panisk0
newbie
Topic Author
Posts: 25
Joined: Sun Mar 06, 2016 10:36 pm
Location: Cracow

SSTP Mikrotik Client / probably bug 6.41.3

Fri Apr 06, 2018 4:40 pm

I'm using sstp to connect two networks. I noticed that if the operator link flaps at some point, the sstp client does not want to connect even if the link starts working correctly. The solution is to remove the sstp client and add a new one with identical parameters, or to restart the client's router. It appears on several clients from different locations. Any ideas?

main router log
15:34:12 sstp,ppp,info,account sXs logged in, 172.1.55.6
15:34:12 sstp,ppp,info sstp-sXs: authenticated
15:34:12 sstp,ppp,info sstp-sXs: terminating... - nonce not matching
15:34:12 sstp,ppp,info,account sXs logged out, 0 0 10 0 1
15:34:12 sstp,ppp,info sstp-sXs: disconnected

client router log
15:36:15 sstp,ppp,info sstp-sXs: connecting...
15:36:17 sstp,ppp,info sstp-sXs: authenticated
15:36:17 sstp,ppp,info sstp-sXs: terminating... - aborted by peer
15:36:17 sstp,ppp,info sstp-sXs: disconnected
 
Cha0s
Forum Guru
Posts: 1135
Joined: Tue Oct 11, 2005 4:53 pm

Re: SSTP Mikrotik Client / probably bug 6.41.3

Fri Nov 09, 2018 1:41 pm

It just happened to me on one of my SSTP VPNs with version 6.34.4.

I get the same error in the logs. 'nonce not matching'
 
andrei
newbie
Posts: 27
Joined: Wed Oct 29, 2014 9:53 am

Re: SSTP Mikrotik Client / probably bug 6.41.3

Tue Nov 13, 2018 3:47 pm

Same here. It seems to be a bug.
 
MoneyTalks
just joined
Posts: 2
Joined: Sun Jan 18, 2015 10:40 am

Re: SSTP Mikrotik Client / probably bug 6.41.3

Sun Jan 06, 2019 4:31 pm

Me too with 6.43.8. I have to reconfig the sstp client and it's running now.
 
AndyW
just joined
Posts: 2
Joined: Mon Sep 07, 2020 3:23 pm

Re: SSTP Mikrotik Client / probably bug 6.41.3

Mon Oct 19, 2020 11:41 am

I also have this issue with v6.42.9 on the VPN terminator running on a CHR and v6.44.5 clients running on a variety of Mikrotik hardware. The quickest way for me to resolve it was to remove the client VPN and then undo the change:
/interface sstp-client print
/interface sstp-client remove 0
/undo
Disabling and re-enabling the link did not seem to make a difference. Rebooting the client also worked. I am considering putting the above into a script but wanted to see if there was a better solution. We have several SSTP VPNs acting as site-to-site VPNs, the majority of which are stable. It seems like the issue is caused by instability of the underlying connection (all but one VPN that has exhibited this issue has been on a 3G or 4G link that is heavily utilised); however, once the issue starts, it rarely seems to resolve itself without manual intervention. So far I have not found a way to fix this centrally: if I disable the user account then I get login errors, but as soon as I re-enable the account, it goes back to the same error message.

I don't know if it is a coincidence but it seems like only one or two VPN clients have this issue at any one time. We had a lot of problems with one particular link that needed restarting every day but since another link has started having the problems, the first link has been stable.

Has anyone been able to resolve this issue or can offer any advice?
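For spotting centrally which clients are stuck and need the remove + undo workaround, here is an added example (not code from this thread or from MikroTik): a Python scan of the server log that reports interfaces whose most recent attempts all ended in "nonce not matching". It assumes the log line format quoted in the first post; the threshold of 3, the later timestamps and the interface `sstp-siteB` are constructed for illustration.

```python
import re
from collections import defaultdict

# Per-interface SSTP lines as in the server log quoted in the first post;
# the "...,account" login/logout lines deliberately do not match.
EVENT = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) sstp,ppp,info (?P<iface>\S+): (?P<event>.+)$")
NONCE_FAIL = "terminating... - nonce not matching"

def nonce_failure_streaks(lines):
    """Return {iface: (consecutive nonce failures, time of the latest one)}."""
    streak, last_fail = defaultdict(int), {}
    open_attempt = set()  # authenticated, and no nonce failure seen since
    for line in lines:
        m = EVENT.match(line.strip())
        if not m:
            continue
        iface, event = m["iface"], m["event"]
        if event == "authenticated":
            if iface in open_attempt:  # previous attempt got past the nonce check
                streak[iface] = 0
            open_attempt.add(iface)
        elif event == NONCE_FAIL:
            open_attempt.discard(iface)
            streak[iface] += 1
            last_fail[iface] = m["time"]
    for iface in open_attempt:  # latest attempt is up or ended some other way
        streak[iface] = 0
    return {i: (n, last_fail[i]) for i, n in streak.items() if n}

def stuck_interfaces(lines, threshold=3):
    """Interfaces whose latest `threshold` or more attempts all hit the error."""
    return sorted(i for i, (n, _) in nonce_failure_streaks(lines).items()
                  if n >= threshold)

# Constructed sample: first five lines are from the post, the rest are made up.
SAMPLE_LOG = """\
15:34:12 sstp,ppp,info,account sXs logged in, 172.1.55.6
15:34:12 sstp,ppp,info sstp-sXs: authenticated
15:34:12 sstp,ppp,info sstp-sXs: terminating... - nonce not matching
15:34:12 sstp,ppp,info,account sXs logged out, 0 0 10 0 1
15:34:12 sstp,ppp,info sstp-sXs: disconnected
15:34:20 sstp,ppp,info sstp-siteB: authenticated
15:34:23 sstp,ppp,info sstp-sXs: authenticated
15:34:23 sstp,ppp,info sstp-sXs: terminating... - nonce not matching
15:34:34 sstp,ppp,info sstp-sXs: authenticated
15:34:34 sstp,ppp,info sstp-sXs: terminating... - nonce not matching
""".splitlines()
print(stuck_interfaces(SAMPLE_LOG))
```

Fed from a remote syslog target, the same function can drive an alert so the affected site is known before users report it.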
 
vogtdominik
just joined
Posts: 16
Joined: Fri Mar 22, 2019 2:39 pm

Re: SSTP Mikrotik Client / probably bug 6.41.3

Tue Mar 23, 2021 11:24 am

Happens to me as well.

Server 6.46.7 CHR
Clients 6.46.7 MIPSBE at least, not sure if this happens to ARM as well.

We are running CHR VPN Server on DigitalOcean and during their maintenance our VPN-Servers always need to be babysat.

MIKROTIK PLEASE FIX THIS!

@AndyW: We are using a secondary VPN via l2tp/ipsec if the first SSTP VPN fails.
 
sergejs
MikroTik Support
Posts: 6694
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: SSTP Mikrotik Client / probably bug 6.41.3

Wed Nov 03, 2021 10:00 am

I know this is quite an old post...
In case you are experiencing the same issue accidentally, we can offer you a test build for this issue. Let us know if you are interested.
 
AndyW
just joined
Posts: 2
Joined: Mon Sep 07, 2020 3:23 pm

Re: SSTP Mikrotik Client / probably bug 6.41.3

Thu Nov 04, 2021 10:27 am

Hi Sergejs,
I am happy to try out a test build for this. We have done some more testing ourselves as we have rolled out about 40 of these links. It seems that very often the mobile phone network connection is not very good. Because of this the connection often connects and disconnects. Initially we had the SSTP links open on port 443 to the Internet but this seemed to cause problems as the port was often scanned as if it was a web server. To change this, we connected to the Mikrotik through an Nginx reverse proxy. It is this setup that seemed to cause the most problems with the nonce not matching errors. Since then we have moved the links to using a high level port and this seems to work OK. We have also set the sites to use two SSTP tunnels, one on the main router and a second on the 4G router with the primary route being over the main router rather than the 4G link. The site that caused us the most problems now uses a fiber MPLS link rather than SSTP so it is just our management connections that still use SSTP. I have also been looking into L2TP over IPSec as suggested by vogtdominik. I think this will also help with the links dropping because of poor mobile signals.

I do like the simplicity of the SSTP links with mutual TLS certificate based authentication which is simpler than IPSec so it would be nice to be able to use it with confidence. All our sites are remote but because we now have a management connection via the main router, it should not be a problem to put new firmware on the 4G router and connect that back to a separate VPN server for testing. The 4G routers are all RBwAPR-2nD devices. The central server is a CHR running on KVM so we can create another instance for testing. As mentioned before, we have not had the issue since we stopped using the Nginx reverse proxy so maybe we are not the best candidate for testing with but I am happy to help if I can.
 
sergejs
MikroTik Support
Posts: 6694
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: SSTP Mikrotik Client / probably bug 6.41.3

Fri Nov 05, 2021 11:53 am

Andy, here you will find the mipsbe package for the SSTP fix:
https://box.mikrotik.com/d/dafb3cf8e9994dde8dfb/
In case you are able to reproduce the issue frequently, it would be great if you could share your feedback with us.
 
aoakeley
Member Candidate
Posts: 170
Joined: Mon May 21, 2012 11:45 am

Re: SSTP Mikrotik Client / probably bug 6.41.3

Thu Feb 03, 2022 10:53 am

Has this been fixed in any of the newer releases yet?
 
sergejs
MikroTik Support
Posts: 6694
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: SSTP Mikrotik Client / probably bug 6.41.3

Thu Feb 03, 2022 10:55 am

Are you able to repeat this issue on your side?
In case you are able, we can provide you with the latest beta to test.
 
JacquesLaG
just joined
Posts: 3
Joined: Fri Apr 19, 2019 11:26 pm

Re: SSTP Mikrotik Client / probably bug 6.41.3

Sun Feb 20, 2022 9:45 am

Hi Sergejs,
Currently my hAPac2 (arm) is on version v6.48.6 (routerboard update is also at v6.48.6)
The SSTP server is running on it.
A remotely located SXTsq5lite is trying to connect. I'm not sure of the software version (new out of the box unit, no updates were done on it)
I have 85 active correctly functioning SSTP connections to the same hAPac2.
Please let me know which information I can send to help the situation?
 
SpiritVII
just joined
Posts: 6
Joined: Thu Jan 21, 2021 9:30 am

Re: SSTP Mikrotik Client / probably bug 6.41.3

Tue Feb 22, 2022 3:55 pm

Hi, same behavior on CHR

(the delete+undo trick is working...)
 
bcmdevtl
just joined
Posts: 14
Joined: Sat Mar 27, 2021 2:40 am

Re: SSTP Mikrotik Client / probably bug 6.41.3

Tue Jun 21, 2022 5:52 am

Hello Sergejs,

We are experiencing the same issue on our end, running CHR on 6.48.6 and RB951Ui-2HnD on about 100 sites.
The "nonce not matching" appears after some time, rebooting the router solves the issue for us, then after a while it is back.
Time from reboot until the issue appears could be anything from a day, to a week or two, we've put in place a monthly reboot as a minimum.
We do have some routers we can access even with the SSTP down as they are on static public IP, would be happy to do a remote session with your team if possible to take a look the next time we have a remote in this state.

I know we are running an older version as we are sticking with the long term versions, is there a newer version where you believe this issue has been addressed?

Thanks in advance
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: SSTP Mikrotik Client / probably bug 6.41.3

Mon Aug 08, 2022 8:34 pm

I have experienced it for the first time today, on a wAP ac LTE kit (arm) running 6.47.10 (server is an hAP ac2 running 6.48.6). The remove + undo on the client worked. I assume it surfaced due to a seasonal overload of the LTE sector where the wAP ac is connected. To be seen yet whether it happens again. If it does, is the test build available in 6.x? It's 600 km away with no one qualified enough to run netinstall nearby.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: SSTP Mikrotik Client / probably bug 6.41.3

Mon Aug 08, 2022 8:58 pm

A known issue not yet resolved since 2018? It seems you're stating that a wifi saturation issue is causing the SSTP connection to get buggered up?
Seems to be a theme here with security protocols and what happens when a disconnection occurs, NO GRACEFUL recovery................ lacking robustness in software coding.
 
mojiro
Frequent Visitor
Posts: 91
Joined: Sun Jul 24, 2005 9:21 pm

Re: SSTP Mikrotik Client / probably bug 6.41.3

Mon Mar 18, 2024 12:49 pm

It happens that I have the same issue with some old installations that I cannot risk upgrading due to the fact that they are remote installations.

My SSTP Server runs on 7.14.1, while those remote clients are using from 6.23 to 6.43.2. The issue is random, and the only permanent solution was to disable the Certificate from the server.

That means no security over a "secure" VPN, but they will remain connected.. ¯\_(ツ)_/¯
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: SSTP Mikrotik Client / probably bug 6.41.3

Mon Mar 18, 2024 1:36 pm

Or time for a trip, sooner or later having remote devices means a trip. With wireguard and ver7 software probably soon.
It should be a built in plan to any IT equipment anyway.
