VioxxElite
just joined
Topic Author
Posts: 10
Joined: Thu Apr 29, 2021 6:32 pm

force Cisco VPN downfall

Thu Apr 29, 2021 6:44 pm

Good afternoon everyone,

I need some help with some scripts I created; they work, but not very well.

I'll explain the scenario.

Behind the MikroTik I have a Cisco 891, which closes a VPN with our central, but sometimes this VPN falls, and on the MikroTik, in (IP > Firewall > Connections), the Cisco local network begins to appear.

With this method I am validating whether the Cisco VPN is active or not.

And with that information I try to take down the VPN for it to make a new request.

######################## Check-VPN - 5M (ENABLE) ########################

:local CISCO "ether10 - Cisco"
:local DELAY "30s"
# Globals must be declared in every script that reads or writes them
:global CHECKVPN true
:global CONTVPN
:global CONTREBOOT
:global CONTREBOOT1

# After 20 failed checks: bounce the Cisco-facing port and flush IPsec/conntrack state
:if ($CONTVPN >= 20) do={
	# Save the reboot counter; it is restored at the end of this branch
	:set CONTREBOOT1 ($CONTREBOOT)
	:set CHECKVPN false
	:set CONTVPN 0
	/system scheduler enable AlternIP; :delay 5s
	:log warning "Check-VPN > AlternIP ENABLE"
	/interface ethernet set $CISCO disabled=yes; :delay 120s; /interface ethernet set $CISCO disabled=no
	/ip firewall connection remove numbers=[find protocol="ipsec-esp"]
	/ip firewall connection tracking set enabled=no; :delay $DELAY; /ip firewall connection tracking set enabled=yes
	/ip dns cache flush
	:log warning "Check-VPN > Restart Interface $CISCO"
	:set CONTREBOOT ($CONTREBOOT1)
} else={
	:while ($CHECKVPN) do={
		:set CONTVPN ($CONTVPN + 1);
		:delay $DELAY;

		# Connections sourced from the Cisco local network (11.76.x) are treated as "VPN down"; "~" is a regex match
		:if ([:len [/ip firewall connection find src-address~"11.76."]] > 0) do={
			/system scheduler enable Clean-Connections
			:log warning "VPN DOWN"
			:log warning "Check-VPN > Clean-Connections ENABLE"
		} else={
			:set CHECKVPN false
			:set CONTVPN 0
			/system scheduler set Check-VPN interval=4m
			:log warning "VPN OK"
		}
	}
}

######################## Clean-Connections - 1,3M  (DISABLE) ########################

:global REBOOT true
:global CONTREBOOT
# Also written in the else branch, so they must be declared here too
:global CHECKVPN
:global CONTVPN

# While Cisco local-network connections are still visible, flush them and arm the Reboot scheduler
:if ([:len [/ip firewall connection find src-address~"11.76."]] > 0) do={
	/ip firewall connection remove numbers=[find src-address~"11.76."]
	/ip firewall connection remove numbers=[find src-address~"10.20.30."]
	/ip firewall connection remove numbers=[find src-address~"192.168.1.5"]
	/ip firewall connection remove numbers=[find src-address~"192.168.1.6"]
	/ip dns cache flush
	/system scheduler enable Reboot
	:log warning "Clean-Connections > Reboot ENABLE"
} else={
	# VPN is back: reset all counters and disable the recovery schedulers
	:set REBOOT false
	:set CONTREBOOT 0
	:set CHECKVPN false
	:set CONTVPN 0
	/system scheduler set Reboot interval=10s; /system scheduler disable Reboot
	/system scheduler disable Clean-Connections
	:log warning "VPN OK"
	:log warning "Clean-Connections > Reboot DISABLE"
	:log warning "Clean-Connections > Clean-Connections DISABLE"
}

######################## Reboot - 10s (DISABLE) ########################

:local CISCO "ether10 - Cisco"
# Set by Clean-Connections; must be declared here to be visible
:global REBOOT
:global CONTREBOOT

/system scheduler set Reboot interval=60m

:while ($REBOOT) do={
	:set CONTREBOOT ($CONTREBOOT + 1);
	:log warning "Reboot > CONTREBOOT=$CONTREBOOT"
	/system script run LinkDown
	:delay 30s;

	# After 20 attempts: reset state, re-enable the Cisco port and reboot the MikroTik
	:if ($CONTREBOOT >= 20) do={
		/system scheduler enable AlternIP; :delay 5s
		:log warning "Reboot > AlternIP ENABLE"
		/system scheduler disable Reboot; /system scheduler set Reboot interval=10s
		:set REBOOT false
		:set CONTREBOOT 0
		/system scheduler disable Clean-Connections
		/interface ethernet set $CISCO disabled=no
		/system scheduler set Check-VPN interval=1m

		:log warning "Reboot > Mikrotik Rebooted"
		/system script run Mikrotik-Rebooted; :delay 5s

		/system reboot
	}
}

######################## AlternIP - 1s (DISABLE) ########################

:local IPCISCO

# Alternate the Cisco's DHCP lease between 192.168.1.5 and 192.168.1.6
:if ([:len [/ip dhcp-server lease find active-address="192.168.1.5"]] > 0) do={
	:set IPCISCO 192.168.1.6
	/ip dhcp-server lease set [find host-name~"Store"] address=$IPCISCO
	/system scheduler disable AlternIP
	:log warning "AlternIP > SET IP=$IPCISCO"
} else={
	/ip dhcp-server lease make-static [find host-name~"Store"]
	:set IPCISCO 192.168.1.5
	/ip dhcp-server lease set [find host-name~"Store"] address=$IPCISCO
	/system scheduler disable AlternIP
	:log warning "AlternIP > SET IP=$IPCISCO"
}
 
KayBur
just joined
Posts: 16
Joined: Thu Apr 29, 2021 3:33 pm
Location: Springfield

Re: force Cisco VPN downfall

Fri Apr 30, 2021 4:23 pm

But what if you write a script for automatic VPN reconnection to compensate for the time spent on manual reconnection?
 
VioxxElite
just joined
Topic Author
Posts: 10
Joined: Thu Apr 29, 2021 6:32 pm

Re: force Cisco VPN downfall

Fri Apr 30, 2021 8:02 pm

The problem is that we do not have access to the Cisco, and sometimes its VPN crashes.
