload ... 30082.html

I think an accurate answer would be that RouterOS running on x86 is not itself vulnerable, but the vulnerability could be exploited on the unpatched host or in another VM to disclose RouterOS information.

> > Hi Mikrotik
> > Are you aware if Router OS is patched for this threat?
> > https://www.tomsguide.com/us/zombieload ... 30082.html
> I think an accurate answer would be that RouterOS running on x86 is not itself vulnerable, but the vulnerability could be exploited on the unpatched host or in another VM to disclose RouterOS information.

So only if it is CHR and the VM host is not patched could the CHR be exploited?
> Try setting the remote-id to ignore.

I tried that and it still complains that it can't get the local certificate from configuration; it's not a dealbreaker and it goes on till it processes payloads: NOTIFY, and then I get the error that the notify is TS_UNACCEPTABLE and on the next line "got error: TS_UNACCEPTABLE".
> Update: I have it now working and writing this with an IKEv2 connection through PureVPN. I still have to adapt the manually generated IPsec policy and it is a PITA to do because sometimes a 0.0.0.0/ is expected but then I receive the TS_UNEXPECTED error. After several times going round and round the Src. Address matches and the tunnel is made.
> I can see the success when in the log I get my IP and the two DNS IP addresses show and the tunnel is connected.

Check out the src-address-list parameter under mode-config.

> > Update: I have it now working and writing this with an IKEv2 connection through PureVPN. I still have to adapt the manually generated IPsec policy and it is a PITA to do because sometimes a 0.0.0.0/ is expected but then I receive the TS_UNEXPECTED error. After several times going round and round the Src. Address matches and the tunnel is made.
> > I can see the success when in the log I get my IP and the two DNS IP addresses show and the tunnel is connected.
> Check out the src-address-list parameter under mode-config.

Thanks Emils, I tried that before and now again but it did not change the IP to one out of the range..... O I see there is a new line inserted into NAT. When I use different address lists I can split horizon... I think.
https://wiki.mikrotik.com/wiki/Manual:I ... de_configs
> *) dhcpv4-server - added RADIUS accounting support with queue based statistics;

fine! thanks emils. We are waiting for a stable branch.
*) rb4011 - fixed MAC address duplication between sfp-sfpplus1 and wlan1 interfaces (wlan1 configuration reset required);
> *) ccr - improved packet processing after overloading interface;

Is this a fix for the problem 2018101022007579?

> *) ipv6 - improved system stability when receiving bogus packets;

Which CVE - a new one, or more fixes for the already known ones?

> *) dhcpv6-client - added option to disable rapid-commit (CLI only);

When you are working on dhcpv6-client: I would like to see an option in the client so that it does NOT save the obtained information in nonvolatile storage.

> *) dhcpv4-server - added RADIUS accounting support with queue based statistics;

I tried to test it, but it's not working yet. Is it an added feature that works if we use RADIUS for accounting and lease?
Please confirm this. Thanks
*) firewall - process packets by firewall when accepted by RAW with disabled connection tracking;
[admin@CORE] /snmp community> pr d
Flags: * - default
0 * name="librenms" addresses=::/0 security=private read-access=yes write-access=no authentication-protocol=SHA1 encryption-protocol=AES
authentication-password="mysecretpassword" encryption-password="anothersecretpassword"
15:37:39 snmp packet(v4) from: 192.168.2.111
15:37:39 snmp v3 user: librenms
15:37:39 snmp,debug unsupported v3 security level
15:37:39 snmp,packet 30 71 02 01 03 30 11 02 04 5b e1 da 3b 02 03 00
15:37:39 snmp,packet ff e3 04 01 07 02 01 03 04 31 30 2f 04 05 80 00
15:37:39 snmp,packet 3a 8c 04 02 01 00 02 01 04 04 08 6c 69 62 72 65
15:37:39 snmp,packet 6e 6d 73 04 0c 7a 37 32 ff d4 32 65 1f 54 e8 1d
15:37:39 snmp,packet 01 04 08 a1 62 da 91 4e 10 b8 7b 30 24 04 05 80
15:37:39 snmp,packet 00 3a 8c 04 04 00 a1 19 02 04 47 a1 60 24 02 01
15:37:39 snmp,packet 00 02 01 00 30 0b 30 09 06 05 2b 06 01 02 01 05
15:37:39 snmp,packet 00
15:37:39 snmp,debug v3 err: 0 unsupported security level
15:37:39 snmp,debug bad packet
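The router's log gives a one-line verdict ("unsupported v3 security level") but the packet dump shows what the client actually asked for. The decoder below is added here (it is not from the post, from LibreNMS or from MikroTik) and walks the BER structure of the SNMPv3 message header as far as msgData, using the hex bytes copied from the log lines above with the timestamps and topic prefixes stripped. It assumes the hex was pasted without loss; the checks at the end report anything in the bytes that disagrees with RFC 3412/3414 or with itself, including the case where the pasted dump is the thing that is off.

```python
"""Decode the header of the SNMPv3 request in the dump above (added example, not from the post)."""

# Bytes copied from the snmp,packet log lines above, with timestamps and topic prefix stripped.
# Nothing here is key material: the 12-byte auth field is an HMAC-96 tag, the 8-byte priv field a salt.
PACKET_HEX = """
30 71 02 01 03 30 11 02 04 5b e1 da 3b 02 03 00
ff e3 04 01 07 02 01 03 04 31 30 2f 04 05 80 00
3a 8c 04 02 01 00 02 01 04 04 08 6c 69 62 72 65
6e 6d 73 04 0c 7a 37 32 ff d4 32 65 1f 54 e8 1d
01 04 08 a1 62 da 91 4e 10 b8 7b 30 24 04 05 80
00 3a 8c 04 04 00 a1 19 02 04 47 a1 60 24 02 01
00 02 01 00 30 0b 30 09 06 05 2b 06 01 02 01 05
00
"""

# msgFlags bits 0-1 (RFC 3412 section 6.4); bit 2 is the reportable flag
SECURITY_LEVELS = {0: "noAuthNoPriv", 1: "authNoPriv", 2: "privNoAuth (invalid)", 3: "authPriv"}


def _read_header(buf, pos):
    """(tag, declared length, content offset) for the TLV at pos, without a bounds check,
    so a caller can report a truncated dump instead of silently slicing past the end."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                        # long-form length: 0x8n then n length bytes
        n = first & 0x7F
        return tag, int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, first, pos


def _read_tlv(buf, pos, expect):
    """(content, next offset) for one TLV, enforcing the expected tag and the buffer bound."""
    tag, length, start = _read_header(buf, pos)
    if tag != expect:
        raise ValueError(f"offset {pos}: expected tag 0x{expect:02x}, got 0x{tag:02x}")
    if start + length > len(buf):
        raise ValueError(f"offset {pos}: TLV declares {length} bytes, only {len(buf) - start} left")
    return buf[start:start + length], start + length


def _int(value):
    return int.from_bytes(value, "big", signed=True)


def decode_snmpv3_header(hex_dump):
    """Return a dict of the SNMPv3 header fields (msgGlobalData, USM parameters, msgData tag)."""
    buf = bytes.fromhex("".join(hex_dump.split()))
    tag, declared, pos = _read_header(buf, 0)      # outer SNMPv3Message SEQUENCE
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    info = {"declared_len": declared, "actual_len": len(buf) - pos}

    version, pos = _read_tlv(buf, pos, 0x02)
    info["version"] = _int(version)

    # msgGlobalData ::= SEQUENCE { msgID, msgMaxSize, msgFlags OCTET STRING (SIZE 1), msgSecurityModel }
    gdata, pos = _read_tlv(buf, pos, 0x30)
    msg_id, g = _read_tlv(gdata, 0, 0x02)
    max_size, g = _read_tlv(gdata, g, 0x02)
    flags, g = _read_tlv(gdata, g, 0x04)
    sec_model, _ = _read_tlv(gdata, g, 0x02)
    info.update(msg_id=_int(msg_id), max_size=_int(max_size), flags=flags[0],
                security_level=SECURITY_LEVELS[flags[0] & 0x03],
                reportable=bool(flags[0] & 0x04), security_model=_int(sec_model))  # 3 = USM

    # msgSecurityParameters: OCTET STRING wrapping the UsmSecurityParameters SEQUENCE (RFC 3414 2.4)
    wrapped, pos = _read_tlv(buf, pos, 0x04)
    usm, _ = _read_tlv(wrapped, 0, 0x30)
    engine_id, u = _read_tlv(usm, 0, 0x04)
    boots, u = _read_tlv(usm, u, 0x02)
    etime, u = _read_tlv(usm, u, 0x02)
    user, u = _read_tlv(usm, u, 0x04)
    auth_params, u = _read_tlv(usm, u, 0x04)
    priv_params, _ = _read_tlv(usm, u, 0x04)
    info.update(engine_id=engine_id.hex(), engine_boots=_int(boots), engine_time=_int(etime),
                user=user.decode("ascii", "replace"),
                auth_param_len=len(auth_params), priv_param_len=len(priv_params))

    # msgData is a CHOICE: plaintext ScopedPDU (SEQUENCE 0x30) or encryptedPDU (OCTET STRING 0x04)
    info["msgdata_tag"] = _read_header(buf, pos)[0]
    return info


def consistency_checks(info):
    """Findings where the bytes disagree with RFC 3412/3414 or with themselves; empty if none."""
    findings = []
    short = info["declared_len"] - info["actual_len"]
    if short:
        findings.append(f"dump is {short} byte(s) shorter than the declared message length")
    if info["flags"] & 0x02 and not info["flags"] & 0x01:
        findings.append("privFlag set without authFlag")
    if info["flags"] & 0x02 and info["msgdata_tag"] != 0x04:
        findings.append("privFlag set but msgData is a plaintext ScopedPDU, not an encryptedPDU OCTET STRING")
    if info["flags"] & 0x01 and info["auth_param_len"] == 0:
        findings.append("authFlag set but msgAuthenticationParameters is empty")
    return findings


if __name__ == "__main__":
    header = decode_snmpv3_header(PACKET_HEX)
    for key, value in header.items():
        print(f"{key:>16}: {value}")
    for finding in consistency_checks(header):
        print("CHECK:", finding)
```

Run against the dump it reports version 3, msgFlags 0x07 (authPriv, reportable), security model 3 (USM), user librenms, engine ID 80003a8c04, a 12-byte HMAC-96 authentication parameter and an 8-byte privacy salt, so the poller is asking for authPriv, which is what security=private on the community expects. Two findings come out of the checks: the pasted dump is 2 bytes shorter than the length the outer SEQUENCE declares, and msgData begins with 0x30 (a plaintext ScopedPDU) where a message with privFlag set has to carry an encryptedPDU OCTET STRING. The log does not say whether the router's "unsupported v3 security level" comes from either of those or from something else; the decoder only makes the request's security level and framing visible so they can be compared with the community configuration and with a capture taken off the wire rather than from the log.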
> rdelacruz - Please note that accounting will work only for those users which have a queue. Data for accounting is taken from queue statistics.

Yes, I'm aware of it. Are you referring to this queue?
> > Update: I have it now working and writing this with an IKEv2 connection through PureVPN. I still have to adapt the manually generated IPsec policy and it is a PITA to do because sometimes a 0.0.0.0/ is expected but then I receive the TS_UNEXPECTED error. After several times going round and round the Src. Address matches and the tunnel is made.
> > I can see the success when in the log I get my IP and the two DNS IP addresses show and the tunnel is connected.
> Check out the src-address-list parameter under mode-config.

I have it working with mode configs. I made a different setup because I could not use PCC on source port to distribute the traffic over multiple channels.
https://wiki.mikrotik.com/wiki/Manual:I ... de_configs
> I can also confirm snmpv3 does not work in 6.45rc50 with Observium or snmpwalk.

@slackR Did you already open a ticket at Mikrotik Support?
> !) user - removed insecure password storage;

Hello Emils,
Could you explain this?
Regards,

> > !) user - removed insecure password storage;
> Hello Emils,
> Could you explain this?
> Regards,

This is the final step for this changelog entry from 6.43:

> What's new in 6.43 (2018-Sep-06 12:44):
> *) user - all passwords are now hashed and encrypted, plaintext passwords are kept for downgrade (will be removed in later upgrades);
> !) user - removed insecure password storage;

Could we get password hashes exported with the user accounts now please? E.g.:
[admin@gate] > /user export
# may/28/2019 20:15:28 by RouterOS 6.45
...
/user
add comment="system default user" group=full name=admin password_hash=<base64-encoded-hash>
...
> *) www - improved client-initiated renegotiation within the SSL and TLS protocols;

Let's hope this is not related to TLS protocol downgrade attacks...
MikroTik team - could you explain? - please.

> > *) www - improved client-initiated renegotiation within the SSL and TLS protocols;
> Let's hope this is not related to TLS protocol downgrade attacks...
> MikroTik team - could you explain? - please.

Let's hope it is? Better to find, and close, than to leave it open...

> We ask, we hope, but MikroTik... is silent...

+1

> *) www - improved client-initiated renegotiation within the SSL and TLS protocols;

This issue fixes a DoS possibility in Webfig, related to CVE-2011-1473. We will update the changelog; the CVE was not included by mistake.

> We ask, we hope, but MikroTik... is silent...

In many countries Thu May 30 was a holiday. Some businesses are closed on Friday (today) as well.
# Assumes exactly one policy references the peer and exactly one tracked connection has
# this source address ("get" errors otherwise). For TCP/UDP entries reply-dst-address
# carries a :port suffix, so the comparison below only holds for portless protocols such as ESP.
:local ip "XXX.XX.XX.X";
:local con "IKEV2";
:local addressPOLICY [/ip ipsec policy get [find where peer="$con"] value-name=src-address];
:local addressCONTRACK [/ip firewall connection get [find where src-address="$ip"] value-name=reply-dst-address];
:local address ("$addressCONTRACK" . "/32");
:if ("$addressPOLICY" != "$address") do={
    /ip firewall connection remove [find where src-address="$ip"];
    :log info "Removed $con address $addressCONTRACK which became stuck in connection tracking";
}
> php api login failure at 6.45beta54.
> Login failed, incorrect username or password.
> please confirm.

You need to update your scripts (the logon method). You could have done that earlier.

> > php api login failure at 6.45beta54.
> > Login failed, incorrect username or password.
> > please confirm.
> You need to update your scripts (the logon method). You could have done that earlier.

thank you. ^^
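The "logon method" in the reply above is the RouterOS API login. Up to 6.42 a client sent an empty /login, got a challenge back in =ret=, and answered with =response=00 followed by MD5(0x00 || password || challenge); a router can only verify that answer while it still holds the plaintext password, which is exactly what the "removed insecure password storage" entry quoted earlier takes away. From 6.43 on the client sends =name= and =password= in the first /login sentence, so the API should be used over api-ssl (TLS) or the password crosses the network in clear. The Python below is added here (not from the post, not MikroTik's code) and builds both login sentences with the API's length-prefixed word framing so the difference on the wire is visible; the challenge value is a constructed placeholder, not a real =ret= reply.

```python
"""RouterOS API word framing and the two /login styles (added example, not MikroTik code)."""
import hashlib


def encode_length(n: int) -> bytes:
    """Length prefix of an API word: 1 to 5 bytes depending on size (RouterOS API framing)."""
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return (n | 0x8000).to_bytes(2, "big")
    if n < 0x200000:
        return (n | 0xC00000).to_bytes(3, "big")
    if n < 0x10000000:
        return (n | 0xE0000000).to_bytes(4, "big")
    return b"\xF0" + n.to_bytes(4, "big")


def decode_length(buf: bytes, pos: int):
    """Inverse of encode_length: returns (length, offset just after the prefix)."""
    b = buf[pos]
    if b < 0x80:
        return b, pos + 1
    if b & 0xC0 == 0x80:
        return int.from_bytes(buf[pos:pos + 2], "big") & 0x3FFF, pos + 2
    if b & 0xE0 == 0xC0:
        return int.from_bytes(buf[pos:pos + 3], "big") & 0x1FFFFF, pos + 3
    if b & 0xF0 == 0xE0:
        return int.from_bytes(buf[pos:pos + 4], "big") & 0x0FFFFFFF, pos + 4
    return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5


def encode_sentence(words) -> bytes:
    """A sentence is a run of length-prefixed words terminated by a zero-length word."""
    return b"".join(encode_length(len(w.encode())) + w.encode() for w in words) + b"\x00"


def decode_sentence(buf: bytes, pos: int = 0):
    """Parse one sentence starting at pos; returns (words, offset just after the terminator)."""
    words = []
    while True:
        length, pos = decode_length(buf, pos)
        if length == 0:
            return words, pos
        words.append(buf[pos:pos + length].decode())
        pos += length


def login_new(user: str, password: str) -> bytes:
    """6.43+ login: credentials go in the first sentence, so this must travel over api-ssl (TLS)."""
    return encode_sentence(["/login", f"=name={user}", f"=password={password}"])


def old_login_response(password: str, challenge_hex: str) -> str:
    """Pre-6.43 response digest: MD5(0x00 || password || challenge), hex encoded."""
    return hashlib.md5(b"\x00" + password.encode() + bytes.fromhex(challenge_hex)).hexdigest()


def login_old(user: str, password: str, challenge_hex: str) -> bytes:
    """Pre-6.43 login, second step: answer the =ret= challenge with =response=00<md5>.
    The router can only verify this if it still stores the plaintext password."""
    return encode_sentence(["/login", f"=name={user}", f"=response=00{old_login_response(password, challenge_hex)}"])


if __name__ == "__main__":
    CHALLENGE = "00112233445566778899aabbccddeeff"   # constructed placeholder, not a real =ret= value
    for label, wire in (("new", login_new("admin", "s3cret")),
                        ("old", login_old("admin", "s3cret", CHALLENGE))):
        print(label, wire.hex(), decode_sentence(wire)[0])
```

A client library that still performs the challenge step against a 6.45 router gets the "incorrect username or password" reply quoted above even with correct credentials; switching it to the single-sentence form is the whole fix, and moving the connection to port 8729 with a verified certificate is the part that keeps the password off the wire afterwards.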
> msatter we already have plans for such a feature. But connection marks will be used instead of routing marks.

Great, much appreciated! Can't wait for it...
Will we see this before the version 6.45 final release?

> I hope I'm not missing the point, but isn't this IKEv2 & policy routing something that would be best solved by what's known as route/interface-based VPN, VTI, etc? I remember it used to be a popular request here a few years ago. If I understand it correctly, the Linux implementation provides interfaces for IPsec connections, but internally it's still regular policy-based tunnels (often with 0.0.0.0/0 on both sides, but it can be anything). And some marks transparently assigned to outgoing traffic via that interface (it basically serves as an additional filter for the policy) are used to control what traffic it will actually apply to. So this should nicely cover the use case for multiple outgoing IPsec connections (like popular commercial VPN services). But not only that, distinct interfaces would make everything more clear and admin friendly. More interoperable too. And the whole thing doesn't even sound too complicated.

Mikrotik support have acknowledged the VTI request, but said it requires a newer kernel.

> > msatter we already have plans for such a feature. But connection marks will be used instead of routing marks.
> Great, much appreciated! Can't wait for it...
> Will we see this before the version 6.45 final release?

Currently it looks like no, it will not make it into 6.45. We are already finalizing the 6.45 version. VTI support requires a new kernel and we are still not sure whether it should or should not be implemented in version 7.

> But not only that, distinct interfaces would make everything more clear and admin friendly. More interoperable too. And the whole thing doesn't even sound too complicated.

Well, I remember the days when all Linux systems did that, but it was changed because others (BSD, Cisco) were not using separate interfaces but only those policies.
> *) tr069-client - added LTE CQI and IMSI parameter support;

Why only in tr069? Export it in SNMP too, with all the other info.
> One thing I would like to see in 6.45 is some hardware SNMP improvement for the CCR1072.
> As stated in ticket #2019032822004818, many hardware OIDs are missing for this device, compared to what Winbox shows:
> - Board temperature
> - Board temperature 2
> - Fan speed 3
> - Fan speed 4
> - PSU1 status (should be OID .15 (*))
> - PSU2 status (should be OID .16 (*))
> (*) as seen on other models such as the CRS317-1G-16S+.
> We are then clearly at risk with our CCR1072-1G-8S+, not being able to monitor all their hardware components, which is a rather tricky situation for core devices.
> I found other topics complaining about this: viewtopic.php?f=1&t=143899 / viewtopic.php?f=2&t=117322
> Many thanks for your support Mikrotik dev' team!

+1

> If you can see this system info in the CLI, you can easily send it out to a monitoring system using a script and Syslog.

We use SNMP for all our (network) devices from our enterprise monitoring & reporting solution, as I think many other companies do.
> *) ipsec - added support for RADIUS accounting for "eap-radius" and "pre-shared-key-xauth" authentication methods;

Will it also work for "rsa-signature-hybrid"?
*) winbox - do not allow setting "dns-lookup-interval" to "0";
> Version 6.45beta62 has been released.
> *) bridge - correctly handle bridge host table;

What kind of issue was there actually?
> Will it ever be possible to filter ipsec logs by peer? Debugging is pretty much impossible if you have a ton of tunnels active.

+1K
I think the log part needs to be rebuilt, for better debugging.

> Will it ever be possible to filter ipsec logs by peer? Debugging is pretty much impossible if you have a ton of tunnels active.

+1

> Please implement an "advertise-local-dns" option in IPv6 ND that makes the router advertise the local address (same as gateway) as DNS server, instead of the IPv6 DNS servers configured in /ip dns.
> (to make IPv6 systems use the local DNS resolver instead of going directly to the ISP DNS servers)
> This is necessary to make locally configured DNS static names visible to IPv6 capable clients.

You can do this:

> > Will it ever be possible to filter ipsec logs by peer? Debugging is pretty much impossible if you have a ton of tunnels active.
> +1K
> I think the log part needs to be rebuilt, for better debugging.

For better debugging and analysis you should consider sending to a remote log server. Makes life much easier.

> I don't think I understand what is going on there. I use ND, not DHCPv6, for setting those parameters.

That's the point. With ND you can not specify the DNS server, with DHCPv6 you can. Consider switching...

> > I don't think I understand what is going on there. I use ND, not DHCPv6, for setting those parameters.
> That's the point. With ND you can not specify the DNS server, with DHCPv6 you can. Consider switching...

~85% of our users have Android, then maybe 10% Apple and 5% Windows.

Works just fine, I've set it up this way as well. Only Android does not support DHCPv6 and does not get this specific setting.

> > > Will it ever be possible to filter ipsec logs by peer? Debugging is pretty much impossible if you have a ton of tunnels active.
> > +1K
> > I think the log part needs to be rebuilt, for better debugging.
> For better debugging and analysis you should consider sending to a remote log server. Makes life much easier.

Well, I agree that when you are running a lot of tunnels and you try to debug one of them, enabling packet-level debugging makes a terrible mess and/or load, even with a remote log server.
> > rdelacruz - Please note that accounting will work only for those users which have a queue. Data for accounting is taken from queue statistics.
> Yes, I'm aware of it. Are you referring to this queue?

Have you successfully tested this one?
If yes, can you please confirm that this added feature will work if we use RADIUS for accounting and lease? Thanks

> > Version 6.45beta62 has been released.
> > *) bridge - correctly handle bridge host table;
> What kind of issue was there actually?

On some occasions, hosts did not time out correctly. Now the bridge will make sure hosts are removed.
> Hello!
> I have an RB4011iGS+5HacQ2HnD with a dlink DPN-100 (TW2362H-CDEL-CLX) GPON SFP module (WAN).
> IP address received via DHCP. ALL WORKS GREAT! ---> firmware 6.44.3
> If I update the firmware to 6.45beta62, the SFP module has status "link ok", but no DHCP address is received; the DHCP client is all the time in status "searching", packets (in the module window) TXed, but not RXed.
> Can you fix it?
> Thank you.

Did you try with auto-negotiation disabled?
> > Great, much appreciated! Can't wait for it...
> > Will we see this before the version 6.45 final release?
> Currently it looks like no, it will not make it into 6.45. We are already finalizing the 6.45 version. VTI support requires a new kernel and we are still not sure whether it should or should not be implemented in version 7.

There is now a wiki page on how to set it. I can't place the word 'local' in the last sentence because all is local.
> Can we get the ability to define an IP instead of using the detected IP for IP cloud DDNS updates?
> I'd like the ability to force the update before I deploy the unit to the field on its static IP.
> It would also be handy if we could force delete a published DDNS record.

The ability to define an IP address would bring in all sorts of problems; the probability of misconfiguration is just too big.
And, BTW, what benefit would one get by having DDNS configured before the unit was up & running instead of a minute or two later?
It's been explained that the DDNS record gets removed when DDNS is disabled on the unit (but it needs internet connectivity at that time).
> The comment from the Identity that was used by the peer to identify itself is carried over to the active-peers menu. For example, if you have a comment "L2TP server" for the IPsec identity, then this comment will be shown for all active peers which used this Identity. Obviously, it is not possible to set such a comment for the dynamic Identity created by the L2TP server's "use-ipsec" parameter.

For dynamically created ones there is naming available in the PPP menu as name. Limit displaying it to a certain amount of characters. Now I have to identify peers by other means because "peer1205 etc." is not much to go on in relation to the names used in PPP.
Thanks

Statistics counters for IKEv1 with no unique IDs will be fixed shortly.

> Not sure what you meant with the third paragraph. Can you clarify?

That belonged to the picture, and as long as there is a unique identification in the background I am happy.
It already looked familiar to me, multiple My-IDs being present and I never have any content in there. I am only using it as a client so this may be for the server.

There is nothing we can do about the multiple My-ID fields under the Identity menu at this moment because of multiple data types stored in this parameter.
> > Hello!
> > I have an RB4011iGS+5HacQ2HnD with a dlink DPN-100 (TW2362H-CDEL-CLX) GPON SFP module (WAN).
> > IP address received via DHCP. ALL WORKS GREAT! ---> firmware 6.44.3
> > If I update the firmware to 6.45beta62, the SFP module has status "link ok", but no DHCP address is received; the DHCP client is all the time in status "searching", packets (in the module window) TXed, but not RXed.
> > Can you fix it?
> > Thank you.
> Did you try with auto-negotiation disabled?

I tried it. No effect.
> First time I see tx-queue1-packet being used in a CRS326 switch. It was always tx-queue0-packet all the time. The switch seems to work faster now in some tests I have done.

It will be nice to see multiple queues on each port to make QoS.

I have two devices upgraded to 6.45beta62, but today I'm seeing this error (several times) while trying to upgrade another one:

15:04:27 system,error broken package routeros-mipsbe-6.45beta62.npk

Has the download file become corrupt? Is it some problem in this device?
> You can try to manually download the package from download.mikrotik.com - choose extra packages, which is a ZIP file. Then extract all the packages (npk files) you need - get the list of installed and enabled packages from the router itself. Upload those npk files to the router and reboot the router afterwards.
> If it doesn't upgrade during reboot, check the log for any information.

I did it this way and it worked, so I guess either the CDN or the copy in the download site itself got corrupted...
> > *) winbox - do not allow setting "dns-lookup-interval" to "0";
> Does anyone know where to find this setting? I have been looking for it for years now.
> Update: Found it on a Polish site and it is a setting not applying to what I was looking for.

It was a very "funny" bug actually - a device added to Dude via Winbox with default settings caused instant 100% CPU load, with 50% going to the Dude server and another 50% to the DNS resolver, as Dude was polling it with a zero interval.
> Has the download file become corrupt? Is it some problem in this device?

The upload is corrupt - the CDN (upgrade.mikrotik.com) serves broken files:
# ls -1las routeros-mipsbe-6.45beta62.npk-*
12056166 Jun 14 08:28 routeros-mipsbe-6.45beta62.npk-download.mikrotik.com
11583488 Jun 14 08:31 routeros-mipsbe-6.45beta62.npk-upgrade.mikrotik.com
# md5sum routeros-mipsbe-6.45beta62.npk-*
d7b9284935f8123cbf4df0c735c995c3 routeros-mipsbe-6.45beta62.npk-download.mikrotik.com
637a0bbb58bb0a3012ae9289dc9e7cbc routeros-mipsbe-6.45beta62.npk-upgrade.mikrotik.com
HW offloading doesn't work on the hAP ac (RouterBOARD 962UiGS-5HacT2HnT) with ROS 6.45beta62. On stable 6.44.3 HW offloading is working. I sent an email to your support with rif files.
> Version 6.45beta62 has been released.
> !) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator;

I can connect to a VPN server in Windows using IKEv2 with username and password only, can this work on RouterOS?

> Have a look at this page for NordVPN; if your provider has no specific certificate then you need the root cert from/for that provider
> https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS

In Windows, it needs username and password only.

> msatter All EAP methods require at least the root CA certificate for IKEv2. On Windows, it is possible that the CA certificate is already in the Trusted Windows Certificate store so you do not have to import anything. Either ask your provider for the CA certificate or try finding out which certificate is used on Windows and export it to RouterOS.
> Also there is no wildcard support for the remote-id fqdn field. I would suggest leaving the remote-id at auto.

emils How can I find which certificate is used? thanks!
mezzovide no, conntrack has nothing to do with it, however we have already fixes for your described issues in previous betas. Did you try the latest beta and can verify the issue is still present?
> MD5 (routeros-mipsbe-6.45beta62.npk) = 637a0bbb58bb0a3012ae9289dc9e7cbc

The website says it should be:
MD5 routeros-mipsbe-6.45beta62.npk: d7b9284935f8123cbf4df0c735c995c3