
 
calandri
just joined
Topic Author
Posts: 14
Joined: Sat Mar 05, 2016 11:03 pm

Can't update Installed SAs

Tue Jul 09, 2019 9:24 am

Hi all,
I've always had an IPSec tunnel between two Mikrotiks (using public IP) and everything has always worked well.
Today I had to change one of the two public IPs designated for the tunnel. I updated the configuration with the new IP in the peer, the NAT, the route etc.

The peer is established correctly (Active Peers > State=established). The problem is that the Installed SAs still remain with the old IP, so Phase 2 is not successful.

I've already tried rebooting both Mikrotiks and using the Flush button, but the Installed SAs still remain with the old IP.

Any suggestion?
 
sindy
Forum Guru
Posts: 3744
Joined: Mon Dec 04, 2017 9:19 pm

Re: Can't update Installed SAs

Tue Jul 09, 2019 9:58 pm

Have you also updated the sa-dst-address in /ip ipsec policy? If yes, post both configurations, see my automatic signature below regarding anonymisation.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
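The find-and-replace step from the signature above, automated, as an added example that is not part of the original posts. The function name `anonymise`, the list of ranges left untouched, and the sample export are assumptions constructed for illustration; the sample uses documentation addresses in place of real public IPs.

```python
import ipaddress
import re

# Ranges left as they are because they do not identify a site (assumption of
# this example): private, loopback, link-local, multicast and netmask values.
KEEP = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]

# Four dotted groups, not part of a longer dotted number.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\.?\d)")

# Constructed, abbreviated export; every other address counts as public here.
SAMPLE = """\
# constructed sample, RouterOS 6.45.1
/ip ipsec peer
add address=198.51.100.7/32 name=site-b
/ip ipsec policy
add dst-address=192.168.20.0/24 sa-dst-address=203.0.113.9 sa-src-address=192.0.2.1 src-address=192.168.10.0/24 tunnel=yes
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.20.0/24 src-address=192.168.10.0/24
"""


def anonymise(export_text):
    """Return (anonymised text, {real address: placeholder})."""
    mapping = {}

    def swap(match):
        try:
            addr = ipaddress.IPv4Address(match.group(0))
        except ValueError:  # e.g. 999.1.1.1 is not an address: keep the text
            return match.group(0)
        if any(addr in net for net in KEEP):
            return match.group(0)
        # The same real address always gets the same placeholder, so peer,
        # policy and NAT entries still line up in the posted export.
        return mapping.setdefault(str(addr), f"my.public.ip.{len(mapping) + 1}")

    return IPV4.sub(swap, export_text), mapping


if __name__ == "__main__":
    text, table = anonymise(SAMPLE)
    print(text)
    print(table)  # keep this table private; it maps back to the real addresses
```

In the constructed sample the peer address becomes my.public.ip.1 while sa-dst-address becomes my.public.ip.2, so a stale address remains visible to readers after anonymisation.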
 
calandri
just joined
Topic Author
Posts: 14
Joined: Sat Mar 05, 2016 11:03 pm

Re: Can't update Installed SAs

Wed Jul 10, 2019 10:31 am

> Have you also updated the sa-dst-address in /ip ipsec policy? If yes, post both configurations, see my automatic signature below regarding anonymisation.

No. I would do it willingly, but it is not an editable field:

Image

P.S.
I currently run v6.45.1 and I have seen in 6.46beta6 this change:

*) ipsec - improved stability for peer initialization (introduced in v6.45)

Maybe it could be this problem...
 
sindy
Forum Guru
Posts: 3744
Joined: Mon Dec 04, 2017 9:19 pm

Re: Can't update Installed SAs

Wed Jul 10, 2019 10:43 am

If disabling and re-enabling one of the peers doesn't help, post your configuration exports (check my automatic signature below for anonymization hints). If you cannot change sa-dst-address manually, it had to be created dynamically and thus it should follow peer address.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
eworm
Member
Posts: 354
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Can't update Installed SAs

Wed Jul 10, 2019 5:10 pm

Looks like there is still a bug with dynamic policies and addresses. I am suffering a similar issue where I have duplicate policies, one with old dynamic address, one with new dynamic address. I am already in contact with Mikrotik support.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
calandri
just joined
Topic Author
Posts: 14
Joined: Sat Mar 05, 2016 11:03 pm

Re: Can't update Installed SAs

Wed Jul 10, 2019 6:02 pm

> Looks like there is still a bug with dynamic policies and addresses. I am suffering a similar issue where I have duplicate policies, one with old dynamic address, one with new dynamic address. I am already in contact with Mikrotik support.

Thanks, I assumed it was a bug. I am also in contact with Mikrotik's support.
 
calandri
just joined
Topic Author
Posts: 14
Joined: Sat Mar 05, 2016 11:03 pm

Re: Can't update Installed SAs

Fri Jul 12, 2019 7:58 am

I solved the problem by performing the downgrade from stable v6.45.1 to long term v6.44.5
 
saifulslm09
just joined
Posts: 12
Joined: Mon Feb 04, 2013 6:02 am

Re: Can't update Installed SAs

Mon Jul 15, 2019 8:13 am

> I solved the problem by performing the downgrade from stable v6.45.1 to long term v6.44.5

Could you please tell me the procedure for downgrading RouterOS? I tried but it stayed at v6.45.1. I want to downgrade to v6.44.5.
