When using ROS7 7.1x.x, routing does not work correctly.
Example: on a Mikrotik CCR2004-16G-2S+, a tunnel is raised to the internal office network via ipsec+gre+bgp to Linux with strongswan+bird.
All actions are carried out from a PC connected to the Mikrotik.
The office network has web resources. For example, there is Grafana. If you try to open the Grafana web resource page in the office network,
it takes 30 seconds or longer for the login/password prompt to open. You can also try downloading any file via http(s):
the download speed is low, and during the download there is a drop in the channel width; the speed drops.
If you run web-proxy on Mikrotik and send traffic through the proxy, everything works properly and quickly.
I made a traffic dump on the Mikrotik while opening the page. I can see many "TCP Dup ACK", "TCP Previous Segment not captured" and "TCP Out-of-order" packets,
which indicates packet loss.
It turns out that Mikrotik loses packets while routing traffic into the tunnel. This is not visible on the metrics; port counters do not record errors.
I tried it on devices CCR2004-16G-2S+, CCR2116-12G-4S+, CCR1009-8G-1S-1S+, CCR1016-12S-1S+, CCR1036-8G-2S+ - the problem is repeated everywhere.
If you install ROS6 6.49.10 on Mikrotik thousandth series, everything works properly.
How can this be fixed?
Statistics: Posted by insuriatus — Thu Feb 29, 2024 11:26 am