Guscht
Member Candidate
Topic Author
Posts: 236
Joined: Thu Jul 01, 2010 5:32 pm

CRS326 stops responding

Sun Nov 21, 2021 7:06 pm

Hi,

my CRS326 sometimes stops responding to Winbox and HTTP. After a few hours or a day, I can't connect anymore.

Sometimes I can ping it, sometimes not. After a reboot (power disconnected), it will work for a few hours (or minutes), then the same happens again. I have now created a scheduled task to reboot it every 6 hours. This fixed the symptoms, but not the root issue.

Did a few netinstalls with stable and long-term. Every time the same...
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: CRS326 stops responding

Sun Nov 21, 2021 7:14 pm

Difficult to say without knowing the device configuration...
Are you using it as a switch only?
 
Guscht
Member Candidate
Topic Author
Posts: 236
Joined: Thu Jul 01, 2010 5:32 pm

Re: CRS326 stops responding

Sun Nov 21, 2021 9:08 pm

Nope, as a switch but with ROS, because it has more features.
I'd say the config is not special in any way...

/interface bridge
add admin-mac=11:22:33:44:55:66 auto-mac=no frame-types=\
    admit-only-vlan-tagged ingress-filtering=yes name=BR0 priority=0x4000 \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=PC1
set [ find default-name=ether2 ] comment=PC2
set [ find default-name=ether9 ] comment=PC3
set [ find default-name=ether10 ] comment=PR-SRV1
set [ find default-name=ether17 ] comment=DSL1
set [ find default-name=ether18 ] comment=\
    "Uplink - RTR-DMZ1 (Trunk) - RSTP Secondary-IF"
set [ find default-name=ether23 ] comment="TEST-Port (Trunk)"
set [ find default-name=ether24 ] comment=MGMT
set [ find default-name=sfp-sfpplus2 ] comment=\
    "Uplink - RTR-DMZ1 (Trunk) - RSTP Primary-IF"
/interface vlan
add comment=LAN interface=BR0 name=VLAN1 vlan-id=1
/interface list
add name=MGMT
add name=noSTP
/system logging action
add email-start-tls=yes email-to=xxx@xxx.com name=email1 target=\
    email
/interface bridge filter
add action=drop chain=output comment="Drop outgoing STP-BPDUs" \
    dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF out-interface-list=\
    noSTP
/interface bridge host
add bridge=BR0 comment="MAC of the physical NIC (PC1 - Hyper-V SET switch)" \
    interface=ether1 mac-address=38:2C:4A:B9:A5:F8 vid=1
/interface bridge port
add bridge=BR0 ingress-filtering=yes interface=ether2
add bridge=BR0 ingress-filtering=yes interface=ether3
add bridge=BR0 ingress-filtering=yes interface=ether4
add bridge=BR0 ingress-filtering=yes interface=ether5
add bridge=BR0 ingress-filtering=yes interface=ether6
add bridge=BR0 ingress-filtering=yes interface=ether7
add bridge=BR0 ingress-filtering=yes interface=ether8
add bridge=BR0 ingress-filtering=yes interface=ether9
add bridge=BR0 ingress-filtering=yes interface=ether10
add bridge=BR0 ingress-filtering=yes interface=ether11
add bridge=BR0 ingress-filtering=yes interface=ether12
add bridge=BR0 ingress-filtering=yes interface=ether13
add bridge=BR0 ingress-filtering=yes interface=ether14
add bridge=BR0 ingress-filtering=yes interface=ether15
add bridge=BR0 ingress-filtering=yes interface=ether16
add bridge=BR0 ingress-filtering=yes interface=ether17
add bridge=BR0 ingress-filtering=yes interface=ether19
add bridge=BR0 ingress-filtering=yes interface=ether20
add bridge=BR0 ingress-filtering=yes interface=ether21
add bridge=BR0 ingress-filtering=yes interface=ether22
add bridge=BR0 ingress-filtering=yes interface=ether23
add bridge=BR0 ingress-filtering=yes interface=ether1
add bridge=BR0 ingress-filtering=yes interface=ether24
add bridge=BR0 ingress-filtering=yes interface=sfp-sfpplus1
add bridge=BR0 ingress-filtering=yes interface=sfp-sfpplus2
add bridge=BR0 ingress-filtering=yes interface=ether18
/ip neighbor discovery-settings
set discover-interface-list=MGMT protocol=mndp
/interface bridge vlan
add bridge=BR0 tagged=BR0 untagged="ether1,ether2,ether3,ether4,ether5,ether6,\
    ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether\
    16,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24,sfp-sfp\
    plus1,sfp-sfpplus2" vlan-ids=1
add bridge=BR0 tagged=ether1,ether18,ether23,sfp-sfpplus2 vlan-ids=10
/interface list member
add interface=VLAN1 list=MGMT
add interface=ether24 list=MGMT
add interface=ether1 list=noSTP
add interface=ether2 list=noSTP
add interface=ether3 list=noSTP
add interface=ether4 list=noSTP
add interface=ether5 list=noSTP
add interface=ether6 list=noSTP
add interface=ether7 list=noSTP
add interface=ether8 list=noSTP
add interface=ether9 list=noSTP
add interface=ether10 list=noSTP
add interface=ether11 list=noSTP
add interface=ether12 list=noSTP
add interface=ether13 list=noSTP
add interface=ether14 list=noSTP
add interface=ether15 list=noSTP
add interface=ether16 list=noSTP
add interface=ether17 list=noSTP
add interface=ether19 list=noSTP
add interface=ether20 list=noSTP
add interface=ether21 list=noSTP
add interface=ether22 list=noSTP
add interface=ether23 list=noSTP
add interface=ether24 list=noSTP
add interface=sfp-sfpplus1 list=noSTP
/ip address
add address=10.88.20.1/16 interface=VLAN1 network=10.88.0.0
/ip cloud
set update-time=no
/ip dns
set servers=10.88.20.2
/ip firewall address-list
add address=10.0.0.0/8 comment="RFC 1918 / Private-use networks (Class A - 1 p\
    rivate net with 16.777.216 addresses)" list=reserved-IP-Range
add address=172.16.0.0/12 comment="RFC 1918 / Private-use networks (Class B - \
    16 private nets with 65.536 addresses each)" list=reserved-IP-Range
add address=192.168.0.0/16 comment="RFC 1918 / Private-use networks (Class C -\
    \_256 private nets with 256 addresses each)" list=reserved-IP-Range
add address=0.0.0.0/8 comment="RFC 5735 / Current network" list=\
    reserved-IP-Range
add address=100.64.0.0/10 comment="RFC 6264 + RFC 6598 / Carrier-grade NAT" \
    list=reserved-IP-Range
add address=127.0.0.0/8 comment="RFC 1700 / Loopback" list=reserved-IP-Range
add address=169.254.0.0/16 comment="RFC 3927 / Link local" list=\
    reserved-IP-Range
add address=192.0.0.0/24 comment="RFC 5736 / IETF protocol assignments" list=\
    reserved-IP-Range
add address=192.0.2.0/24 comment="RFC 5737 / TEST-NET-1" list=\
    reserved-IP-Range
add address=198.51.100.0/24 comment="RFC 5737 / TEST-NET-2" list=\
    reserved-IP-Range
add address=203.0.113.0/24 comment="RFC 5737 / TEST-NET-3" list=\
    reserved-IP-Range
add address=192.88.99.0/24 comment=\
    "RFC 3068 / Reserved - Formerly used for IPv6 to IPv4 relay" list=\
    reserved-IP-Range
add address=198.18.0.0/15 comment=\
    "RFC 2544 / Network interconnect device benchmark testing" list=\
    reserved-IP-Range
add address=224.0.0.0/24 comment=\
    "RFC 3171 / Multicast - Former Class D network" list=reserved-IP-Range
add address=240.0.0.0/4 comment=\
    "RFC 1112 / Reserved for future use - Former Class E network" list=\
    reserved-IP-Range
add address=255.255.255.255 comment="RFC 1700 / Limited broadcast" list=\
    reserved-IP-Range
/ip route
add distance=1 gateway=10.88.20.2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.88.0.0/16
set ssh disabled=yes
set api disabled=yes
set winbox address=10.88.0.0/16
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=CORE-SW1
/system logging
add action=email1 disabled=yes topics=info,interface
/system ntp client
set enabled=yes primary-ntp=10.88.20.2
/system routerboard settings
set auto-upgrade=yes boot-os=router-os silent-boot=yes
/system scheduler
add interval=1m name=if-eth18-mail-script on-event=if-eth18-mail policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add interval=1m name=if-sfpplus2-mail-script on-event=if-sfpplus2-mail \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
/system script
add dont-require-permissions=no name=if-eth18-mail owner=xxx policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    global \"ifstatus-eth18\"\r\
    \n:if ([/interface ethernet get ether18 running]=true) do={\r\
    \n\t:put \"running\"\r\
    \n\t:if (\$\"ifstatus-eth18\"=\"down\") do={\r\
    \n\t\t/tool e-mail send from=\"\$[/system identity get name]<it-infra@hohe\
    nleitner.eu>\" server=\"smtp.tld.com\" to=xxx@xxx.com subject=\"\
    I/F ETH18 UP\" body=\"\$[/system clock get date], \$[/system clock get tim\
    e] - I/F ETH18 up\"\r\
    \n\t}\r\
    \n\t:set \$\"ifstatus-eth18\" \"up\"\r\
    \n} else={\r\
    \n\t:put \"not running\"\r\
    \n\t:if (\$\"ifstatus-eth18\"=\"up\") do={\r\
    \n\t\t/tool e-mail send from=\"\$[/system identity get name]<it-infra@hohe\
    nleitner.eu>\" server=\"smtp.tld.com\" to=xxx@xxx.com subject=\"\
    I/F ETH18 DOWN\" body=\"\$[/system clock get date], \$[/system clock get t\
    ime] - I/F ETH18 down\"\r\
    \n\t}\r\
    \n\t:set \$\"ifstatus-eth18\" \"down\"\r\
    \n}"
add dont-require-permissions=no name=if-sfpplus2-mail owner=xxx policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    global \"ifstatus-sfp+2\"\r\
    \n:if ([/interface ethernet get sfp-sfpplus2 running]=true) do={\r\
    \n\t:put \"running\"\r\
    \n\t:if (\$\"ifstatus-sfp+2\"=\"down\") do={\r\
    \n\t\t/tool e-mail send from=\"\$[/system identity get name]<it-infra@hohe\
    nleitner.eu>\" server=\"smtp.tld.com\" to=xxx@xxx.com subject=\"\
    I/F SFP+2 UP\" body=\"\$[/system clock get date], \$[/system clock get tim\
    e] - I/F SFP+2 up\"\r\
    \n\t}\r\
    \n\t:set \$\"ifstatus-sfp+2\" \"up\"\r\
    \n} else={\r\
    \n\t:put \"not running\"\r\
    \n\t:if (\$\"ifstatus-sfp+2\"=\"up\") do={\r\
    \n\t\t/tool e-mail send from=\"\$[/system identity get name]<it-infra@hohe\
    nleitner.eu>\" server=\"smtp.tld.com\" to=xxx@xxx.com subject=\"\
    I/F SFP+2 DOWN\" body=\"\$[/system clock get date], \$[/system clock get t\
    ime] - I/F SFP+2 down\"\r\
    \n\t}\r\
    \n\t:set \$\"ifstatus-sfp+2\" \"down\"\r\
    \n}"
/tool bandwidth-server
set enabled=no
/tool e-mail
set address=smtp.tld.com from=CORE-SW1<mail@domain.tld> password=\
    "bliblablubb" port=587 start-tls=yes user=mail@domain.tld
/tool graphing interface
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/tool sniffer
set filter-interface=BR0 filter-stream=yes streaming-server=10.88.10.1
 
tangent
Forum Guru
Posts: 1390
Joined: Thu Jul 01, 2021 3:15 pm

Re: CRS326 stops responding

Sun Nov 21, 2021 9:35 pm

/interface bridge
add admin-mac=11:22:33:44:55:66

Is your admin machine multi-homed? Common case: both Ethernet and WiFi. If so, then your OS's routing configuration might be choosing wired some of the time and wireless other times, so the MAC block keeps you out sometimes and other times lets you in, because each interface has a different MAC.

Adding port-based blocking can further complicate this, since the direct wired path will enter the switch via one Ethernet port but via another for WiFi.

admit-only-vlan-tagged

Similar case: your frames might not always be VLAN-tagged, depending on other configuration details. Is this the only VLAN-aware switch, or are there others? Is the "admin PC" plugged directly into this one, or does it go via another intermediary switch/router?

/ip service
set ssh disabled=yes

How about you set SSH up, then report whether it gets locked out as well?
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: CRS326 stops responding

Mon Nov 22, 2021 1:08 pm

I don't really agree with your VLAN setup configuration...
I'd never use VLAN 1 for management purposes...
Also, your MAC address starts with 11, why? That way you've set a globally unique multicast address...
That firewall list is confusing as well; why is it there?
 
Guscht
Member Candidate
Topic Author
Posts: 236
Joined: Thu Jul 01, 2010 5:32 pm

Re: CRS326 stops responding

Mon Nov 22, 2021 6:43 pm

Hi, just for information, I found the root issue.
My backbone consists of a 1Gig and a 10Gig link. I block the 1Gig via RSTP, so it will come up only if the 10Gig link fails.

Unfortunately, you can't configure in ROS which ports send out (R)STP BPDUs. MikroTik recommends a Bridge -> Filter rule:
In case bridge filter rules are used, make sure you allow packets with DST-MAC address 01:80:C2:00:00:00 since these packets carry BPDUs that are crucial for STP to work properly.

A rule like the following is required, and you'll find such a rule in my config (posted above):
/interface bridge filter add action=drop chain=forward in-interface=wan dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF

This rule broke my network at random time intervals!!!
There is nothing wrong with this rule; it should drop outgoing STP BPDUs on non-STP ports. UNFORTUNATELY it will drop way more than only the DST-MAC "01:80:C2:00:00:00"!

Described here as well:
viewtopic.php?p=892517#p869820

I changed my drop-rule like the suggested one:
/interface bridge filter add 802.3-sap=0x42 action=drop chain=output comment="Filter STP" mac-protocol=length out-interface=sfp-sfpplus1

I can confirm, as the user mducharme said, this is a bug in ROS!!
The Bridge -> Filter rule with DST-MAC "01:80:C2:00:00:00" will drop way(!!) more packets, which will crash your network at random intervals.


PS @Zacharias: There is no firewall rule in my config...??
There are a few non-routable networks defined as an address list. This is a default config on all my routers, used to distinguish between internal and public IP networks.
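As an added example (not code from the thread, from the posted config, or from MikroTik), here is a small Python model of what the two bridge-filter match conditions discussed above actually test: a rule on dst-mac-address 01:80:C2:00:00:00 with a full mask keys only on the destination MAC, while mac-protocol=length together with 802.3-sap=0x42 keys on IEEE 802.3 framing plus the STP LLC SAP. The same block decodes the I/G and U/L bits behind Zacharias's remark that 11:22:33:44:55:66 is a globally unique multicast address. The sample frames, the function names, and the use of the config's 38:2C:4A:B9:A5:F8 as a source MAC are all constructed here; RouterOS does its own matching, and this script only models what each condition tests, not the dropped-traffic behaviour reported in the thread.

```python
"""Added example, not from the thread or from MikroTik: a frame classifier that
models the two bridge-filter match conditions discussed in the posts above.

  dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF -> destination MAC only
  mac-protocol=length 802.3-sap=0x42                  -> IEEE 802.3 framing
                                                         plus LLC DSAP 0x42 (STP)

All frames below are constructed for illustration.
"""
import struct

STP_DST_MAC = bytes.fromhex("0180c2000000")  # Bridge Group Address (IEEE 802.1D)
STP_SAP = 0x42                               # LLC SAP carried by STP/RSTP BPDUs
ETHERTYPE_MIN = 0x0600  # type/length >= 1536 is an EtherType (Ethernet II);
                        # <= 1500 is an IEEE 802.3 length field


def mac_to_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def mac_bits(mac: str) -> dict:
    """Decode the two flag bits in the first octet of a MAC address."""
    first = int(mac.split(":")[0], 16)
    return {
        "multicast": bool(first & 0x01),             # I/G bit: 1 = group address
        "locally_administered": bool(first & 0x02),  # U/L bit: 0 = OUI-assigned
    }


def parse_frame(frame: bytes) -> dict:
    """Split a frame into dst/src, encapsulation type and (for 802.3) the LLC DSAP."""
    if len(frame) < 15:
        raise ValueError("frame too short")
    dst, src, type_len = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": mac_to_str(dst), "src": mac_to_str(src)}
    if type_len >= ETHERTYPE_MIN:
        info.update(encap="ethernet-ii", ethertype=type_len, sap=None)
    else:
        info.update(encap="802.3", length=type_len, sap=frame[14])  # LLC DSAP
    return info


def matches_dst_mac_rule(frame: bytes) -> bool:
    """Model of a rule that matches only dst-mac-address=01:80:C2:00:00:00."""
    return parse_frame(frame)["dst"] == mac_to_str(STP_DST_MAC)


def matches_sap_rule(frame: bytes) -> bool:
    """Model of mac-protocol=length 802.3-sap=0x42: 802.3 framing and DSAP 0x42."""
    f = parse_frame(frame)
    return f["encap"] == "802.3" and f["sap"] == STP_SAP


# --- constructed sample frames ------------------------------------------------
def build_bpdu(src: bytes) -> bytes:
    """802.3 frame with LLC header (DSAP/SSAP 0x42, control UI) and a zeroed
    35-byte configuration-BPDU body; the body contents do not matter here."""
    payload = bytes([STP_SAP, STP_SAP, 0x03]) + bytes(35)
    return STP_DST_MAC + src + struct.pack("!H", len(payload)) + payload


def build_ethernet_ii(dst: bytes, src: bytes, ethertype: int = 0x0800) -> bytes:
    """Ethernet II frame with a dummy 46-byte payload."""
    return dst + src + struct.pack("!H", ethertype) + bytes(46)


SRC = bytes.fromhex("382c4ab9a5f8")  # MAC from the posted config, reused as a source


def classify_all() -> dict:
    """Run both rule models over three constructed frames: (dst-mac, 802.3-sap)."""
    frames = {
        "rstp_bpdu": build_bpdu(SRC),
        "ipv4_unicast": build_ethernet_ii(bytes.fromhex("001122334455"), SRC),
        # Ethernet II frame addressed to the bridge group MAC: not a BPDU, yet
        # the destination-MAC-only condition still matches it.
        "ethii_to_bridge_group": build_ethernet_ii(STP_DST_MAC, SRC),
    }
    return {name: (matches_dst_mac_rule(f), matches_sap_rule(f))
            for name, f in frames.items()}


if __name__ == "__main__":
    for name, (by_mac, by_sap) in classify_all().items():
        print(f"{name:24s} dst-mac rule: {by_mac!s:5}  802.3-sap rule: {by_sap}")
    print("11:22:33:44:55:66 ->", mac_bits("11:22:33:44:55:66"))
```

The third frame is the instructive one: it is addressed to the bridge group MAC but framed as Ethernet II, so it satisfies the destination-MAC condition and fails the 802.3/SAP condition. The two rules therefore describe different sets of frames, and only the second one is pinned to STP's actual encoding.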
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: CRS326 stops responding

Tue Nov 23, 2021 7:32 pm

Unfortunately, you can't configure in ROS which ports send out (R)STP BPDUs. MikroTik recommends a Bridge -> Filter rule:
Well, that is not really true...
You can set a bridge port as an edge port; such a port will ignore any received BPDU and is restricted from sending BPDUs as well...
Of course you can drop the received or sent BPDUs as well, but with switch rules on a CRS3xx device ...
Example: https://help.mikrotik.com/docs/display/ ... eivedBPDUs
