rb9999
just joined
Topic Author
Posts: 24
Joined: Thu Dec 06, 2018 3:09 pm

v7.1.5 ipsec site2site issues

Thu May 05, 2022 7:52 pm

So, at last I had the guts to start updating some remote systems from a bit older, but 'stable' 6.49.6 to somewhat newer, but considered 'stable' some time ago, 7.1.5. IPsec site2site stopped working for me. I didn't change any settings (both sides are rb4001, aes256-gcm) and the weird thing is, IPsec seems to set up fine (endpoint is present in active peers, I can see 6 SAs - I'm using 3 different P2 policies), and... pinging the other side works.
The odd thing is, TCP traffic doesn't work as it should - the connection seems to establish (SYN, SYN/ACK, ACK) but I can't see the server greeting from the other side (tried with multiple servers, multiple services - telnet, http, https). At first I thought there might be some MSS issue so I limited the MSS to 1300, but no luck.
Here is where it gets tricky... I enabled 'all traffic' in firewall with enabled logging, and the return traffic (stuff that the server should send back) is identified as 'new traffic' even though I assume it should be identified as a part of an established session.
Rolling back remote site from v7.1.5 to v6.49.6 resolves the issue.
 
rb9999

Re: v7.1.5 ipsec site2site issues

Sat May 07, 2022 12:22 am

Just a short update... tried again, but now I disabled fasttrack... and it seems it's working (for now).
[admin@rb4011] > /ip/firewall/filter/print
Flags: X - disabled, I - invalid; D - dynamic
...
1 X ;;; Fasttrack connection no ipsec
chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related connection-mark=!ipsec log=no log-prefix=""
...
So the next question is... did something happen with fasttrack from 6.49.x to 7.1.x?
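For readers reproducing this setup, here is an added configuration example (not the poster's own config, whose mangle rules are elided above) showing the two commonly used ways of keeping IPsec-policy traffic away from fasttrack-connection: marking the tunnel connections in mangle and excluding that mark from the fasttrack rule (the shape of the rule the poster shows), or accepting ipsec-policy traffic before the fasttrack rule (the pattern the RouterOS default firewall uses). The connection-mark name "ipsec" and the mangle rules are assumptions; use one option, not both. Note that the poster's rule already excludes the mark, so this example documents the intended layout rather than explaining the 6.49.6 to 7.1.5 behaviour change.

```routeros
# Added example, not the poster's configuration. The mangle rules and the
# mark name "ipsec" are assumptions; the post only shows the fasttrack rule
# that matches connection-mark=!ipsec, not what sets that mark.

# ---- Option A: mark IPsec-policy connections, fasttrack everything else ----
/ip/firewall/mangle
# Decrypted traffic arriving through a policy (remote site -> local LAN)
add chain=forward action=mark-connection new-connection-mark=ipsec passthrough=yes \
    ipsec-policy=in,ipsec connection-mark=no-mark \
    comment="mark connections entering via IPsec policy (assumed)"
# Traffic that will be encrypted by a policy (local LAN -> remote site)
add chain=forward action=mark-connection new-connection-mark=ipsec passthrough=yes \
    ipsec-policy=out,ipsec connection-mark=no-mark \
    comment="mark connections leaving via IPsec policy (assumed)"

/ip/firewall/filter
# Only unmarked (non-tunnel) established/related connections get fasttracked
add chain=forward action=fasttrack-connection hw-offload=yes \
    connection-state=established,related connection-mark=!ipsec \
    comment="Fasttrack connection no ipsec"
# Everything established/related, including the tunnel traffic, is still accepted
add chain=forward action=accept connection-state=established,related

# ---- Option B: accept ipsec-policy traffic before the fasttrack rule ----
# (same layout as the RouterOS default configuration; no mangle rules needed)
/ip/firewall/filter
add chain=forward action=accept ipsec-policy=in,ipsec comment="accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="accept out ipsec policy"
add chain=forward action=fasttrack-connection hw-offload=yes \
    connection-state=established,related comment="fasttrack"
add chain=forward action=accept connection-state=established,related

# ---- Checks ----
# With option A, tunnel connections should show the mark:
/ip/firewall/connection/print where connection-mark=ipsec
# With either option, tunnel connections should NOT carry the fasttrack flag
# (visible in the flags column / "fasttrack" field of the detailed listing):
/ip/firewall/connection/print detail
```

Rule order matters in both options: the ipsec-policy accept rules (B) must sit above the fasttrack rule, and the mangle marks (A) must be applied in the forward chain before the filter forward chain evaluates connection-mark. Checking the connection table for the tunnel's src/dst pairs is the quickest way to confirm that the return traffic is being tracked as part of the existing connection rather than counted as new, which is the symptom described in the first post.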
