ik3umt
Member Candidate
Topic Author
Posts: 295
Joined: Tue Jul 08, 2014 3:58 pm

How to flush connection in a failover route change ?

Tue Jun 28, 2022 6:52 pm

Main 0.0.0.0/0 route points to a virtual GW checking (ping) recursively two internet hosts.
Secondary 0.0.0.0/0 route (distance 2) becomes active when the first one fails, but active connections are still hung on the primary route, preventing navigation.
Of course manual connections flush does the trick.

What's the best way to do it automatically ??
 
pe1chl
Forum Guru
Posts: 10197
Joined: Mon Jun 08, 2015 12:09 pm

Re: How to flush connection in a failover route change ?

Tue Jun 28, 2022 7:57 pm

Of course the command to flush connections would be "/ip firewall connection remove [find]".
But the tricky part is how to call that when a failover configuration like that has been done. I don't think you can call a script on failure.
(of course you can install an additional netwatch to do it)
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: How to flush connection in a failover route change ?

Tue Jun 28, 2022 9:12 pm

Do not remove or alter the timeout condition value
/ip fire conn
:foreach idc in=[find where timeout>60] do={ remove [find where .id=$idc] }
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to flush connection in a failover route change ?

Wed Jun 29, 2022 8:13 pm

Can you verbally describe what the script is doing at each step, uncode it in PLAIN italian.......... (then will reverse engineer it in English ;-) )

And note that I have no idea what /ip fire conn refers to............
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: How to flush connection in a failover route change ?

Wed Jun 29, 2022 8:31 pm

Italian is not involved, simply english...

/ip firewall connection
:for each id_of_connection inside the results obtained from research [ find where timeout value is major of 60 ] do remove all the connections where the ids are equal to id_of_connections obtained

and NOT,
this is NOT equal as
/ip firewall connection remove [find]
or
/ip firewall connection remove [find where timeout>60]
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to flush connection in a failover route change ?

Wed Jun 29, 2022 8:34 pm

No point in flushing TCP connections as they'll eventually die out anyway for the lack of response - and if there was no NAT, flushing would not be necessary. UDP connections and/or ping "connections" are another thing, as those updated from the LAN side will survive forever unless you remove them.

So rather than selecting the ones to be removed by timeout, I'd choose them on reply-dst-address. You don't need the foreach cycle as suggested by @rextended unless you want to avoid a load peak on the CPU - /ip firewall connection remove [find where protocol=udp reply-dst-address~"ip.of.inaccessible.wan"] will remove them all, of course using a cycle, but an internal, and therefore faster, one.

But as others have already stated, there is no event related to state change of a route, to which you could hook the execution of the script. So /tool netwatch is one possibility (with some non-obvious limitations), /system scheduler is another one. With the scheduler, you have to check the route state at every run, so the full script would look somehow like :if ([:len [/ip route find where gateway=x.x.x.x dst-address=0.0.0.0/0 active]]=0) do={/ip firewall connection remove [find where protocol=udp reply-dst-address~"ip.of.inaccessible.wan"]}, and you can even place it directly into the on-event parameter of the /system scheduler row.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: How to flush connection in a failover route change ?

Wed Jun 29, 2022 8:40 pm

Already considered and made for
viewtopic.php?f=13&t=176956&p=868082#p870786
:global newIP [:tostr $"local-address"]

/ip fire conn
:foreach idc in=[find where timeout>60 and (!(reply-dst-address~$newIP))] do={
 remove [find where .id=$idc]
}
But with too few details, as usual, I cannot adapt it to this user request without any data...

In this case, if IP obtained are the same, do nothing, if IP obtained is different, drop all "invalid" tracked connection (that have timeout major to 60 seconds)
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: How to flush connection in a failover route change ?

Wed Jun 29, 2022 8:46 pm

> No point in flushing TCP connections as they'll eventually die out anyway for the lack of response

On RouterOS default configuration is 1 day timeout for established TCP, unacked TCP 5 minutes, for other TCP status are usually 10 seconds...
On UDP Streams default configuration is 3 minutes
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to flush connection in a failover route change ?

Wed Jun 29, 2022 8:54 pm

Correct, my point is that the TCP client will drop the session on timeout and use another port to create a new one, so the fact that the tracked connection related to the old session still exists doesn't prevent the new one from establishing. So removing TCP connections just helps speed a little bit (faster search) but doesn't prevent new ones from succeeding, in contrary to the UDP and ICMP echo case.
Last edited by sindy on Wed Jun 29, 2022 9:09 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: How to flush connection in a failover route change ?

Wed Jun 29, 2022 9:00 pm

Yes, I do not want to object :P
I just want to say that on the devices that I configure, established timeout is reduced to 10 min, udp to 2 min and unacked to 1 min.
At current internet speed it is absurd to wait 5 min for a reply and 1 day for a single packet to pass.......
 
chechito
Forum Guru
Posts: 2990
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: How to flush connection in a failover route change ?

Wed Jun 29, 2022 9:04 pm

Try modifying connection tracking timings to make broken connections expire sooner.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: How to flush connection in a failover route change ?

Wed Jun 29, 2022 9:08 pm

At this time, better wait for @ik3umt's reply, assuming he answers....
 
ik3umt
Member Candidate
Topic Author
Posts: 295
Joined: Tue Jul 08, 2014 3:58 pm

Re: How to flush connection in a failover route change ?

Fri Jul 01, 2022 8:44 am

> at this time ,better wait @ik3umt reply, assuming he answers....

Thanks for replies,

Not sure what reply you're expecting from me..... :o

Just as said, that failover technique works fine, connection on failover route is immediately available but (TCP, UDP, etc.) old connections are stuck on waiting/sleeping, so no internet for current LAN users (except for new connections) despite the backup route being up.

I'm just finding the IMMEDIATE way to automatically restart all current connections toward new route (and IMMEDIATELY back on main one when it becomes available again).

Unfortunately I can't netwatch the virtual recursive host as it doesn't respond to ping,
I could netwatch real internet hosts under test (1.1.1.1, 8.8.4.4 etc.) but a single lack of packet doesn't necessarily mean main route failure.

I think the problem is not in what the script will do (what to flush), instead, by what I recall the script..... basically, how to detect routes switch
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to flush connection in a failover route change ?

Fri Jul 01, 2022 10:45 am

> Not sure what reply you're expecting from me..... :o

Not sure what @rextended was expecting, but for me this narrowing the question down to the only part you are really missing did make sense.

However, it does not change anything about what I've already written. Currently, the only asynchronous events you can hook a script to are DHCP lease state change, PPP interface state change, and VRRP interface state change. Neither of those can be related to a route state change in any useful way (leaving aside the crazy idea of establishing a PPP tunnel solely for the purpose of monitoring link state, which would introduce an additional delay anyway).

Netwatch state change cannot be considered an asynchronous event in terms that it detects the state change of the route with some delay due to the nature of its operation. In fact, the failover based on recursive next-hop search also doesn't detect the outage immediately, the check-gateway pings are hardcoded to a 10-second periodicity. And you cannot synchronise netwatch or scheduler to those intervals so that they could check the outcome immediately after the check-gateway test has ended. So a periodically scheduled script is currently the only option - you check the route state every second and take action if it is down.
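
One way to write the periodic check described in this post and in sindy's earlier one, extended so that it flushes only when the primary route changes state and covers failback as well as failover. This is an added example, not a script posted in the thread; `x.x.x.x` is the placeholder gateway from the earlier post, and the two WAN addresses, the script name and the variable names are constructed placeholders.

```routeros
# Added example, not from the thread. Placeholders (assumptions):
#   x.x.x.x        gateway of the primary default route (placeholder from the thread)
#   192.0.2.10     constructed address of the primary WAN (NAT source address)
#   198.51.100.10  constructed address of the backup WAN (NAT source address)
/system script add name=flush-on-failover source={
    # Remembers the route state seen on the previous run.
    :global primaryWasUp
    :local primaryIsUp ([:len [/ip route find where gateway=x.x.x.x dst-address=0.0.0.0/0 active]] > 0)

    # First run after boot: record the state, flush nothing.
    :if ([:typeof $primaryWasUp] = "nothing") do={ :set primaryWasUp $primaryIsUp }

    :if ($primaryIsUp != $primaryWasUp) do={
        # After failover the stale entries are NATed to the primary WAN address,
        # after failback they are NATed to the backup WAN address.
        :local staleWan "192.0.2.10"
        :if ($primaryIsUp) do={ :set staleWan "198.51.100.10" }

        # Only UDP and ICMP entries are removed: they are kept alive by LAN-side
        # traffic, while TCP clients time out and retry from a new source port.
        /ip firewall connection remove [find where protocol=udp reply-dst-address~$staleWan]
        /ip firewall connection remove [find where protocol=icmp reply-dst-address~$staleWan]

        :log info ("default route switched, flushed connections NATed to " . $staleWan)
        :set primaryWasUp $primaryIsUp
    }
}

# Poll every second, as suggested in the post above.
/system scheduler add name=flush-on-failover interval=1s on-event=flush-on-failover
```

Because check-gateway itself probes every 10 seconds, the flush follows the route change by at most one scheduler interval, not the outage itself.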
 
pe1chl
Forum Guru
Posts: 10197
Joined: Mon Jun 08, 2015 12:09 pm

Re: How to flush connection in a failover route change ?

Fri Jul 01, 2022 11:47 am

Netwatch is currently becoming a bit better in v7 (from v7.4beta5) but still it has lots of issues as described above.
You could file a feature request to have a state-change script call for checked routes, that would be useful for others too.
 
ik3umt
Member Candidate
Topic Author
Posts: 295
Joined: Tue Jul 08, 2014 3:58 pm

Re: How to flush connection in a failover route change ?

Fri Jul 01, 2022 6:15 pm

Well...I'm actually starting from scratch with the lab routerboard and two WANs.
When the first route fails I can use the failover one within a few seconds (and a few page refreshes on various browsers), acceptable at all :shock:
I came to ask in this thread because I experienced systems in which it was impossible to use a browser for minutes (or at least until a manual connections flush).
Weird....I hope not to waste your time for some unknown issues other than a normal connection timeout/refresh.....
