Hello.
We have an L2TP/IPsec server running on an ASA5520. The ASA firmware is Cisco Adaptive Security Appliance Software Version 9.1(7).
We connect to this L2TP/IPsec VPN server from workstations without any problems.
We also connect to this L2TP/IPsec VPN server from a Mikrotik device, but here a problem of the following kind appears:
The connection is established, but sometimes, after some uptime, the L2TP client interface on the Mikrotik side drops and does not reconnect. IPsec is established, and the ASA and the Mikrotik have SAs with the same SPI. The only thing that helps is disconnecting the L2TP client on the Mikrotik for 5 minutes ("clear crypto ikev1 sa", "clear crypto ipsec sa", as well as "Flush" on the Mikrotik, do not help).
At the same time in the logs on Mikrotik the following:
L2TP, debug: sent control message to 194.x.x.x: 1701 from 0.0.0.0:1701 ... the tunnel received no replies, disconnecting
I can see that the ASA receives this control message, but it does not actually send a response.
I changed the "level" parameter in the IPsec policies on the Mikrotik and restarted the Mikrotik. After the reboot, the Mikrotik logs show the following:
L2TP, debug, packet:
Rcvd control message from 194.x.x.x: 1701 to 176.x.x.x: 1701
Received with the right of the tunnel
I wrote to Mikrotik technical support, and they answered the following:
We have found out that the ASA does not work according to the RFC, and that is why the connection can get stuck.
You should be able to fix the situation either by flushing installed-sa on the router or by rebooting it.
When the ASA loses SAs, it does not send a message about that to the router.
They say that the ASA does not work in accordance with the RFC.
If I understand correctly, Mikrotik support is talking about the ESP RFC. Mikrotik uses RFC 4303.
Could you tell me how to solve this problem? Which RFC does the ASA use? Would a firmware update of the ASA help?
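An added example, not part of the original post or of any Mikrotik or Cisco tooling: a small Python log watcher that parses Mikrotik-style L2TP debug lines like the ones quoted above and flags a peer whose tunnel repeatedly times out with "received no replies". The sample lines, their exact layout, the documentation-range addresses and the function and regex names are all constructed assumptions; the point is that the failure mode described above (control messages sent, nothing comes back, tunnel disconnects, reconnect fails again) is detectable from the router log alone, so an operator can alert on it and correlate it with the installed SAs on both sides instead of noticing hours later.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines approximating the MikroTik L2TP debug messages quoted in
# the post. Timestamps, log topics and the 192.0.2.x / 198.51.100.x addresses are
# made up (documentation ranges), not taken from a real device.
SAMPLE_LOG = """\
10:00:00 l2tp,debug,packet rcvd control message from 198.51.100.7:1701 to 192.0.2.9:1701
10:00:00 l2tp,debug,packet sent control message to 198.51.100.7:1701 from 192.0.2.9:1701
13:40:01 l2tp,debug sent control message to 198.51.100.7:1701 from 0.0.0.0:1701
13:40:06 l2tp,debug sent control message to 198.51.100.7:1701 from 0.0.0.0:1701
13:40:11 l2tp,debug sent control message to 198.51.100.7:1701 from 0.0.0.0:1701
13:40:16 l2tp,debug the tunnel received no replies, disconnecting
13:41:00 l2tp,debug sent control message to 198.51.100.7:1701 from 0.0.0.0:1701
13:41:05 l2tp,debug the tunnel received no replies, disconnecting
"""

# Assumed line shapes: "<time> l2tp,<topics> <message>". Adjust for the real log layout.
RCVD = re.compile(r"^(?P<ts>\S+) l2tp,\S+ rcvd control message from (?P<peer>\S+) to \S+$", re.I)
SENT = re.compile(r"^(?P<ts>\S+) l2tp,\S+ sent control message to (?P<peer>\S+) from \S+$", re.I)
DEAD = re.compile(r"^(?P<ts>\S+) l2tp,\S+ the tunnel received no replies, disconnecting$", re.I)


@dataclass
class PeerState:
    state: str = "unknown"          # "up" once a reply was seen, "stuck" after a timeout
    unanswered_sends: int = 0       # control messages sent since the last reply from the peer
    stuck_events: list = field(default_factory=list)  # timestamps of "no replies" lines


def analyze(log_text, alert_after=2):
    """Walk the log once and return (per-peer state, list of alert strings).

    An alert is raised when the same peer has timed out at least `alert_after`
    times without a single reply in between, i.e. the tunnel is not recovering
    on its own and the IPsec SAs on both ends should be checked.
    """
    peers = {}
    last_peer = None   # the "disconnecting" line names no peer; attribute it to the last one sent to
    alerts = []
    for line in log_text.splitlines():
        if m := RCVD.match(line):
            p = peers.setdefault(m["peer"], PeerState())
            p.state, p.unanswered_sends = "up", 0      # a reply clears the stuck condition
            last_peer = m["peer"]
        elif m := SENT.match(line):
            p = peers.setdefault(m["peer"], PeerState())
            p.unanswered_sends += 1
            last_peer = m["peer"]
        elif (m := DEAD.match(line)) and last_peer is not None:
            p = peers[last_peer]
            p.state = "stuck"
            p.stuck_events.append(m["ts"])
            if len(p.stuck_events) >= alert_after:
                alerts.append(
                    f"{m['ts']} peer {last_peer}: L2TP tunnel timed out "
                    f"{len(p.stuck_events)} times, {p.unanswered_sends} control messages unanswered; "
                    "check IPsec SAs/SPIs on both ends"
                )
    return peers, alerts


if __name__ == "__main__":
    peers, alerts = analyze(SAMPLE_LOG)
    for peer, st in peers.items():
        print(peer, st.state, "unanswered:", st.unanswered_sends, "timeouts:", st.stuck_events)
    for a in alerts:
        print("ALERT", a)
```

Feed it the router's log export (or a syslog stream from the Mikrotik) and hook the alert into whatever the operations team already uses; the `alert_after` threshold keeps a single transient timeout from paging anyone, while a tunnel that stays stuck, as in the situation described above, is reported on the second consecutive timeout.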