Community discussions

spr41178
Member Candidate
Topic Author
Posts: 114
Joined: Tue Apr 01, 2014 11:11 pm

PH2 State script

Sat Mar 20, 2021 2:11 pm

Good morning,

I would like a script that checks the PH2 state of a specific policy and, if it finds it at no phase2, disables and re-enables it.

I am having an issue where one of my policies, if it gets interrupted for any reason, goes to no phase2, and the only way it comes back online is to disable and re-enable it, so until I figure out why, a script to do this for me would be handy.

I have no experience in scripting whatsoever.

Thanks in advance.
 
accarda
Member Candidate
Posts: 208
Joined: Fri Apr 05, 2019 4:06 pm
Location: Italy

Re: PH2 State script

Sat Mar 20, 2021 6:25 pm

Hi,
you can try this code.
I use the main part of this code just to inform me when PH2 is down, but in this case I modified it to disable, wait 10 sec and re-enable the policy.
Give it a try.
# Loop over every policy except those with action=discard
:foreach i in=[/ip ipsec policy find where action!=discard] do={
	# *FFFFFF is the internal ID of the default template policy; skip it
	:if ($i != "*FFFFFF") do={
		:local state [/ip ipsec policy get $i value-name=ph2-state]
		# Anything other than "established" gets the policy bounced
		:if ($state != "established") do={
			/ip ipsec policy disable number=$i
			:delay 10
			/ip ipsec policy enable number=$i
		}
	}
}
Last edited by accarda on Sat Mar 20, 2021 8:55 pm, edited 1 time in total.
 
spr41178
Member Candidate
Topic Author
Posts: 114
Joined: Tue Apr 01, 2014 11:11 pm

Re: PH2 State script

Sat Mar 20, 2021 8:20 pm

Hi,
you can try this code.
I use the main part of this code just to inform me when PH2 is down, but in this case I modify it to disable, wait 10 sec and re-enable the policy.
Give it a try.
:foreach i in=[/ip ipsec policy find where action!=discard] do={
	:if ($i != "*FFFFFF") do={
		:local state [/ip ipsec policy get $i value-name=ph2-state]
		:if ($state != "established") do={
			/ip ipsec policy disable number=$i
			:delay 10
			/ip ipsec policy enable number=$1
		}
	}
}
Thank you for your answer

I am getting "invalid value for argument numbers" when I load it via terminal to test it.
It disables a standby policy that I have, which I don't want disabled, and keeps it disabled.

Is there a way to point to a specific policy that i want checked other than all of them by comment name let's say?
 
accarda
Member Candidate
Posts: 208
Joined: Fri Apr 05, 2019 4:06 pm
Location: Italy

Re: PH2 State script  [SOLVED]

Sat Mar 20, 2021 8:46 pm

OK,
so then use this modified version:
# Only look at the policy (or policies) carrying this exact comment
:foreach i in=[/ip ipsec policy find comment="put_your_comment"] do={
	# *FFFFFF is the internal ID of the default template policy; skip it
	:if ($i != "*FFFFFF") do={
		:local state [/ip ipsec policy get $i value-name=ph2-state]
		# Anything other than "established" gets the policy bounced
		:if ($state != "established") do={
			/ip ipsec policy disable number=$i
			:delay 10
			/ip ipsec policy enable number=$i
		}
	}
}
Add your comment within those "" and you will be good. Just choose a simple comment, just one word.
Let me know if this one works better for you.
Anyway, put this code into a script (create /system script) for it to work.

P.S: the previous code failed to re-enable because I made a typo in the variable $i, which became $1 (that does not exist of course), hence the improper value. Now in this snippet you will get the proper variable name, so it will disable and re-enable the policy after all.
 
SiB
Forum Guru
Posts: 1888
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: PH2 State script

Sat Mar 20, 2021 9:21 pm

One problem... sometimes we see a not-established state for a few seconds, which is normal, and this script can be too brazen/aggressive.
Some latency and testing again would be perfect.
Additional note: some policies can be together at one peer, and that script can do a few additional actions.

This topic is interesting because I see similar problems with some IPSec tunnels.
Sometimes we must re-enable policies or proposals, remove active peers, and sometimes disable PH1&2 IPSec for 5m and then enable it. Those 4 types of actions work on different problems.

My last problem with IPSec is here: IPSec PH2 "ready to send" without Active Peer, User cannot connect, Win10 #809 or #0
 
accarda
Member Candidate
Posts: 208
Joined: Fri Apr 05, 2019 4:06 pm
Location: Italy

Re: PH2 State script

Sun Mar 21, 2021 9:04 am

Hi SiB,
yes, also the script that I'm using on my router (which mainly sends a telegram msg to inform me about some issue with PH2) gets triggered even though the IPSec tunnel is active and working.
Of course, in terms of scripting it all depends on how often you run it; the chances that you catch one of those glitches could be high for a high-frequency detection mode.
I have a stable VPN tunnel with another site, and with a previous ADSL link at the main side I was getting a PH2 failure once per day. Now, after that connection moved to fiber, I don't see many of these alarms, but sometimes it still happens. I run the script every 5 sec, so the chances that I intercept one of these glitches are there, but I just limit the telegram msgs to a certain amount a day, just in case IPSec goes down for an extended period of time and I won't get flooded with telegrams.
Armando
 
spr41178
Member Candidate
Topic Author
Posts: 114
Joined: Tue Apr 01, 2014 11:11 pm

Re: PH2 State script

Sun Mar 21, 2021 11:45 am

OK,
so then use this modified version:
:foreach i in=[/ip ipsec policy find comment="put_your_comment"] do={
	:if ($i != "*FFFFFF") do={
		:local state [/ip ipsec policy get $i value-name=ph2-state]
		:if ($state != "established") do={
			/ip ipsec policy disable number=$i
			:delay 10
			/ip ipsec policy enable number=$i
		}
	}
}
Add your comment within those "" and you will be good. Just choose a simple comment, just one word.
let me know if this one works better for you.
Anyway put this code into a script (create /system script) for it to work.

P.S: the previous code failed to re-enable because I made a typo in the variable $i, which became $1 (that does not exist of course), hence the improper value. Now in this snippet you will get the proper variable name, so it will disable and re-enable the policy after all.
Works a treat my friend.

Thank you very much...

I will also save your first version with the corrected $1, as it checks all the policies; it might also come in handy someday.

Thanks again
 
accarda
Member Candidate
Posts: 208
Joined: Fri Apr 05, 2019 4:06 pm
Location: Italy

Re: PH2 State script

Sun Mar 21, 2021 12:16 pm

Good to hear this.
Actually I have fixed the typo in the original snippet, so you can copy/paste from there as well to get the whole working code.
In my original code the foreach, which gets the policies except those with action "discard", is because I have a policy to avoid L2TP staying up when there is no IPSec. But it should not interfere with your case if you don't have such a thing.
Also the first IF avoids taking the default template policy, with that *FFFFFF filter.

Armando
 
SiB
Forum Guru
Posts: 1888
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: PH2 State script

Wed Mar 24, 2021 2:44 pm

It can be easier to write:
# Let find do the filtering: no template, not established, matching comment
:foreach i in=[/ip ipsec policy find !template ph2-state!=established comment="put_your_comment"] do={
  /ip ipsec policy disable number=$i
  :delay 10
  /ip ipsec policy enable number=$i
}


Sometimes, without traffic, a tunnel can be unused and have the state expired, and any traffic will recover it to established. The expired state is not bad during broken connections.
The real problems with a tunnel are where:
/ip ipsec policy print where ph2-state!=expired ph2-state!=established !template !active

In most cases the best parameters are: !active !template
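A more conservative version of the bounce script, added here as an example rather than code from the thread: it selects one policy by comment (the comment "site-b" and the global counter names are assumed placeholders), leaves an `expired` policy alone as SiB describes, re-checks the state after a pause so a few-second glitch does not trigger a bounce, and caps the number of bounces per day. It assumes it is run from /system scheduler with read, write and test policy permissions.

```routeros
# Added example, not from the thread. Assumed placeholder values below.
:local targetComment "site-b"
:local recheckDelay 15
:local maxBouncesPerDay 10

# Globals persist between scheduler runs; reset the counter when the day changes.
:global ph2BounceCount
:global ph2BounceDay
:local today [/system clock get date]
:if ($ph2BounceDay != $today) do={
    :set ph2BounceDay $today
    :set ph2BounceCount 0
}

# Skip the template policy and anything an admin has already disabled on purpose.
:foreach i in=[/ip ipsec policy find !template !disabled comment=$targetComment] do={
    :local state [/ip ipsec policy get $i ph2-state]
    # "expired" on an idle tunnel recovers by itself once traffic flows; leave it alone.
    :if ($state != "established" && $state != "expired") do={
        # Re-check after a pause so a transient not-established state is not acted on.
        :delay $recheckDelay
        :set state [/ip ipsec policy get $i ph2-state]
        :if ($state != "established" && $state != "expired") do={
            :if ($ph2BounceCount < $maxBouncesPerDay) do={
                :log warning ("ipsec policy " . $targetComment . " ph2-state=" . $state . ", bouncing")
                /ip ipsec policy disable $i
                :delay 10
                /ip ipsec policy enable $i
                :set ph2BounceCount ($ph2BounceCount + 1)
            } else={
                # Keep the log noisy enough to notice a tunnel that never recovers.
                :log error ("ipsec policy " . $targetComment . " still down, daily bounce limit reached")
            }
        }
    }
}
```

The log lines give a record of every automated bounce, which makes it easier to correlate recurring PH2 failures with what the peer side sees.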
