 
dot02
Member Candidate
Topic Author
Posts: 108
Joined: Tue Jun 15, 2021 1:23 am

IPsec DPD collision and reply ignored

Thu Nov 17, 2022 1:48 am

Hi folks,

I am running into an issue and your input would be much appreciated. To make it simple, I have 3 MT routers with GRE/IPsec (IKEv2) tunnels in a triangle.
router A: RB3011, ROS 7.5, static public IP address
router B: RB3011, ROS 7.5, static public IP address
router C: LDF LTE6kit, ROS 7.5, dynamic public IP address with CG-NAT

Tunnel A-B is rock solid and works like a charm
Tunnels A-C and B-C (the ones terminated on the LDF LTE6kit) also work great for over 24 hours, but after a day or so, they "freeze" and I see the following error messages in the logs on both endpoints:
ipsec: dpd collision
[...]
ipsec,debug: reply ignored

If I flush the SA manually (on either end), a new SA establishes and the GRE tunnel comes up immediately. It is worth mentioning that the last public IP change on the router C was over 30 hours ago, so this can be ruled out as a possible cause.

I ran into this post here: viewtopic.php?p=543834 but it hasn't been followed up. Indeed, I have set up DPD on IPsec (interval=5, max failures=3). IPsec SA Lifetime is set to 1 hour.

Could you give me some insights about the 2 error messages ("dpd collision" and "reply ignored")? I can't rule out that my DPD settings are non-optimal. I have to admit that it is the first time I have set up an IKEv2 IPsec in a production environment. So I took over most settings from my old IKEv1 configs... :-?

Cheers!

PS: I don't think posting my configs here would bring any benefit (yet), for the moment these are more conceptual questions/global recommendations.
 
dot02
Member Candidate
Topic Author
Posts: 108
Joined: Tue Jun 15, 2021 1:23 am

Re: IPsec DPD collision and reply ignored

Mon Dec 05, 2022 12:21 pm

The error messages vanished after I checked and adapted the MTU on all GRE interfaces (no errors for over 2 weeks). I don't really understand why MTU settings would trigger a DPD error, but it works now, that's the most important thing.
 
gt4a
just joined
Posts: 18
Joined: Mon Sep 14, 2015 11:14 am

Re: IPsec DPD collision and reply ignored

Wed Mar 01, 2023 8:08 am

Came from Google with the same error. dpd=3 works in RouterOS v6; after upgrading to v7, IPsec with IKEv2 fails.

Changing dpd to 5 fixed the issue.

Thank you for your post.
