Dodgy winbox after upgrades to V6.x when using VPN
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
Sent: Monday, 5 May 2014 10:59 PM
To: public@talk.mikrotik.com.au
Subject: [MT-AU Public] Dodgy winbox after upgrades to V6.x when using VPN
Hi guys, I was hoping somebody may have come across this issue before and might have a fix.
We have a customer with a 2.4GHz wireless network in a resort, the APs are all RB411AH units and seem to be working fine in general. The APs are backhauled to the main building using some Omnitiks and SXTs, the backhaul is very reliable and stable, average signal is about -55, these are running in A/N mode and happy. The AP then connects into our hotspot gateway and everything works happily. All customer APs are bridged back to the hotspot gateway via EOIP tunnels, once again that works fine.
For management we have a VPN from each device which goes back to our data centre, as the backhaul network and all devices are fully routed these VPNs just travel across the network and out the Internet connection and work fine.
The problem we have is that we have upgraded a couple of APs and backhaul radios to v6.11, they were previously 5.4, as soon as we upgrade them we can't winbox to them anymore.
We first noticed the issue a couple of days ago and didn't really think the upgrades were the cause, but I have spent a couple of hours tonight just going through configs, firewall rules, ACLs etc trying to find some reason why winbox won't work to these units, I have now got to the point where I reckon that it's something to do with the upgrades as the units which still haven't been upgraded connect up instantly without an issue.
I thought it might be the winbox cache on my Windows 7 PC so I deleted it, I can connect fine to other routers which I have upgraded to v6.10, but not with 6.11 or 6.12 which is what I am using on these radios.
Has anybody come across this issue before and have any suggestions as I am all out of them now.
The curly one with this problem is though that the issue only occurs when accessing the routers via VPN, direct access works fine, and I have reduced MTUs and tried everything but they should work with the same PPTP settings as the other routers on V5.4 as they are connected exactly the same way and are configured exactly the same way with exception to the ROS version.
Any suggestions would be greatly appreciated! Although I am happy with CLI it's just easier to do some things in the GUI and you can see graphs and stuff :)
Thanks
Paul
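From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Mike Everest
Sent: Monday, 5 May 2014 11:05 PM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] Dodgy winbox after upgrades to V6.x when using VPN
Hi Paul,
Since you have shell access to these problematic units, try running a torch on the physical interface while attempts to connect are active. I managed to diagnose a similar issue recently that turned out to be vlan tagged traffic arriving on the interface in a way that I did not initially expect ;)
"torch rulez" :)
Cheers!
Mike.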
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
Sent: Monday, 5 May 2014 11:11 PM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] Dodgy winbox after upgrades to V6.x when using VPN
Hi Mike, thanks for the idea, I agree torch is a good option but must be honest and say I have never used it through SSH before, how do you see what type of connections are happening? I can only seem to get packet counts and bandwidth usage.
Regards
Paul
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Mike Everest
Sent: Monday, 5 May 2014 11:20 PM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] Dodgy winbox after upgrades to V6.x when using VPN
Hi!
Just call torch with all of the attributes you want to watch for, e.g:
    tool torch interface=ether2 freeze-frame-interval=2s \
        vlan-id=any port=any ip-protocol=any mac-protocol=any \
        dst-address=0.0.0.0/0 src-address=0.0.0.0/0 duration=10
if you are only watching for winbox traffic, try:
    tool torch interface=ether2 freeze-frame-interval=2s \
        vlan-id=any port=8291 ip-protocol=tcp mac-protocol=ip \
        dst-address=0.0.0.0/0 src-address=0.0.0.0/0 duration=10
Cheers!
Mike.
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
Sent: Monday, 5 May 2014 11:43 PM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] Dodgy winbox after upgrades to V6.x when using VPN
Thanks Mike, very helpful, I can see the traffic coming in but no replies, it's strange, there aren't any firewall rules at all and I can ping the initiating end fine....
Regards
Paul
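From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Mike Everest
Sent: Tuesday, 6 May 2014 8:27 AM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] Dodgy winbox after upgrades to V6.x when using VPN
Hi Paul,
What is the destination address, and is it still bound to the expected interface? What is the source address, and is there an active route to it?
Can the management PC ping the router on that IP?
Cheers,
Mike.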
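
The checks asked about in the message above, written out as read-only RouterOS commands to run over SSH on the upgraded unit. This is an added example, not part of the original thread: 192.0.2.10 (the unit's VPN-interface address) and 192.0.2.1 (the VPN concentrator) are placeholder addresses, and the `/ip service` check is an extra step the thread does not mention.

```routeros
# Placeholders (assumptions, substitute your own):
#   192.0.2.10 = address on this unit's VPN interface (winbox destination)
#   192.0.2.1  = VPN concentrator address (source seen in torch)

# 1. Is the destination address still bound to the expected interface?
#    The "interface" and "actual-interface" fields should name the VPN client.
/ip address print detail where address~"^192.0.2.10/"

# 2. Is there an active route back to the source, and out of which interface?
/ip route print where active
/ip route check 192.0.2.1

# 3. Added check: is the winbox service enabled, on port 8291, and is its
#    "address" (allowed-from) list empty or inclusive of the source above?
/ip service print detail where name=winbox

# 4. IP-level reachability, sourced from the VPN address rather than
#    whichever address the router would pick by default.
/ping 192.0.2.1 src-address=192.0.2.10 count=3
```

All four commands only print state, so they can be run on both an upgraded unit and one still on the older release and the output compared side by side.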
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
Sent: Tuesday, 6 May 2014 9:29 AM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] Dodgy winbox after upgrades to V6.x when using VPN
Hey Mike, the destination address I see in torch is the one on the VPN interface on the AP which is correct, the source is the IP on the VPN concentrator which is also correct as any traffic to an AP VPNS address is natted when it goes through the concentrator, we have many others like this which work fine. Everything can be pinged fine no matter which direction we go.
It's very strange.
Regards
Paul
Let's get a supout, then, and ship it off to MT - seems to me like you've covered all bases, and maybe it is some bug introduced with those versions?
Cheers!
Mike.
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
Sent: Tuesday, 6 May 2014 9:29 AM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] Dodgy winbox after upgrades to V6.x when using VPN
Hey Mike, the destination address I see in torch is the one on the VPN interface on the AP which is correct, the source is the IP on the VPN concentrator which is also correct as any traffic to an AP VPNS address is natted when it goes through the concentrator, we have many others like this which work fine. Everything can be pinged fine no matter which direction we go.
It's very strange.
Regards Paul
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Mike Everest
Sent: Tuesday, 6 May 2014 8:27 AM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] Dodgy winbox after upgrades to V6.x when using VPN
Hi Paul,
What is the destination address, and is it still bound to the expected interface? What is the source address, and is there an active route to it?
Can the management PC ping the router on that IP?
Cheers, Mike.
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
Sent: Monday, 5 May 2014 11:43 PM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] Dodgy winbox after upgrades to V6.x when using VPN
Thanks Mike, very helpful, I can see the traffic coming in but no replies, it's strange, there aren't any firewall rules at all and I can ping the initiating end fine....
Regards Paul
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Mike Everest
Sent: Monday, 5 May 2014 11:20 PM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] Dodgy winbox after upgrades to V6.x when using VPN
Hi!
Just call torch with all of the attributes you want to watch for, e.g:
tool torch interface=ether2 freeze-frame-interval=2s \
    vlan-id=any port=any ip-protocol=any mac-protocol=any \
    dst-address=0.0.0.0/0 src-address=0.0.0.0/0 duration=10
if you are only watching for winbox traffic, try:
tool torch interface=ether2 freeze-frame-interval=2s \
    vlan-id=any port=8291 ip-protocol=tcp mac-protocol=ip \
    dst-address=0.0.0.0/0 src-address=0.0.0.0/0 duration=10
Cheers!
Mike.
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
Sent: Monday, 5 May 2014 11:11 PM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] Dodgy winbox after upgrades to V6.x when using VPN
Hi Mike, thanks for the idea, I agree torch is a good option but must be honest and say I have never used it through SSH before, how do you see what type of connections are happening? I can only seem to get packet counts and bandwidth usage.
Regards Paul
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Mike Everest
Sent: Monday, 5 May 2014 11:05 PM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] Dodgy winbox after upgrades to V6.x when using VPN
Hi Paul,
Since you have shell access to these problematic units, try running a torch on the physical interface while attempts to connect are active. I managed to diagnose a similar issue recently that turned out to be vlan tagged traffic arriving on the interface in a way that I did not initially expect ;)
"torch rulez" :)
Cheers!
Mike.
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
Sent: Monday, 5 May 2014 10:59 PM
To: public@talk.mikrotik.com.au
Subject: [MT-AU Public] Dodgy winbox after upgrades to V6.x when using VPN
Hi guys, I was hoping somebody may have come across this issue before and might have a fix.
We have a customer with a 2.4Ghz wireless network in a resort, the AP's are all RB411AH units and seem to be working fine in general. The AP's are backhauled to the main building using some Omnitiks and SXT's, the backhaul is very reliable and stable, average signal is about -55, these are running in A/N mode and happy. The AP then connects into our hotspot gateway and everything works happily. All customer AP's are bridged back to the hotspot gateway via EOIP tunnels, once again that works fine.
For management we have a VPN from each device which goes back to our data centre, as the backhaul network and all devices are fully routed these VPN's just travel across the network and out the Internet connection and work fine.
The problem we have is that we have upgraded a couple of AP's and backhaul radios to v6.11, they were previously 5.4, as soon as we upgrade them we can't winbox to them anymore.
We first noticed the issue a couple of days ago and didn't really think the upgrades were the cause, but I have spent a couple of hours tonight just going through configs, firewall rules, ACL's etc trying to find some reason why winbox won't work to these units, I have now got to the point where I reckon that it's something to do with the upgrades as the units which still haven't been upgraded connect up instantly without an issue.
I thought it might be the winbox cache on my Windows 7 PC so I deleted it, I can connect fine to other routers which I have upgraded to v6.10, but not with 6.11 or 6.12 which is what I am using on these radios.
Has anybody come across this issue before and have any suggestions as I am all out of them now.
The curly one with this problem is though that the issue only occurs when accessing the routers via VPN, direct access works fine, and I have reduced MTU's and tried everything but they should work with the same PPTP settings as the other routers on V5.4 as they are connected exactly the same way and are configured exactly the same way with exception to the ROS version.
Any suggestions would be greatly appreciated! Although I am happy with CLI it's just easier to do some things in the GUI and you can see graphs and stuff :)
Thanks Paul
Hey Mike, any suggestions on how to get the supout off a router I can only SSH to from another router?
Regards Paul
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Mike Everest
Sent: Tuesday, 6 May 2014 9:44 AM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] Dodgy winbox after upgrades to V6.x when using VPN
Let's get a supout, then, and ship it off to MT - seems to me like you've covered all bases, and maybe it is some bug introduced with those versions?
Cheers!
Mike.
Hi,
Try "tool fetch mode=ftp ?"
OK, so you can get tcp session up OK (if you can ssh) ... is it a routing issue?
Cheers.
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
Sent: Tuesday, 6 May 2014 3:42 PM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] Dodgy winbox after upgrades to V6.x when using VPN
Hey Mike, any suggestions on how to get the supout off a router I can only SSH to from another router?
Regards Paul
Thanks, I will try that.
No not routing issue Mike, pings work fine, the winbox plugins start to download as well but then just slow and stop, then it times out.
Regards Paul
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Mike Everest
Sent: Tuesday, 6 May 2014 3:58 PM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] Dodgy winbox after upgrades to V6.x when using VPN
Hi,
Try "tool fetch mode=ftp ?"
OK, so you can get tcp session up OK (if you can ssh) ... is it a routing issue?
Cheers.
Yah - I realised we already mentioned that ;-)
Firmware?
Cheers,
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
Sent: Tuesday, 6 May 2014 4:01 PM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] Dodgy winbox after upgrades to V6.x when using VPN
Thanks, I will try that. No, not a routing issue Mike. Pings work fine; the winbox plugins start to download as well but then just slow and stop, then it times out.
Regards Paul
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Mike Everest
Sent: Tuesday, 6 May 2014 3:58 PM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] Dodgy winbox after upgrades to V6.x when using VPN
Hi,
Try "tool fetch mode=ftp ?"
OK, so you can get tcp session up OK (if you can ssh) ... is it a routing issue?
Cheers.
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
Sent: Tuesday, 6 May 2014 3:42 PM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] Dodgy winbox after upgrades to V6.x when using VPN
Hey Mike, any suggestions on how to get the supout off a router I can only SSH to from another router?
Regards Paul
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Mike Everest
Sent: Tuesday, 6 May 2014 9:44 AM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] Dodgy winbox after upgrades to V6.x when using VPN
Let's get a supout, then, and ship it off to MT - seems to me like you've covered all bases, and maybe it is some bug introduced with those versions?
Cheers!
Mike.
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
Sent: Tuesday, 6 May 2014 9:29 AM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] Dodgy winbox after upgrades to V6.x when using VPN
Hey Mike, the destination address I see in torch is the one on the VPN interface on the AP, which is correct; the source is the IP on the VPN concentrator, which is also correct, as any traffic to an AP VPNS address is natted when it goes through the concentrator. We have many others like this which work fine. Everything can be pinged fine no matter which direction we go.
It's very strange.
Regards Paul
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Mike Everest
Sent: Tuesday, 6 May 2014 8:27 AM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] Dodgy winbox after upgrades to V6.x when using VPN
Hi Paul,
What is the destination address, and is it still bound to the expected interface? What is the source address, and is there an active route to it?
Can the management PC ping the router on that IP?
Cheers, Mike.
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
Sent: Monday, 5 May 2014 11:43 PM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] Dodgy winbox after upgrades to V6.x when using VPN
Thanks Mike, very helpful. I can see the traffic coming in but no replies; it's strange, there aren't any firewall rules at all and I can ping the initiating end fine....
Regards Paul
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Mike Everest
Sent: Monday, 5 May 2014 11:20 PM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] Dodgy winbox after upgrades to V6.x when using VPN
Hi!
Just call torch with all of the attributes you want to watch for, e.g.:
tool torch interface=ether2 freeze-frame-interval=2s \
    vlan-id=any port=any ip-protocol=any mac-protocol=any \
    dst-address=0.0.0.0/0 src-address=0.0.0.0/0 duration=10
If you are only watching for winbox traffic, try:
tool torch interface=ether2 freeze-frame-interval=2s \
    vlan-id=any port=8291 ip-protocol=tcp mac-protocol=ip \
    dst-address=0.0.0.0/0 src-address=0.0.0.0/0 duration=10
Cheers!
Mike.
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
Sent: Monday, 5 May 2014 11:11 PM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] Dodgy winbox after upgrades to V6.x when using VPN
Hi Mike, thanks for the idea. I agree torch is a good option but must be honest and say I have never used it through SSH before; how do you see what type of connections are happening? I can only seem to get packet counts and bandwidth usage.
Regards Paul
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Mike Everest
Sent: Monday, 5 May 2014 11:05 PM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] Dodgy winbox after upgrades to V6.x when using VPN
Hi Paul,
Since you have shell access to these problematic units, try running a torch on the physical interface while attempts to connect are active. I managed to diagnose a similar issue recently that turned out to be vlan tagged traffic arriving on the interface in a way that I did not initially expect ;)
"torch rulez" :)
Cheers!
Mike.
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
Sent: Monday, 5 May 2014 10:59 PM
To: public@talk.mikrotik.com.au
Subject: [MT-AU Public] Dodgy winbox after upgrades to V6.x when using VPN
Hi guys, I was hoping somebody may have come across this issue before and might have a fix.
We have a customer with a 2.4GHz wireless network in a resort; the APs are all RB411AH units and seem to be working fine in general. The APs are backhauled to the main building using some Omnitiks and SXTs; the backhaul is very reliable and stable, average signal is about -55, and these are running in A/N mode and happy. The AP then connects into our hotspot gateway and everything works happily. All customer APs are bridged back to the hotspot gateway via EoIP tunnels; once again that works fine.
For management we have a VPN from each device which goes back to our data centre. As the backhaul network and all devices are fully routed, these VPNs just travel across the network and out the Internet connection and work fine.
The problem we have is that we have upgraded a couple of APs and backhaul radios to v6.11 (they were previously 5.4), and as soon as we upgrade them we can't winbox to them anymore.
We first noticed the issue a couple of days ago and didn't really think the upgrades were the cause, but I have spent a couple of hours tonight just going through configs, firewall rules, ACLs etc. trying to find some reason why winbox won't work to these units. I have now got to the point where I reckon that it's something to do with the upgrades, as the units which still haven't been upgraded connect up instantly without an issue.
I thought it might be the winbox cache on my Windows 7 PC so I deleted it. I can connect fine to other routers which I have upgraded to v6.10, but not with 6.11 or 6.12, which is what I am using on these radios.
Has anybody come across this issue before and have any suggestions, as I am all out of them now?
The curly one with this problem, though, is that the issue only occurs when accessing the routers via VPN; direct access works fine. I have reduced MTUs and tried everything, but they should work with the same PPTP settings as the other routers on V5.4, as they are connected exactly the same way and are configured exactly the same way with the exception of the ROS version.
Any suggestions would be greatly appreciated! Although I am happy with CLI, it's just easier to do some things in the GUI and you can see graphs and stuff :)
Thanks Paul
Well, firmware I have updated to the latest, 3.12 I think from memory. I just upgraded another RB411U today and it was working happily on v5.4 ROS, Winbox access via VPN worked fine; upgraded to V6.11 ROS and now it's doing the same thing, nothing else has changed.....
Regards Paul
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Mike Everest
Sent: Tuesday, 6 May 2014 4:10 PM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] Dodgy winbox after upgrades to V6.x when using VPN
Yah - I realised we already mentioned that ;-)
Firmware?
Cheers,
411U eh, I think I'll try one too - if it is repeatable like that, then we should be able to have it addressed and fixed in a future version.
Cheers, Mike.
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
Sent: Tuesday, 6 May 2014 4:14 PM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] Dodgy winbox after upgrades to V6.x when using VPN
Well, firmware I have updated to the latest, 3.12 I think from memory. I just upgraded another RB411U today and it was working happily on v5.4 ROS, Winbox access via VPN worked fine; upgraded to V6.11 ROS and now it's doing the same thing, nothing else has changed.....
Regards Paul
participants (2)
- Mike Everest
- Paul Julian