frank333
Member
Topic Author
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

How to maintain an always-on VPN.

Sat Dec 17, 2022 5:24 pm

I have a connection to a free VPN that works very well, but has the odd bug of randomly disconnecting after about 8 hours. I tried to create a little script in netwatch by pinging the gateway of the VPN, but that only works once; then the IP of the gateway changes, netwatch doesn't work anymore, and the VPN connection gets disconnected. Do you know a script or other trick to keep the VPN connection always on?
 
anav
Forum Guru
Posts: 19102
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to maintain an always-on VPN.

Sat Dec 17, 2022 7:14 pm

Look for some ideas here.. PARA 6 - viewtopic.php?t=182340
 
frank333
Member
Topic Author
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: How to maintain an always-on VPN.

Sat Dec 17, 2022 7:28 pm

@anav
Hello,
I have ROS 6.48.6, a dynamic IP, and a fairly stable 300/100 LTE connection.
The VPN only allows SSTP or IKEv2. It is very fast and has low latency, but it disconnects randomly. I think it is not due to a wrong configuration, because the provider has published a specific settings page for MikroTik routers. In your nice guide, though, I did not find anything that I can adapt to my situation to keep the connection active.
P.S. If I connect directly to the VPN with NetworkManager on the computer, the connection almost never drops, and it recovers in case of disconnection.
 
frank333
Member
Topic Author
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: How to maintain an always-on VPN.

Sun Dec 18, 2022 1:40 pm

I managed to make this script, which I put in the scheduler on a 1-minute cycle, but it doesn't work well because it reactivates the VPN as soon as there is no traffic, even though the VPN didn't disconnect.
    /interface monitor-traffic sstp-out1 once do={
        :if ($"rx-packets-per-second" = 0) do={
            /interface set sstp-out1 disabled=no;
        }
    }
 
broderick
Member Candidate
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

Re: How to maintain an always-on VPN.

Sun Dec 18, 2022 3:16 pm

@anav
I have ros 6.48.6 ; dynamic ip, and a fairly stable 300/100 LTE connection.
I also need to use an LTE connection sometimes, and it disconnects every once in a while, especially when I download files.
So, it may have nothing to do with ROS and your VPN, but with your LTE connection.
 
frank333
Member
Topic Author
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: How to maintain an always-on VPN.

Sun Dec 18, 2022 3:25 pm

@broderick,
I rarely have disconnections, even when downloading at full speed (I have a script that constantly checks the gateway). The problem is only with the VPN: I would need a system that monitors the traffic and, if it fails for a predetermined time, restarts the VPN.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to maintain an always-on VPN.

Fri Dec 23, 2022 10:26 pm

With some mobile ISPs, disconnection every 8h is a normal behaviour. It can take up to two minutes to re-establish. With other mobile ISPs, the connection stays up for several weeks.

Regardless of whether that's the root cause of the VPN disconnections or not, one possibility to speed up the failure detection is to ping something other than the gateway via the VPN; if this is not possible, you can use the on-up script in the /ppp profile you use for the /interface sstp-client to update the host on the /tool netwatch row. The scheduled script can also make a test ping if the traffic monitor shows no traffic - :ping returns the number of successful pings as a value, so :if ([:ping x.x.x.x count=3] = 0) do={/interface sstp-client disable [find]; /interface sstp-client enable [find]} should prevent the false positives.

With IKEv2, there is no on-up script, nor is there any gateway, so you have to ping something else in any case.

What surprises me is that you mention "fast" and "SSTP" in a single sentence - between two hAP ac2, an SSTP VPN gave me some 2 Mbit/s whereas IKEv2 between the same two hAP ac2s is maxing out the 20 Mbit/s bandwidth of the last mile links.

Wherever I use SSTP, it takes it 10 minutes to detect a failure and restart automatically. For IKEv2, the dpd-interval and dpd-maximum-failures in /ip ipsec profile are configurable.
 
frank333
Member
Topic Author
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: How to maintain an always-on VPN.

Sat Dec 24, 2022 12:12 pm

Hello sindy,
I did not quite understand what to add in netwatch, since the address of the SSTP host is dynamic and therefore changes with each connection. I messed around a bit with the :if ... script, but I did not get anywhere.
As I wrote, the VPN is free and I think the disconnection is due to some random interruption on the server side. As for the speed, for me it is more than enough, since I only have to use it sporadically from a single device on my LAN and not redirect the entire traffic over it.
P.S. I found out that there is an .ovpn configuration file available which, placed in Ubuntu's NetworkManager, works very well. Do you know if ROS (6.48.6) accepts .ovpn files?
 
Amm0
Forum Guru
Posts: 3253
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: How to maintain an always-on VPN.

Sat Dec 24, 2022 2:30 pm

It might be good to understand how long it takes SSTP and/or IKEv2 to recover WITHOUT a script, e.g. taking minutes vs. never coming back might indicate different problems. As @sindy points out, SSTP may be slow to recover, but it recovers, and IPSec/IKEv2 has a lot of knobs to tweak that might avoid a script (and it also should recover without a script).

Without understanding why/what/how it is getting disconnected, it's hard to know what you'd need to script (and where to put it, e.g. schedule, netwatch, ppp profile, etc.). I'd recommend looking at the logs (and adding more logging if it doesn't show anything when this happens) before getting to cut-and-paste recovery scripts.

Since two VPNs exhibit this problem, I'm not sure a third, OpenVPN, would be any different - but perhaps... I'd focus on making IKEv2 work, as RouterOS has good support for that. If LTE is actually disconnecting, then VPN recovery time is additive with the LTE reconnection time.
 
frank333
Member
Topic Author
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: How to maintain an always-on VPN.

Sat Dec 24, 2022 3:13 pm

@Amm0,
  • If I connect to the VPN through Ubuntu, the connection never drops (I tried from 7 to 24). If I make a connection with ROS instead, it can remain active 4-5 hours, and sometimes a few half hours or 1 hour.
  • When the connection drops, it does not recover any more. I waited a day but nothing happened. The log does not report anything in particular other than the indication of connection and disconnection of the peer.
  • I can try to put the logs in the firewall to get some more information.
 
Amm0
Forum Guru
Posts: 3253
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: How to maintain an always-on VPN.

Sat Dec 24, 2022 4:22 pm

Clearly something is not going right on the MikroTik... Your PC works with the same VPN, and while LTE may have hiccups, you're talking about waiting hours/days for VPN recovery.

While your VPN provider's example config may be okay, it's possible it's not correct for your config/version/etc.

SSTP should have reconnected, perhaps not quickly, but not hours/never (if internet up / VPN allowed). But if something like "Dial On Demand" was set in SSTP when you tested, that's the reverse of "always on", which could also explain your problem. IKEv2 has a lot more chance for config error (e.g. IPSec and firewall and IPs all have to align to work), but again it should stay up once it was connected/working. It likely would have faster recovery time and better throughput - at the expense of complexity.

If you post your config, you might get more eyes on the problem, see viewtopic.php?p=908118
 
frank333
Member
Topic Author
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: How to maintain an always-on VPN.

Sat Dec 24, 2022 5:48 pm

@Amm0,
On the RB3011 I had a l2tp connection that worked for several years without problems and always rebooted automatically.
Now with the sstp my problem is only to restore the connection because it NEVER reactivates automatically.
This below is the manual procedure that I followed and that has only the defect of never reactivating ....
:global username "USERNAME"
:global password "PASSWORD"
:global range "10.0.0.108/32"
:global hostname "nl.hide.me"

/interface sstp-client add authentication=mschap2 connect-to=[:put $hostname] disabled=no name="hide.me SSTP" password=[:put $password] profile=default-encryption tls-version=only-1.2 user=[:put $username]

/ip firewall mangle add action=mark-routing chain=prerouting new-routing-mark=SSTP passthrough=yes src-address=[:put $range]

/ip firewall nat add action=masquerade chain=srcnat out-interface="hide.me SSTP"

/ip route add distance=1 gateway="hide.me SSTP" routing-mark=SSTP

:set hostname "";:set password "";:set username "";:set range "" 
 
Amm0
Forum Guru
Posts: 3253
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: How to maintain an always-on VPN.

Sat Dec 24, 2022 7:58 pm

Fair enough. Their config looks okay to me – all defaults other than auth stuff. And the auth stuff pretty sure they'd know what they support ;).

But from your logs it does look like it's trying, just not connecting. If you add a bit more logging, might give us a clue as to why. This will cause debug-level logging of SSTP:
/system logging add topics=sstp,!packet
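
Added example (not part of the thread, and not MikroTik's or the VPN provider's code): once the debug logging above is enabled, a short Python script can group the SSTP log lines into connection attempts and show how long each session stayed up and why it ended. The sample lines are constructed in the syslog layout seen in this thread; the function names, outcome labels and default year are assumptions of this example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample (not from a real router), in the remote-syslog layout
# shown in this thread for "topics=sstp,!packet". The last attempt has the
# host and tag run together, as happens in some redacted logs.
SAMPLE_LOG = """\
Jan 05 08:00:00 router logger sstp,ppp,info sstp-out1: initializing...
Jan 05 08:00:00 router logger sstp,ppp,info sstp-out1: connecting...
Jan 05 08:00:03 router logger sstp,ppp,debug sstp-out1: LCP opened
Jan 05 08:00:03 router logger sstp,ppp,info sstp-out1: authenticated
Jan 05 08:00:04 router logger sstp,ppp,info sstp-out1: connected
Jan 05 09:30:04 router logger sstp,ppp,info sstp-out1: terminating... - connection timeout
Jan 05 09:30:05 router logger sstp,ppp,info sstp-out1: disconnected
Jan 05 09:30:15 router logger sstp,ppp,info sstp-out1: initializing...
Jan 05 09:30:15 router logger sstp,ppp,info sstp-out1: connecting...
Jan 05 09:30:18 router logger sstp,ppp,info sstp-out1: authenticated
Jan 05 09:30:18 router logger sstp,ppp,debug sstp-out1: LCP lowerdown
Jan 05 09:30:18 router logger sstp,ppp,info sstp-out1: terminating... - aborted by peer
Jan 05 09:30:18 router logger sstp,ppp,info sstp-out1: disconnected
Jan 05 09:30:28 routerlogger sstp,ppp,info sstp-out1: initializing...
Jan 05 09:30:28 routerlogger sstp,ppp,info sstp-out1: connecting...
Jan 05 09:30:38 routerlogger sstp,ppp,info sstp-out1: terminating... - could not resolve name
Jan 05 09:30:38 routerlogger sstp,ppp,info sstp-out1: disconnected
"""

# timestamp, host/tag (skipped), topics, interface name, message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?"
    r"(?P<topics>sstp,\S+) (?P<iface>[^:]+): (?P<msg>.*)$"
)


@dataclass
class Attempt:
    iface: str
    started: datetime
    authenticated: bool = False
    connected_at: Optional[datetime] = None
    ended: Optional[datetime] = None
    reason: Optional[str] = None

    @property
    def uptime(self) -> Optional[timedelta]:
        """Time between 'connected' and 'terminating', if both were seen."""
        if self.connected_at and self.ended:
            return self.ended - self.connected_at
        return None

    @property
    def outcome(self) -> str:
        # Labels are this example's own, not RouterOS terminology.
        if self.ended is None:
            return "open"
        if self.connected_at:
            return "dropped"
        return "refused-after-auth" if self.authenticated else "failed-before-auth"


def parse_attempts(text: str, year: int = 2022) -> List[Attempt]:
    """Group log lines into attempts. Syslog lines carry no year, so one is assumed."""
    attempts: List[Attempt] = []
    current: Dict[str, Attempt] = {}  # interface name -> attempt in progress
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        iface, msg = m["iface"], m["msg"].strip()
        if iface not in current:  # first line after a 'disconnected' (or of the file)
            current[iface] = Attempt(iface, ts)
            attempts.append(current[iface])
        att = current[iface]
        if msg == "authenticated":
            att.authenticated = True
        elif msg == "connected":
            att.connected_at = ts
        elif msg.startswith("terminating... - "):
            att.ended, att.reason = ts, msg.split(" - ", 1)[1]
        elif msg == "disconnected":
            if att.ended is None:
                att.ended = ts
            del current[iface]
    return attempts


def summarize(attempts: List[Attempt]) -> Counter:
    """Count attempts per (outcome, termination reason)."""
    return Counter((a.outcome, a.reason) for a in attempts)


def report(attempts: List[Attempt]) -> str:
    lines = []
    for a in attempts:
        up = f" uptime={a.uptime}" if a.uptime is not None else ""
        lines.append(f"{a.started:%b %d %H:%M:%S} {a.iface} {a.outcome}{up} reason={a.reason}")
    for (outcome, reason), n in summarize(attempts).most_common():
        lines.append(f"{n}x {outcome}: {reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_attempts(SAMPLE_LOG)))
```

To use it on a real export, pass the log text to `parse_attempts` instead of `SAMPLE_LOG`, and set `year=` if the log is not from 2022.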
 
frank333
Member
Topic Author
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: How to maintain an always-on VPN.

Sat Dec 24, 2022 9:29 pm

This is the startup log; I will post below the one from when it crashes.
Dec 26 12:58:27 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerup
Dec 26 12:58:27 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP open
Dec 26 12:58:28 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP timer
Dec 26 12:58:29 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP timer
Dec 26 12:58:30 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP opened
Dec 26 12:58:30 x.x.x.x logger sstp,ppp,info sstp-out1: authenticated
Dec 26 12:58:30 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP lowerup
Dec 26 12:58:30 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP open
Dec 26 12:58:30 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP open
Dec 26 12:58:30 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP lowerup
Dec 26 12:58:30 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP open
Dec 26 12:58:30 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP open
Dec 26 12:58:30 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP lowerup
Dec 26 12:58:30 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP open
Dec 26 12:58:30 x.x.x.x logger sstp,ppp,debug sstp-out1: received unsupported protocol 0x8057
Dec 26 12:58:30 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP opened
Dec 26 12:58:30 x.x.x.x logger sstp,ppp,info sstp-out1: connected
Dec 26 14:27:30 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerdown
Dec 26 14:27:30 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP closed
Dec 26 14:27:30 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP lowerdown
Dec 26 14:27:30 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP lowerdown
Dec 26 14:27:30 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP down event in starting state
Dec 26 14:27:30 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP lowerdown
Dec 26 14:27:30 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP closed
Dec 26 14:27:30 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP lowerdown
Dec 26 14:27:30 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP close
Dec 26 14:27:30 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP close
Dec 26 14:27:30 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP close
Dec 26 14:27:30 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP close
Dec 26 14:27:30 x.x.x.x logger sstp,ppp,info sstp-out1: terminating... - connection timeout
Dec 26 14:27:31 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerdown
Dec 26 14:27:31 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP down event in starting state
Dec 26 14:27:31 x.x.x.x logger sstp,ppp,info sstp-out1: disconnected
Dec 26 14:27:31 x.x.x.x logger sstp,ppp,info sstp-out1: initializing...
Dec 26 14:27:31 x.x.x.x logger sstp,ppp,info sstp-out1: connecting...
Dec 26 14:27:34 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerup
Dec 26 14:27:34 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP open
Dec 26 14:27:35 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP timer
Dec 26 14:27:37 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP timer
Dec 26 14:27:37 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP opened
Dec 26 14:27:37 x.x.x.x logger sstp,ppp,info sstp-out1: authenticated
Dec 26 14:27:37 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP lowerup
Dec 26 14:27:37 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP open
Dec 26 14:27:37 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP open
Dec 26 14:27:37 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP lowerup
Dec 26 14:27:37 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP open
Dec 26 14:27:37 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP open
Dec 26 14:27:37 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP lowerup
Dec 26 14:27:37 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP open
Dec 26 14:27:37 x.x.x.x logger sstp,ppp,debug sstp-out1: received unsupported protocol 0x8057
Dec 26 14:27:38 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP opened
Dec 26 14:27:38 x.x.x.x logger sstp,ppp,info sstp-out1: connected
Dec 26 16:58:39 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerdown
Dec 26 16:58:39 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP closed
Dec 26 16:58:39 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP lowerdown
Dec 26 16:58:39 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP lowerdown
Dec 26 16:58:39 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP down event in starting state
Dec 26 16:58:39 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP lowerdown
Dec 26 16:58:39 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP closed
Dec 26 16:58:39 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP lowerdown
Dec 26 16:58:39 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP down event in starting state
Dec 26 16:58:39 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP lowerdown
Dec 26 16:58:39 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP close
Dec 26 16:58:39 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP close
Dec 26 16:58:39 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP close
Dec 26 16:58:39 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP close
Dec 26 16:58:39 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP close
Dec 26 16:58:39 x.x.x.x logger sstp,ppp,info sstp-out1: terminating... - connection timeout
Dec 26 16:58:39 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerdown
Dec 26 16:58:39 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP down event in starting state
Dec 26 16:58:39 x.x.x.x logger sstp,ppp,info sstp-out1: disconnected
Dec 26 16:58:39 x.x.x.x logger sstp,ppp,info sstp-out1: initializing...
Dec 26 16:58:39 x.x.x.x logger sstp,ppp,info sstp-out1: connecting...
Dec 26 16:58:46 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerup
Dec 26 16:58:46 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP open
Dec 26 16:58:47 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP timer
Dec 26 16:58:48 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP timer
Dec 26 16:58:49 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP opened
Dec 26 16:58:49 x.x.x.x logger sstp,ppp,info sstp-out1: authenticated
Dec 26 16:58:49 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP lowerup
Dec 26 16:58:49 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP open
Dec 26 16:58:49 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP open
Dec 26 16:58:49 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP lowerup
Dec 26 16:58:49 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP open
Dec 26 16:58:49 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP open
Dec 26 16:58:49 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP lowerup
Dec 26 16:58:49 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP open
Dec 26 16:58:49 x.x.x.x logger sstp,ppp,debug sstp-out1: received unsupported protocol 0x8057
Dec 26 16:58:49 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP opened
Dec 26 16:58:49 x.x.x.x logger sstp,ppp,info sstp-out1: connected
Dec 26 18:16:49 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerdown
Dec 26 18:16:49 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP closed
Dec 26 18:16:49 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP lowerdown
Dec 26 18:16:49 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP lowerdown
Dec 26 18:16:49 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP down event in starting state
Dec 26 18:16:49 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP lowerdown
Dec 26 18:16:49 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP closed
Dec 26 18:16:49 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP lowerdown
Dec 26 18:16:49 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP down event in starting state
Dec 26 18:16:49 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP lowerdown
Dec 26 18:16:49 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP close
Dec 26 18:16:49 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP close
Dec 26 18:16:49 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP close
Dec 26 18:16:49 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP close
Dec 26 18:16:49 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP close
Dec 26 18:16:49 x.x.x.x logger sstp,ppp,info sstp-out1: terminating... - connection timeout
Dec 26 18:16:50 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerdown
Dec 26 18:16:50 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP down event in starting state
Dec 26 18:16:50 x.x.x.x logger sstp,ppp,info sstp-out1: disconnected
Dec 26 18:16:51 x.x.x.x logger sstp,ppp,info sstp-out1: initializing...
Dec 26 18:16:51 x.x.x.x logger sstp,ppp,info sstp-out1: connecting...
Dec 26 18:17:01 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerup
Dec 26 18:17:01 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP open
Dec 26 18:17:02 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP timer
Dec 26 18:17:03 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP timer
Dec 26 18:17:04 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP opened
Dec 26 18:17:04 x.x.x.x logger sstp,ppp,info sstp-out1: authenticated
Dec 26 18:17:04 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP lowerup
Dec 26 18:17:04 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP open
Dec 26 18:17:04 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP open
Dec 26 18:17:04 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP lowerup
Dec 26 18:17:04 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP open
Dec 26 18:17:04 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP open
Dec 26 18:17:04 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP lowerup
Dec 26 18:17:04 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP open
Dec 26 18:17:04 x.x.x.x logger sstp,ppp,debug sstp-out1: received unsupported protocol 0x8057
Dec 26 18:17:04 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP opened
Dec 26 18:17:04 x.x.x.x logger sstp,ppp,info sstp-out1: connected
Dec 26 20:08:22 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerup
Dec 26 20:08:22 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP open
Dec 26 20:08:23 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP timer
Dec 26 20:08:24 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP timer
Dec 26 20:08:25 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerdown
Dec 26 20:08:25 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP close
Dec 26 20:08:25 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP close
Dec 26 20:08:25 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP close
Dec 26 20:08:25 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP close
Dec 26 20:08:25 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP close
Dec 26 20:08:25 x.x.x.x logger sstp,ppp,info sstp-out1: terminating... - aborted by peer
Dec 26 20:08:25 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerdown
Dec 26 20:08:25 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP down event in starting state
Dec 26 20:08:25 x.x.x.x logger sstp,ppp,info sstp-out1: disconnected
Dec 26 20:08:31 x.x.x.x logger sstp,ppp,info sstp-out1: initializing...
Dec 26 20:08:31 x.x.x.x logger sstp,ppp,info sstp-out1: connecting...
Dec 26 20:08:47 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerup
Dec 26 20:08:47 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP open
Dec 26 20:08:49 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP timer
Dec 26 20:08:50 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerdown
Dec 26 20:08:50 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP close
Dec 26 20:08:50 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP close
Dec 26 20:08:50 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP close
Dec 26 20:08:50 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP close
Dec 26 20:08:50 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP close
Dec 26 20:08:50 x.x.x.x logger sstp,ppp,info sstp-out1: terminating... - terminated by remote peer
Dec 26 20:08:50 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerdown
Dec 26 20:08:50 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP down event in starting state
Dec 26 20:08:50 x.x.x.x logger sstp,ppp,info sstp-out1: disconnected
Dec 26 20:09:00 x.x.x.x logger sstp,ppp,info sstp-out1: initializing...
Dec 26 20:09:00 x.x.x.x logger sstp,ppp,info sstp-out1: connecting...
Dec 26 20:09:22 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP close
Dec 26 20:09:22 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP close
Dec 26 20:09:22 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP close
Dec 26 20:09:22 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP close
Dec 26 20:09:22 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP close
Dec 26 20:09:22 x.x.x.x logger sstp,ppp,info sstp-out1: terminating... - aborted by peer
Dec 26 20:09:22 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerdown
Dec 26 20:09:22 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP down event in starting state
Dec 26 20:09:22 x.x.x.x logger sstp,ppp,info sstp-out1: disconnected
Dec 26 20:09:32 x.x.x.x logger sstp,ppp,info sstp-out1: initializing...
Dec 26 20:09:32 x.x.x.x logger sstp,ppp,info sstp-out1: connecting...
Dec 26 20:09:33 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerup
Dec 26 20:09:33 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP open
Dec 26 20:09:36 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP opened
Dec 26 20:09:36 x.x.x.x logger sstp,ppp,info sstp-out1: authenticated
Dec 26 20:09:36 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP lowerup
Dec 26 20:09:36 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP open
Dec 26 20:09:36 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP open
Dec 26 20:09:36 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP lowerup
Dec 26 20:09:36 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP open
Dec 26 20:09:36 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP open
Dec 26 20:09:36 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP lowerup
Dec 26 20:09:36 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP open
Dec 26 20:09:36 x.x.x.x logger sstp,ppp,debug sstp-out1: received unsupported protocol 0x8057
Dec 26 20:09:36 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerdown
Dec 26 20:09:36 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP closed
Dec 26 20:09:36 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP lowerdown
Dec 26 20:09:36 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP lowerdown
Dec 26 20:09:36 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP down event in starting state
Dec 26 20:09:36 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP lowerdown
Dec 26 20:09:36 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP lowerdown
Dec 26 20:09:36 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP down event in starting state
Dec 26 20:09:36 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP lowerdown
Dec 26 20:09:36 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP close
Dec 26 20:09:36 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP close
Dec 26 20:09:36 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP close
Dec 26 20:09:36 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP close
Dec 26 20:09:36 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP close
Dec 26 20:09:36 x.x.x.x logger sstp,ppp,info sstp-out1: terminating... - aborted by peer
Dec 26 20:09:36 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerdown
Dec 26 20:09:36 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP down event in starting state
Dec 26 20:09:36 x.x.x.x logger sstp,ppp,info sstp-out1: disconnected
Dec 26 20:09:46 x.x.x.x logger sstp,ppp,info sstp-out1: initializing...
Dec 26 20:09:46 x.x.x.x logger sstp,ppp,info sstp-out1: connecting...
Dec 26 20:10:05 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP close
Dec 26 20:10:05 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP close
Dec 26 20:10:05 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP close
Dec 26 20:10:05 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP close
Dec 26 20:10:05 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP close
Dec 26 20:10:05 x.x.x.x logger sstp,ppp,info sstp-out1: terminating... - aborted by peer
Dec 26 20:10:05 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerdown
Dec 26 20:10:05 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP down event in starting state
Dec 26 20:10:05 x.x.x.x logger sstp,ppp,info sstp-out1: disconnected
Dec 26 20:10:15 x.x.x.x logger sstp,ppp,info sstp-out1: initializing...
Dec 26 20:10:15 x.x.x.x logger sstp,ppp,info sstp-out1: connecting...
Dec 26 20:10:16 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerup
Dec 26 20:10:16 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP open
Dec 26 20:10:17 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP timer
Dec 26 20:10:19 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP timer
Dec 26 20:10:19 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP opened
Dec 26 20:10:19 x.x.x.x logger sstp,ppp,info sstp-out1: authenticated
Dec 26 20:10:19 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP lowerup
Dec 26 20:10:19 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP open
Dec 26 20:10:19 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP open
Dec 26 20:10:19 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP lowerup
Dec 26 20:10:19 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP open
Dec 26 20:10:19 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP open
Dec 26 20:10:19 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP lowerup
Dec 26 20:10:19 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP open
Dec 26 20:10:19 x.x.x.x logger sstp,ppp,debug sstp-out1: received unsupported protocol 0x8057
Dec 26 20:10:19 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerdown
Dec 26 20:10:19 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP closed
Dec 26 20:10:19 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP lowerdown
Dec 26 20:10:19 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP lowerdown
Dec 26 20:10:19 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP down event in starting state
Dec 26 20:10:19 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP lowerdown
Dec 26 20:10:19 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP lowerdown
Dec 26 20:10:19 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP down event in starting state
Dec 26 20:10:19 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP lowerdown
Dec 26 20:10:19 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP close
Dec 26 20:10:19 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP close
Dec 26 20:10:19 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP close
Dec 26 20:10:19 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP close
Dec 26 20:10:19 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP close
Dec 26 20:10:19 x.x.x.x logger sstp,ppp,info sstp-out1: terminating... - aborted by peer
Dec 26 20:10:19 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerdown
Dec 26 20:10:19 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP down event in starting state
Dec 26 20:10:19 x.x.x.x logger sstp,ppp,info sstp-out1: disconnected
Dec 26 20:10:29 x.x.x.x logger sstp,ppp,info sstp-out1: initializing...
Dec 26 20:10:29 x.x.x.x logger sstp,ppp,info sstp-out1: connecting...
Dec 26 20:10:30 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerup
Dec 26 20:10:30 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP open
Dec 26 20:10:31 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP timer
Dec 26 20:10:32 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP timer
Dec 26 20:10:33 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP opened
Dec 26 20:10:33 x.x.x.x logger sstp,ppp,info sstp-out1: authenticated
Dec 26 20:10:33 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP lowerup
Dec 26 20:10:33 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP open
Dec 26 20:10:33 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP open
Dec 26 20:10:33 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP lowerup
Dec 26 20:10:33 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP open
Dec 26 20:10:33 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP open
Dec 26 20:10:33 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP lowerup
Dec 26 20:10:33 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP open
Dec 26 20:10:33 x.x.x.x logger sstp,ppp,debug sstp-out1: received unsupported protocol 0x8057
Dec 26 20:10:33 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerdown
Dec 26 20:10:33 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP closed
Dec 26 20:10:33 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP lowerdown
Dec 26 20:10:33 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP lowerdown
Dec 26 20:10:33 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP down event in starting state
Dec 26 20:10:33 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP lowerdown
Dec 26 20:10:33 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP lowerdown
Dec 26 20:10:33 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP down event in starting state
Dec 26 20:10:33 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP lowerdown
Dec 26 20:10:33 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP close
Dec 26 20:10:33 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP close
Dec 26 20:10:33 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP close
Dec 26 20:10:33 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP close
Dec 26 20:10:33 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP close
Dec 26 20:10:33 x.x.x.x logger sstp,ppp,info sstp-out1: terminating... - aborted by peer
Dec 26 20:10:33 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerdown
Dec 26 20:10:33 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP down event in starting state
Dec 26 20:10:33 x.x.x.x logger sstp,ppp,info sstp-out1: disconnected
Dec 26 20:10:43 x.x.x.x logger sstp,ppp,info sstp-out1: initializing...
Dec 26 20:10:43 x.x.x.x logger sstp,ppp,info sstp-out1: connecting...
Dec 26 20:10:53 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP close
Dec 26 20:10:53 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP close
Dec 26 20:10:53 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP close
Dec 26 20:10:53 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP close
Dec 26 20:10:53 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP close
Dec 26 20:10:53 x.x.x.x logger sstp,ppp,info sstp-out1: terminating... - could not resolve name
Dec 26 20:10:53 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerdown
Dec 26 20:10:53 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP down event in starting state
Dec 26 20:10:53 x.x.x.x logger sstp,ppp,info sstp-out1: disconnected
Dec 26 20:11:03 x.x.x.x logger sstp,ppp,info sstp-out1: initializing...
Dec 26 20:11:03 x.x.x.x logger sstp,ppp,info sstp-out1: connecting...
Dec 26 20:11:18 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP close
Dec 26 20:11:18 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP close
Dec 26 20:11:18 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP close
Dec 26 20:11:18 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP close
Dec 26 20:11:18 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP close
Dec 26 20:11:18 x.x.x.x logger sstp,ppp,info sstp-out1: terminating... - aborted by peer
Dec 26 20:11:18 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerdown
Dec 26 20:11:18 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP down event in starting state
Dec 26 20:11:18 x.x.x.x logger sstp,ppp,info sstp-out1: disconnected
Dec 26 20:11:28 x.x.x.x logger sstp,ppp,info sstp-out1: initializing...
Dec 26 20:11:28 x.x.x.x logger sstp,ppp,info sstp-out1: connecting...
Dec 26 20:11:50 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerup
Dec 26 20:11:50 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP open
Dec 26 20:11:51 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP timer
Dec 26 20:11:52 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP timer
Dec 26 20:11:53 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP opened
Dec 26 20:11:53 x.x.x.x logger sstp,ppp,info sstp-out1: authenticated
Dec 26 20:11:53 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP lowerup
Dec 26 20:11:53 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP open
Dec 26 20:11:53 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP open
Dec 26 20:11:53 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP lowerup
Dec 26 20:11:53 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP open
Dec 26 20:11:53 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP open
Dec 26 20:11:53 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP lowerup
Dec 26 20:11:53 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP open
Dec 26 20:11:53 x.x.x.x logger sstp,ppp,debug sstp-out1: received unsupported protocol 0x8057
Dec 26 20:11:53 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerdown
Dec 26 20:11:53 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP closed
Dec 26 20:11:53 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP lowerdown
Dec 26 20:11:53 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP lowerdown
Dec 26 20:11:53 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP down event in starting state
Dec 26 20:11:53 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP lowerdown
Dec 26 20:11:53 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP lowerdown
Dec 26 20:11:53 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP down event in starting state
Dec 26 20:11:53 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP lowerdown
Dec 26 20:11:53 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP close
Dec 26 20:11:53 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP close
Dec 26 20:11:53 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP close
Dec 26 20:11:53 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP close
Dec 26 20:11:53 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP close
Dec 26 20:11:53 x.x.x.x logger sstp,ppp,info sstp-out1: terminating... - aborted by peer
Dec 26 20:11:53 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerdown
Dec 26 20:11:53 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP down event in starting state
Dec 26 20:11:53 x.x.x.x logger sstp,ppp,info sstp-out1: disconnected
Dec 26 20:12:03 x.x.x.x logger sstp,ppp,info sstp-out1: initializing...
Dec 26 20:12:03 x.x.x.x logger sstp,ppp,info sstp-out1: connecting...
Dec 26 20:12:07 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerup
Dec 26 20:12:07 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP open
Dec 26 20:12:08 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP timer
Dec 26 20:12:09 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP timer
Dec 26 20:12:10 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP opened
Dec 26 20:12:10 x.x.x.x logger sstp,ppp,info sstp-out1: authenticated
Dec 26 20:12:10 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP lowerup
Dec 26 20:12:10 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP open
Dec 26 20:12:10 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP open
Dec 26 20:12:10 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP lowerup
Dec 26 20:12:10 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP open
Dec 26 20:12:10 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP open
Dec 26 20:12:10 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP lowerup
Dec 26 20:12:10 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP open
Dec 26 20:12:10 x.x.x.x logger sstp,ppp,debug sstp-out1: received unsupported protocol 0x8057
Dec 26 20:12:10 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerdown
Dec 26 20:12:10 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP closed
Dec 26 20:12:10 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP lowerdown
Dec 26 20:12:10 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP lowerdown
Dec 26 20:12:10 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP down event in starting state
Dec 26 20:12:10 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP lowerdown
Dec 26 20:12:10 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP lowerdown
Dec 26 20:12:10 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP down event in starting state
Dec 26 20:12:10 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP lowerdown
Dec 26 20:12:10 x.x.x.x logger sstp,ppp,debug sstp-out1: CCP close
Dec 26 20:12:10 x.x.x.x logger sstp,ppp,debug sstp-out1: BCP close
Dec 26 20:12:10 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP close
Dec 26 20:12:10 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP close
Dec 26 20:12:10 x.x.x.x logger sstp,ppp,debug sstp-out1: MPLSCP close
Dec 26 20:12:10 x.x.x.x logger sstp,ppp,info sstp-out1: terminating... - aborted by peer
Dec 26 20:12:10 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerdown
Dec 26 20:12:10 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP down event in starting state
Dec 26 20:12:10 x.x.x.x logger sstp,ppp,info sstp-out1: disconnected
Dec 26 20:12:20 x.x.x.x logger sstp,ppp,info sstp-out1: initializing...
Dec 26 20:12:20 x.x.x.x logger sstp,ppp,info sstp-out1: connecting...
Dec 26 20:12:54 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerup
Dec 26 20:12:54 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP open
Dec 26 20:12:55 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP timer
Dec 26 20:12:57 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP timer
Dec 26 20:12:57 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP opened
Dec 26 20:12:57 x.x.x.x logger sstp,ppp,info sstp-out1: authenticated
Dec 26 20:12:57 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP lowerup
Dec 26 20:12:57 x.x.x.x logger sstp,ppp,debug sstp-out1: IPCP open
Dec 26 20:12:57 x.x.x.x logger sstp,ppp,debug sstp-out1: IPV6CP open
Last edited by frank333 on Mon Dec 26, 2022 9:27 pm, edited 2 times in total.
 
Amm0
Forum Guru
Posts: 3253
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: How to maintain an always-on VPN.

Sat Dec 24, 2022 11:01 pm

Are you using IPV6? Because the SSTP is trying to use it, likely harmless but there is a message about it in the logs. To disable it, you can change the PPP > Profile for "default-encryption" dialog, under "Protocols" tab, from "Use IPv6" to "no" to disable IPV6.
 
frank333
Member
Topic Author
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: How to maintain an always-on VPN.

Sun Dec 25, 2022 12:29 am

no, I'm not using ipv6 (I don't even have the package installed), in PPP--->Profiles I can't find the entry for IPV6; however the connection has not been disconnected yet
 
Amm0
Forum Guru
Posts: 3253
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: How to maintain an always-on VPN.

Sun Dec 25, 2022 12:48 am

> no, I'm not using ipv6 (I don't even have the package installed), in PPP--->Profiles I can't find the entry for IPV6; however the connection has not been disconnected yet
American expression: A watched pot never boils.

Re IPv6, The "IPV6CP open" and "received unsupported protocol 0x8057" imply the SSTP is trying to negotiate IPv6 (and likely ignored since you don't have the package). But should be there:

Image

The top line above should be "no". You need to double-click the "default-encrypted". I'd imagine the IPv6 attempt is harmless, but if it drops, you can try that - can't hurt, but may not help.
 
frank333
Member
Topic Author
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: How to maintain an always-on VPN.

Sun Dec 25, 2022 12:55 am

ppp.png
it gives an error in the logs but it has connected correctly in ipv4 i have an ip 222.x.x.x
 
Amm0
Forum Guru
Posts: 3253
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: How to maintain an always-on VPN.

Sun Dec 25, 2022 1:07 am

Hmm. In 6.49.5 (stable) it has the "use IPv6" setting, but your long-term doesn't, curious... But I don't think that's your problem - it connects. What happens when it disconnects will hopefully be more telling about the problem here.
 
frank333
Member
Topic Author
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: How to maintain an always-on VPN.

Sun Dec 25, 2022 1:37 am

nothing won't disconnect, I'll start again in the morning if the log buffer is totally full ,for now thanks for the support :)
 
frank333
Member
Topic Author
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: How to maintain an always-on VPN.

Mon Dec 26, 2022 11:52 am

  • The vpn this time crashed (and did not reconnect) overnight so I could not log .
  • Now I use a remote syslog and I hope to capture some information.
  • From the logs I've updated here viewtopic.php?p=974001#p974001 I've seen that yesterday it reconnected successfully , then I have the doubt that it only hangs when there is a LTE cell change (the phone operator turns off some, does it to save energy :? ) since the script reported it around 3am.
  • I need to find an easy way to get it to reactivate even with these interruptions; from anav's post above though I can't make adjustments for sstp.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to maintain an always-on VPN.

Mon Dec 26, 2022 12:15 pm

/interface sstp-client monitor sstp-out1 once can give you plenty of information.

If ([interface sstp-client monitor sstp-out1 once as-value]->"status") differs from connected, you know the tunnel is down; if it says connected, you can ping the address returned by ([interface sstp-client monitor sstp-out1 once as-value]->"remote-address") to see whether the tunnel is indeed transparent.
 
frank333
Member
Topic Author
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: How to maintain an always-on VPN.

Mon Dec 26, 2022 1:52 pm

hello sindy, I put this line in scheduler every minute
:if ([interface sstp-client monitor sstp-out1 once as-value]->"status") != connected do={/interface set sstp-out1 disabled=no}
but it returns syntax error
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to maintain an always-on VPN.

Mon Dec 26, 2022 4:23 pm

Not enough brackets, you need :if ( (some expression) != "some value" ) do={some commands}
Because the complete command is something like :if condition=( (some expression) != "some value" ) do={some commands}
 
Amm0
Forum Guru
Posts: 3253
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: How to maintain an always-on VPN.

Mon Dec 26, 2022 4:41 pm

Worth a shot, but I'm not sure "enable=yes" (even after the () syntax is fixed) is going to do much. e.g. re-enabling something already enabled should have no effect, but who knows. And @sindy is right, looking at the "monitor" is helpful – BEFORE trying to re-enable by hand might also tell you something without waiting for logs.

You mention LTE, now that can get "stuck" and maybe the VPN is just a side-effect. Is that showing up as a LTE interface (e.g. via USB) or are you using ethernet to some LTE router/hotspot?

The other thing to try is adding a netwatch script to ping the internet every 10 seconds, that might keep your LTE up if you're worried about power-saving. Or changing the SSTP timeout setting.

But if the enable=yes etc. doesn't work, you'd want to increase log size (RB3011 should have plenty of memory) as it's really hard to guess at what's going on. If you have an LTE interface appearing, for sure add that to the logs too.
/system logging action add memory-lines=10000 name=mem10000 target=memory
/system logging add topics=lte,debug,!packet,!raw action=mem10000
and change the logging settings for the sstp already to use "mem10000" – this will store up to 10,000 lines in memory.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to maintain an always-on VPN.

Mon Dec 26, 2022 8:26 pm

> You mention LTE, now that can get "stuck" and maybe the VPN is just a side-effect.
The OP says that a manual restart of the SSTP helps, so it should not be caused by a frozen LTE.

> But if the enable=yes etc. doesn't work
Surprisingly, /interface sstp-client enable xyz does restart the SSTP interface even if issued when it has already been running. It never came to my mind to test that, but I did now (6.48.6).
 
frank333
Member
Topic Author
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: How to maintain an always-on VPN.

Mon Dec 26, 2022 10:24 pm

@sindy
I modified the script in the two ways below but it still doesn't work
:if (((interface sstp-client monitor sstp-out1 once as-value)->"status") != "connected") do={/interface set sstp-out1 disabled=no}
:if (((interface sstp-client monitor sstp-out1 once as-value)->"status") != "connected") do={/interface sstp-client enable sstp-out1}
I get this below and the vpn remains blocked (of course if I manually restart the sstp-out1 interface it works again)
vpn.png
@Amm0
The vpn stopped at 20:08 I updated the log here viewtopic.php?p=974001#p974001 but I didn't notice anything particular.
I enabled remote logging of 3011 on an external syslog server so it can log for days and days .
In terms of LTE, I have an RBM11G card with a Quectel modem outside and connected via an FTP cable and powered with PoE from port 10 of the RB3011
 
Amm0
Forum Guru
Posts: 3253
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: How to maintain an always-on VPN.  [SOLVED]

Mon Dec 26, 2022 10:33 pm

Nothing jumps out at me in the logs.

I didn't test this, but you can manually disable/reenable it in your script. I added some delay so it has a chance to come up before potentially looping, not ideal but let's see if that works at least first.
:if (([/interface sstp-client monitor sstp-out1 once as-value]->"status") != "connected") do={/interface sstp-client { disable sstp-out1; :delay 10s; enable sstp-out1; :delay 30s}}
edit: V6 = use spaces...
edit 2: using square brackets, perhaps () works too but IDK
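
The status check and the tunnel ping that sindy describes, combined with the disable/delay/enable cycle from the one-liner above, as a multi-line scheduler script. This is an added example, not code posted by anyone in the thread; the interface name sstp-out1 comes from the thread, while the global variable name, the log prefix and the two delay variables are assumptions made for the example.

```routeros
# Added example: SSTP watchdog for the RouterOS scheduler (v6 path syntax).
# Assumed names: sstpWatchdogBusy, the "sstp-watchdog" log prefix,
# downTime and settleTime. Only sstp-out1 comes from the thread.
:global sstpWatchdogBusy
:local iface "sstp-out1"
# Pause between disable and enable; the one-liner above uses 10s.
:local downTime 10s
# Time given to the tunnel to come back before this run ends.
:local settleTime 30s

# Skip this run while an earlier run is still inside its restart cycle,
# so a short scheduler interval cannot toggle the interface mid-wait.
:if ($sstpWatchdogBusy != true) do={
    :set sstpWatchdogBusy true
    :do {
        :local mon [/interface sstp-client monitor $iface once as-value]
        :local status ($mon->"status")
        :local restart false

        :if ($status != "connected") do={
            :log warning ("sstp-watchdog: " . $iface . " status=" . [:tostr $status])
            :set restart true
        } else={
            # The client reports "connected": check that the tunnel really
            # passes traffic by pinging the remote end of the PPP link.
            :local peer ($mon->"remote-address")
            :if ([/ping $peer count=3] = 0) do={
                :log warning ("sstp-watchdog: no ping reply from " . [:tostr $peer])
                :set restart true
            }
        }

        :if ($restart) do={
            /interface sstp-client disable $iface
            :delay $downTime
            /interface sstp-client enable $iface
            :delay $settleTime
            :local after ([/interface sstp-client monitor $iface once as-value]->"status")
            :log info ("sstp-watchdog: status after restart=" . [:tostr $after])
        }
    } on-error={
        :log error "sstp-watchdog: run failed"
    }
    # Always release the guard, including after an error.
    :set sstpWatchdogBusy false
}
```

The log entries give a timestamp for every detected outage, which can be matched against the sstp,ppp debug lines when looking for the cause of a drop.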
 
frank333
Member
Topic Author
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: How to maintain an always-on VPN.

Mon Dec 26, 2022 11:28 pm

@Amm0,
The script works perfectly , reactivated the connection correctly :D , let's see tonight what happens.
I did not understand this: edit: V6 = use spaces...
 
Amm0
Forum Guru
Posts: 3253
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: How to maintain an always-on VPN.

Mon Dec 26, 2022 11:30 pm

> @Amm0,
> The script works perfectly , reactivated the connection correctly :D , let's see tonight what happens.
> I did not understand this: edit: V6 = use spaces...
Typo. I use v7.x of RouterOS mainly... So "/interface/sstp-client" is fine in V7, while it needs to be "/interface sstp-client" in V6...
 
frank333
Member
Topic Author
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: How to maintain an always-on VPN.

Tue Dec 27, 2022 1:20 pm

@Amm0,
  • ok now I understand for V6 ...V7 version ; I would like to switch to V7 on RB3011 but I have read too many negative experiences .
  • This morning I found the vpn disconnected despite the script , I manually relaunched the script but it didn't work . I disabled the sstp-out1 interface for about 10 minutes and I reenabled it and it worked again.
  • Then I modified the script by increasing the first delay to 300 seconds because I'm thinking that some time must pass between the disabling and the enabling of the interface.
  • there's nothing particular in the logs
  • I want to specify that: the traffic on the vpn is a few Kbs but constant, the latency of the LTE connection remains between 12 and 20 ms,I have never exceeded the free traffic thresholds from those allowed, and that sporadically the telephone operator during the night drops the connection.
 
Amm0
Forum Guru
Posts: 3253
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: How to maintain an always-on VPN.

Tue Dec 27, 2022 2:39 pm

I wasn't necessarily suggesting V7 - just my fingers are used to the / syntax.

Yeah I was worried a script might not fix this. I've never needed a script with SSTP – it does automatically restart, just slowly as @sindy points out. By "slow" meaning a minute or so - not 10+ minutes.

Totally believe LTE is stable/unrelated. But I still add a netwatch script to ping something via LTE - just to confirm what ping is doing when SSTP goes out & simple to have a double-check.

The only thing I'm left with is firewall. Again your VPN provider's code is pretty simple and works for a while... & normally firewall problems show up quick. But "nl.hide.me" is a CNAME that does seem to return different IPs is why I suggest this. If the VPN host was changing IP addresses on you when it tries to come back up, connection tracking might still be using an old IP address and that might take time to flush out - just an idea. Now NAT masquerade should cleanup upon an IP change, but perhaps it's a catch22 that it only flushes when it gets a NEW address, dunno.

Anyway you can look at "/ip firewall connections" in winbox and see if you can find the SSTP tunnel - if one is there, and SSTP is down, try deleting the firewall connection for SSTP & see if SSTP recovers. If that does fix it, we go from there.
 
frank333
Member
Topic Author
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: How to maintain an always-on VPN.

Tue Dec 27, 2022 5:34 pm

  • as you may have seen from the logs I had several interruptions, in fact I turned off and restarted the vpn several times, but it always resumed, I turned off and restarted the LTE connection in order to change ip several times but it always resumed.
  • My belief is that only when a particular event happens either caused by the phone provider or the vpn server the sstp crashes. I looked in /ip firewall connections but there is no sstp connection present (I also did a test disabling and enabling sstp-out1).
  • I will check when it crashes .
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to maintain an always-on VPN.

Tue Dec 27, 2022 6:29 pm

> I've never needed a script with SSTP – it does automatically restart, just slowly as @sindy points out. By "slow" meaning a minute or so - not 10+ minutes.
Actually, my experience is that it takes the server side those 10 minutes to give up on the connection if the client is really dead; the client detects the failure much faster, in about 2 minutes, and attempts to reconnect immediately.

> The only thing I'm left with is firewall. ... But "nl.hide.me" is a CNAME that does seem to return different IPs is why I suggest this. If the VPN host was changing IP addresses on you when it tries to come back up, connection tracking might still be using an old IP address and that might take time to flush out - just an idea. Now NAT masquerade should cleanup upon an IP change, but perhaps it's a catch22 that it only flushes when it gets a NEW address, dunno.
  • As for connection tracking, it's a clear no. Each new SSTP connection attempt uses a different local TCP port than the previous one, so it doesn't match the tracked connection created by the previous one. With IPsec, it's a different story - it's UDP and since the IPsec stack keeps trying much more frequently than the default UDP timeout is, the tracked connection stays there "forever" (unless its reply-dst-address has been assigned by an action=masquerade rule)
  • As for removal of tracked connections whose reply-dst-address assigned by an action=masquerade rule doesn't match any of the own addresses of the router, this happens as soon as the address is lost, not as late as when it is replaced.
  • The remark about the resolution of nl.hide.me changing frequently made me think of the following - what I can imagine, but cannot test without creating an account there, is that the SSTP client doesn't re-resolve the server's fqdn to an IP number if reconnecting automatically. If so, the connection breaks for some external reason, the client detects it and attempts to reconnect, but to the same address like before, which rejects the connection (as the screenshot in post #27 suggests). So I'd recommend to investigate in this direction - it would require to start sniffing both the DNS traffic and the SSTP traffic into a file several hours after a successful connection, intentionally break the connection using a rule in chain output of /ip firewall filter matching on the src-port of the currently active connection, and wait for 2+ minutes to see whether the connection renews and if yes, see whether the sniff contains a DNS query to nl.hide.me before the SYN to the SSTP port. The sniff file may be huge as the SSTP port is the same like the HTTPS one and you cannot restrict the sniff to particular IP addresses.
 
frank333
Member
Topic Author
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: How to maintain an always-on VPN.

Tue Dec 27, 2022 7:29 pm

sniff.png
  • I started sniffing, filtered on ports 443 and 53 but for now wireshark didn't catch anything even if I tried to open https pages.
  • If I don't do port filtering I see all the traffic and I found out that I'm connected to this ip 146.70.118.54 (free-de.hideservers.net) and not to nl.hide.me - I don't know if it's important-
  • I continue with sniffing even if I didn't understand how to do the rule on the firewall to interrupt the vpn.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to maintain an always-on VPN.

Tue Dec 27, 2022 7:45 pm

> • I started sniffing, filtered on ports 443 and 53 but for now wireshark didn't catch anything even if I tried to open https pages.
By sniffing on sstp-out1, you sniff the payload traffic of the tunnel - that's useless. You have to sniff the SSTP transport packets and the DNS traffic on the WAN interface. If your Mikrotik eventually uses some DNS server in LAN, you have to sniff also on the corresponding interface.

> • If I don't do port filtering I see all the traffic and I found out that I'm connected to this ip 146.70.118.54 (free-de.hideservers.net) and not to nl.hide.me - I don't know if it's important-
It is important in terms that you'll see whether the next connection attempt, after you break the current connection, will go to the same address or to another one. If it connects to another one, it means my assumption is wrong and the SSTP stack re-resolves the fqdn to an IP number even when auto-reconnecting; if it connects to the same one again, it becomes important whether the sniff shows the DNS query or not.

> • I continue with sniffing even if I didn't understand how to do the rule on the firewall to interrupt the vpn.
You have to do the following:
/ip firewall filter add chain=output protocol=tcp src-port=the-current-local-port-as-seen-in-the-sniff dst-port=443 dst-address=146.70.118.54 action=drop

This rule will drop the SSTP transport packets of the current connection, so the client will stop receiving responses to them and thus consider the connection to be dead and initiate a new one.
 
frank333
Member
Topic Author
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: How to maintain an always-on VPN.

Tue Dec 27, 2022 9:23 pm

sniff1.png
/ip firewall filter add chain=output protocol=tcp src-port=37008 dst-port=443 dst-address=146.70.118.54 action=drop
This rule above I put it at the end of all the others at firewall .
  • Now things get complicated ... I set it up the way above; the mikrotik runs all the sniffed traffic on my computer with wireshark on udp port 37008 I can see all the TLSv1.2 and DNS traffic on the lan but when I activate the firewall rule the capture doesn't stop.
  • As you may have guessed I am incapable of using wireshark.
  • The exit ip 146.70.118.54 changed after I disabled and re-enabled the interface manually.
Last edited by frank333 on Tue Dec 27, 2022 9:48 pm, edited 2 times in total.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to maintain an always-on VPN.

Tue Dec 27, 2022 9:41 pm

> when I activate the firewall rule the capture doesn't stop.
It is perfectly OK that the capture doesn't stop - all traffic keeps going, except the SSTP transport packets sent by the Mikrotik itself. Even the SSTP transport packets from the server that are not responses to ones sent by the Mikrotik will keep coming. But after about 2 minutes, the Mikrotik will initiate a new SSTP transport connection. It may be difficult to find that in the capture if there is a lot of other traffic.

So I'd say give it 3 minutes after activating the rule, and run /interface sstp-client monitor sstp-out1 once. If it shows an uptime of less than three minutes or that the interface is down, it means that the rule did do its job. If it is the case, stop the capture and use a display filter dns.qry.name == "nl.hide.me" in Wireshark. If the packet list shows just a DNS query and response with a recent time, it means my assumption was wrong.
 
frank333
Member
Topic Author
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: How to maintain an always-on VPN.

Tue Dec 27, 2022 10:50 pm

sstpfirewall.png
snif2.png
the rule of the firewall does not work as you can see from the counter that remains at zero, I waited 10 minutes but nothing happened, then I disabled by hand sstp-out1 and the script after a few minutes has reconnected and wireshark has obtained what you see above, I noticed that the address 217..2 is different from the one before the forced disconnection glimpsed in the TLS traffic sniffed that was 217..10
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to maintain an always-on VPN.

Wed Dec 28, 2022 9:54 am

Ah, now it makes more sense. 37008 is the source port of the TZSP packets that are used to deliver the copies of the "real" packets across a routed network; the drop rule must match on the source TCP port of the SSTP transport packets the Mikrotik sends to the SSTP server. Whereas their destination port is always 443, their source port is unique for each connection. So while the "old" connection is running, you have to click the SSTP transport packet in the packet list, find the source port of the TCP packet in the dissection pane, and set that one as the src-port in the drop rule.

Also, to see what really happens, you must disable your auto-recovery script before doing the experiment - disabling and re-enabling the /interface sstp-client row definitely spawns a new DNS query and the script would do that if running.
 
frank333
Member
Topic Author
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: How to maintain an always-on VPN.

Wed Dec 28, 2022 3:51 pm

droprule.png
mark sstp _manglerule.png
connection firewall.png
dnsquery.png
  • The good news is that the script of Amm0 modified with a delay of 300s between disable and enable works fine, this morning I found the vpn perfectly connected, but I don't find any traffic marked SSTP; in firewall --->connections, I have only connection mark wan 1 and wan2,(I have two wan of which one is disabled) even if I have a rule that should make the sstp mark.
  • I disabled the script.
  • So I did this: I captured some traffic with wireshark I looked for TLSv1.2 type traffic, checked that it came from the vpn I intercepted the port and inserted the whole thing in the drop rule.
  • The vpn connection is dropped and capturing for a few minutes and filtering the traffic with dns.qry.name == "free-de.hideservers.net" I extract and read a new IP different from the previous one.
  • I think I haven't messed up now.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to maintain an always-on VPN.

Wed Dec 28, 2022 4:16 pm

> • The good news is that the script of Amm0 modified with a delay of 300s between disable and enable works fine, this morning I found the vpn perfectly connected, but I don't find any traffic marked SSTP; in firewall --->connections, I have only connection mark wan 1 and wan2,(I have two wan of which one is disabled) even if I have a rule that should make the sstp mark.
The rule assigns a routing mark; the /ip firewall connection print shows a connection mark if assigned. So if there is bi-directional traffic on the sstp-out1 interface, the action=mark-routing rule most likely works. But since you have set passthrough=yes in that rule, it is possible that the routing mark for SSTP gets later rewritten to another one for some packets. I'd have to see the complete configuration to be sure.
> • I disabled the script.
> • So I did this: I captured some traffic with wireshark I looked for TLSv1.2 type traffic, checked that it came from the vpn I intercepted the port and inserted the whole thing in the drop rule.
> • The vpn connection is dropped and capturing for a few minutes and filtering the traffic with dns.qry.name == "free-de.hideservers.net" I extract and read a new IP different from the previous one.
So to recap - you've disabled the script and used a correct drop rule. This has caused the current SSTP connection to drop, and the SSTP stack did use a DNS query to obtain the IP address of the server when auto-reconnecting. What happened next? Did the tunnel come up on its own or you had to disable and re-enable it manually (or re-enable the disabled script) to make it come up?
 
frank333
Member
Topic Author
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: How to maintain an always-on VPN.

Wed Dec 28, 2022 4:19 pm

was automatically reactivated within seconds.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to maintain an always-on VPN.

Wed Dec 28, 2022 4:25 pm

Hm, so it means that something else happens when it fails "spontaneously". Only sniffing during a "spontaneous" failure can tell us more. But as you seem not to mind a 5 min. outage, the current version of the script may be a sufficient workaround?

In any case, don't forget to remove the drop rule.
 
frank333
Member
Topic Author
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: How to maintain an always-on VPN.

Wed Dec 28, 2022 4:34 pm

  • Yes, the script that interrupts for 5 minutes seems to work; I have no alternative. The connection of the host remains unencrypted for that period, but it's not a problem.
  • Yes, I disabled the drop rule immediately after use.
  • Here are my mangle rules:

/ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; test_speedtest.net (server 88.149.202.248)
      chain=postrouting action=passthrough routing-mark=to_WAN1 protocol=tcp dst-address-list=speedtest log=no log-prefix="" 

 1    chain=postrouting action=passthrough routing-mark=to_WAN2 protocol=tcp dst-address-list=speedtest log=no log-prefix="" 

 2    ;;; list connection balance
      chain=postrouting action=add-dst-to-address-list address-list=use-WAN1 address-list-timeout=1h out-interface=ether1-WAN1 
      log=no log-prefix="" 

 3    chain=postrouting action=add-dst-to-address-list address-list=use-WAN2 address-list-timeout=1h out-interface=ether10-RB11 
      log=no log-prefix="" 

 4 X  chain=prerouting action=mark-connection new-connection-mark=WAN1_conn passthrough=yes dst-address-list=use-WAN1 log=no 
      log-prefix="" 

 5 X  chain=prerouting action=mark-connection new-connection-mark=WAN2_conn passthrough=yes dst-address-list=use-WAN2 

 6 X  ;;; Allocate specific WAN connection to host
      chain=prerouting action=mark-connection new-connection-mark=WAN1_conn passthrough=yes src-address=10.0.0.202 
      dst-address-type=!local connection-mark=no-mark in-interface=bridge 

 7    ;;; PCC for LTE
      chain=input action=mark-connection new-connection-mark=WAN1_conn connection-mark=no-mark in-interface=ether1-WAN1 

 8    chain=input action=mark-connection new-connection-mark=WAN1_conn passthrough=yes connection-mark=no-mark 
      in-interface=ether10-RB11 log=no log-prefix="" 

 9    chain=output action=mark-routing new-routing-mark=to_WAN1 connection-mark=WAN1_conn 

10    chain=output action=mark-routing new-routing-mark=to_WAN2 connection-mark=WAN2_conn 

11    chain=prerouting action=mark-connection new-connection-mark=WAN1_conn passthrough=yes dst-address-list=!connected-subnets 
      connection-mark=no-mark in-interface=bridge per-connection-classifier=both-addresses-and-ports:2/0 log=no log-prefix="" 

12    chain=prerouting action=mark-connection new-connection-mark=WAN2_conn passthrough=yes dst-address-list=!connected-subnets 
      connection-mark=no-mark in-interface=bridge per-connection-classifier=both-addresses-and-ports:2/1 log=no log-prefix="" 

13    chain=prerouting action=mark-routing new-routing-mark=to_WAN1 passthrough=yes connection-mark=WAN1_conn in-interface=bridge 

14    chain=prerouting action=mark-routing new-routing-mark=to_WAN2 passthrough=yes connection-mark=WAN2_conn in-interface=bridge 

15 X  ;;; redirect sip pcfrank, to VPN 
      chain=prerouting action=mark-routing new-routing-mark=vpn passthrough=yes protocol=udp src-address=10.0.0.152 
      src-port=5060 log=no log-prefix="" 

16 X  ;;; redirect server1 to vpn
      chain=prerouting action=mark-routing new-routing-mark=vpn passthrough=yes protocol=tcp src-address=10.0.0.108 log=no 
      log-prefix="" 

17 X  ;;; cell f-->vpn
      chain=prerouting action=mark-routing new-routing-mark=vpn passthrough=yes protocol=tcp src-address=10.0.0.136 log=no 
      log-prefix="" 

18 X  ;;; alexa to vpn
      chain=prerouting action=mark-routing new-routing-mark=vpn passthrough=yes protocol=tcp src-address=10.0.0.105 log=no 
      log-prefix="" 

19 X  chain=prerouting action=mark-routing new-routing-mark=vpn passthrough=yes protocol=tcp src-address=10.0.0.123 log=no 
      log-prefix="" 

20    ;;; server108 to vpn
      chain=prerouting action=mark-routing new-routing-mark=SSTP passthrough=yes protocol=tcp src-address=10.0.0.108 log=no 
      log-prefix=""
Last edited by frank333 on Wed Dec 28, 2022 4:53 pm, edited 3 times in total.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to maintain an always-on VPN.

Wed Dec 28, 2022 4:47 pm

  • the connection of the host remains unencrypted for that period but it's not a problem.
Once the tunnel goes down, the remote server starts receiving packets coming from your local client with a different source address (the public IP from your ISP range instead of the public IP from the VPN server range), so the connection fails and re-establishes; once the tunnel comes back up, the same happens again.


  • here are my mangle rules
I cannot see the rule with action=mark-routing new-routing-mark=SSTP there, nor any other rules assigning a routing-mark in prerouting - a copy-paste error?
 
frank333
Member
Topic Author
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: How to maintain an always-on VPN.

Wed Dec 28, 2022 4:55 pm

  • so my isp's ip stays visible for 5 minutes.
  • I corrected it above. It was a copy paste error.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to maintain an always-on VPN.

Wed Dec 28, 2022 5:30 pm

  • so my isp's ip stays visible for 5 minutes.
If the reconnection doesn't matter, it's indeed the only harm.

  • I corrected it above. It was a copy paste error.
OK. Since the rule assigning the routing mark SSTP is the last one, nothing can rewrite that routing mark.
 
frank333
Member
Topic Author
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: How to maintain an always-on VPN.

Wed Dec 28, 2022 6:25 pm

  • OK. Since the rule assigning the routing mark SSTP is the last one, nothing can rewrite that routing mark.
So by moving it on top of the rules that mark wans, could it mark SSTP traffic correctly?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to maintain an always-on VPN.

Wed Dec 28, 2022 7:15 pm

The rule assigning the routing mark SSTP is fine as it is - it is the last one in the prerouting chain, so no further rule can change its verdict, and all the previous rules in that chain that match on the same traffic and assign any routing mark have passthrough set to yes, so even if they match and assign some routing mark, this last rule rewrites that routing mark to SSTP.
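
A simplified model of the evaluation order described in the post above, added here as an example and not part of the original thread or MikroTik's code. It replays the enabled prerouting rules 11-14 and 20 from the posted print against constructed packets; the `pcc` field, the two reordered rule sets and the assumption that the destination is outside `connected-subnets` are hypothetical.

```python
# Simplified model of RouterOS mangle evaluation (assumption-based sketch, not
# MikroTik code): rules run top to bottom, a matching rule applies its action,
# and the chain stops only when that rule has passthrough=no.

def rule(rid, action, new, passthrough=True, **match):
    return {"id": rid, "action": action, "new": new,
            "passthrough": passthrough, "match": match}

def run_chain(rules, pkt):
    """Return (connection_mark, routing_mark, ids_of_matching_rules)."""
    state = {"conn_mark": pkt.get("conn_mark", "no-mark"), "routing_mark": None}
    hits = []
    for r in rules:
        view = {**pkt, **state}  # later rules see marks set by earlier ones
        if any(view.get(k) != v for k, v in r["match"].items()):
            continue
        hits.append(r["id"])
        key = "conn_mark" if r["action"] == "mark-connection" else "routing_mark"
        state[key] = r["new"]
        if not r["passthrough"]:
            break
    return state["conn_mark"], state["routing_mark"], hits

# Enabled prerouting rules 11-14 and 20 from the posted print, reduced to the
# matchers this model understands. "pcc" stands in for the
# per-connection-classifier bucket (0 or 1) and is a constructed field.
PCC = [
    rule(11, "mark-connection", "WAN1_conn", conn_mark="no-mark", in_if="bridge", pcc=0),
    rule(12, "mark-connection", "WAN2_conn", conn_mark="no-mark", in_if="bridge", pcc=1),
    rule(13, "mark-routing", "to_WAN1", conn_mark="WAN1_conn", in_if="bridge"),
    rule(14, "mark-routing", "to_WAN2", conn_mark="WAN2_conn", in_if="bridge"),
]
SSTP = rule(20, "mark-routing", "SSTP", proto="tcp", src="10.0.0.108")

AS_POSTED = PCC + [SSTP]   # rule 20 last, passthrough=yes
MOVED_TOP = [SSTP] + PCC   # hypothetical: rule 20 first, still passthrough=yes
TOP_FINAL = [rule(20, "mark-routing", "SSTP", passthrough=False,
                  proto="tcp", src="10.0.0.108")] + PCC  # hypothetical

# Constructed sample packets arriving from the LAN bridge.
TCP_108 = {"src": "10.0.0.108", "proto": "tcp", "in_if": "bridge", "pcc": 0}
UDP_108 = {"src": "10.0.0.108", "proto": "udp", "in_if": "bridge", "pcc": 0}

if __name__ == "__main__":
    for name, rules in [("as posted", AS_POSTED), ("moved to top", MOVED_TOP),
                        ("top, passthrough=no", TOP_FINAL)]:
        print(f"{name:20} tcp:", run_chain(rules, TCP_108))
    print(f"{'as posted':20} udp:", run_chain(AS_POSTED, UDP_108))
```

In this model the UDP packet keeps the to_WAN1 routing mark because rule 20 as posted matches only protocol=tcp, so only TCP from 10.0.0.108 is steered to the SSTP routing table.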
 
frank333
Member
Topic Author
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: How to maintain an always-on VPN.

Wed Dec 28, 2022 7:19 pm

ok I got it, thanks again for all the valuable information you gave me !!!
