
L2TP/IPsec: Tunnel Disconnects Every 8 Hours


L2TP/IPsec tunnels that drop on a predictable schedule — commonly every 8 hours — are almost always caused by one of four things: a session-timeout enforced by the PPP profile, a NAT device expiring its idle UDP mapping, an IPsec SA lifetime forcing a rekey that fails, or an ISP session reset. This guide identifies each cause and shows how to fix it.

  • RouterOS 7.x with a working L2TP/IPsec server or client
  • Admin access to the router
  • Basic familiarity with /ppp profile, /ip ipsec, and /system scheduler

Before changing any settings, enable logging to capture the disconnect reason.

/system logging add topics=l2tp,ppp action=memory
/system logging add topics=ipsec action=memory

Wait for the next disconnect, then immediately review:

/log print where topics~"l2tp|ppp|ipsec" proplist=time,topics,message

Match the log output to the table below:

Log message                                          Likely cause
---------------------------------------------------  -----------------------------------------
session timed out                                    session-timeout in PPP profile
idle timeout                                         idle-timeout in PPP profile
no reply to keepalive / disconnected                 NAT dropped the UDP mapping
DPD: no response — deleting SA                       IPsec Dead Peer Detection tearing down SA
phase2 failed or no matching proposal after rekey    IPsec SA lifetime mismatch
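The table above can be applied mechanically to a saved copy of the log. The following Python script is an added example, not part of the original guide and not a RouterOS feature: it reads lines as `/log print` shows them, maps each disconnect to the table's likely cause, collapses the burst of lines one drop produces into a single event, and reports whether the events recur at the 28800-second boundary that the rest of this guide is concerned with. The log lines in SAMPLE_LOG are constructed, and the entry layout it expects (month/day, time, comma-separated topics, message) is an assumption about `/log print` output for entries from earlier days.

```python
import re
from collections import Counter
from datetime import datetime

# Rows of the log-message table, as regexes tried in order (first match wins).
# The specific IPsec messages are tried before the generic "disconnected" so the
# plain "disconnected" line that follows every drop does not mask the real reason.
CAUSE_PATTERNS = [
    (re.compile(r"session timed out", re.I), "session-timeout in PPP profile"),
    (re.compile(r"idle timeout", re.I), "idle-timeout in PPP profile"),
    (re.compile(r"DPD: no response", re.I), "IPsec Dead Peer Detection tearing down SA"),
    (re.compile(r"phase2 failed|no matching proposal", re.I), "IPsec SA lifetime mismatch"),
    (re.compile(r"no reply to keepalive|disconnected", re.I), "NAT dropped the UDP mapping"),
]

EIGHT_HOURS = 28800   # seconds: where a 28800 s session-timeout or IKE lifetime fires
TOLERANCE = 120       # seconds of slack allowed around that boundary
CLUSTER_GAP = 60      # log lines closer together than this describe one and the same drop

MONTHS = {name: i for i, name in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), start=1)}

# Assumed entry shape "<mon>/<dd> HH:MM:SS <topics> <message>"; anything else is skipped.
LINE_RE = re.compile(
    r"^(?P<mon>[a-z]{3})/(?P<day>\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+(?P<topics>\S+)\s+(?P<msg>.*)$",
    re.I)


def parse_line(line, year=2024):
    """Return (timestamp, topics, message) for a log entry, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    hour, minute, second = (int(x) for x in m["time"].split(":"))
    ts = datetime(year, MONTHS[m["mon"].lower()], int(m["day"]), hour, minute, second)
    return ts, m["topics"].lower().split(","), m["msg"]


def classify(message):
    """Map one message to the table's likely cause, or None if it does not describe a drop."""
    for pattern, cause in CAUSE_PATTERNS:
        if pattern.search(message):
            return cause
    return None


def triage(lines, year=2024):
    """Group disconnect lines into events and test whether they recur every 8 hours."""
    events = []  # one (timestamp, cause) per disconnect
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, topics, msg = parsed
        if not {"l2tp", "ppp", "ipsec"} & set(topics):
            continue
        cause = classify(msg)
        if cause is None:
            continue
        # A drop produces several lines within seconds; keep the first reason seen for it.
        if events and (ts - events[-1][0]).total_seconds() <= CLUSTER_GAP:
            continue
        events.append((ts, cause))
    intervals = [int((b[0] - a[0]).total_seconds()) for a, b in zip(events, events[1:])]
    periodic = bool(intervals) and all(abs(i - EIGHT_HOURS) <= TOLERANCE for i in intervals)
    dominant = Counter(c for _, c in events).most_common(1)[0][0] if events else None
    return {"events": events, "intervals": intervals,
            "eight_hour_pattern": periodic, "dominant_cause": dominant}


# Constructed sample of what /log print might show after three drops (not real output).
SAMPLE_LOG = """\
jan/02 06:00:01 l2tp,ppp,info l2tp-out1: session timed out
jan/02 06:00:01 l2tp,ppp,info l2tp-out1: disconnected
jan/02 06:00:04 l2tp,ppp,info l2tp-out1: initializing...
jan/02 06:00:05 ipsec,info initiate new phase 1 (Identity Protection): 203.0.113.5[500]<=>198.51.100.7[500]
jan/02 06:00:06 l2tp,ppp,info l2tp-out1: connected
jan/02 14:00:01 l2tp,ppp,info l2tp-out1: session timed out
jan/02 14:00:01 l2tp,ppp,info l2tp-out1: disconnected
jan/02 22:00:02 l2tp,ppp,info l2tp-out1: session timed out
jan/02 22:00:02 l2tp,ppp,info l2tp-out1: disconnected
""".splitlines()

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ts, cause in result["events"]:
        print(ts, cause)
    print("intervals (s):", result["intervals"])
    print("recurs at 8 h boundary:", result["eight_hour_pattern"])
```

Run it against the lines you saved from `/log print where topics~"l2tp|ppp|ipsec"`; if `eight_hour_pattern` is true and the dominant cause is a PPP timeout, start with Fix 1, and if the cause is an IPsec message, start with the lifetime alignment steps further down.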

Fix 1 — Disable PPP Session and Idle Timeouts

The default PPP profile ships with both timers disabled, but an operator or RADIUS server may have set them. Check:

/ppp profile print detail

Look for session-timeout and idle-timeout. Set both to 0 (unlimited) on the profile used by L2TP:

/ppp profile set [find name=default-encryption] \
session-timeout=0 \
idle-timeout=0

Note: If RADIUS is in use, the Session-Timeout and Idle-Timeout attributes returned by the RADIUS server override the local profile. Check your RADIUS policy if disconnects persist after this change.

RouterOS L2TP sends LCP Echo-Request packets at 1-second intervals. If the peer does not respond within keepalive-timeout seconds, the tunnel is dropped. The default is 60 seconds on the server side.

Check the server setting:

/interface l2tp-server server print

A value of 0 disables liveness checking entirely — the tunnel will not detect NAT failure. Set a reasonable value:

/interface l2tp-server server set keepalive-timeout=60

For a RouterOS client:

/interface l2tp-client set [find name=l2tp-out1] keepalive-timeout=60

ISP NAT, mobile CGNAT, and home routers all age out idle UDP flows. A typical carrier NAT idle UDP timeout is 30–300 seconds; 8 hours is less common but does appear on some ISP CPE. The L2TP keepalive (Fix 2) generates traffic every second, which is normally sufficient. If an intermediate device has a short UDP timeout, add a Netwatch-based ping through the tunnel as a belt-and-suspenders measure:

/tool netwatch add \
host=<tunnel-local-peer-ip> \
interval=00:00:20 \
up-script="/ping <tunnel-local-peer-ip> count=1" \
down-script=":log warning \"VPN keepalive unreachable\""

Replace <tunnel-local-peer-ip> with the L2TP server’s assigned inner address (e.g. 10.10.10.1).

For L2TP/IPsec, a failed IPsec SA rekey will drop the tunnel even if the L2TP keepalive is healthy. Dead Peer Detection (DPD) probes the peer before the SA expires and triggers re-establishment.

Check which profile the dynamic peer uses (created by use-ipsec=yes):

/ip ipsec peer print detail

DPD settings in RouterOS 7 are on the profile, not the peer. Set a shorter DPD interval on the profile used by the peer:

/ip ipsec profile print detail
/ip ipsec profile set [find name=default] \
dpd-interval=30s \
dpd-maximum-failures=5

If the peer references a non-default profile, substitute that profile name. The profile name appears in /ip ipsec peer print detail under the profile= field.

The default IKE Phase 1 lifetime on many platforms is 28800 seconds (exactly 8 hours). If both peers use this default but fail to rekey — due to a proposal mismatch, DH group incompatibility, or PFS disagreement — the SA expires and tears down the tunnel at the 8-hour boundary.

Check the current Phase 1 profile and Phase 2 proposal:

/ip ipsec profile print detail
/ip ipsec proposal print detail

Ensure both peers use identical values. A common working configuration:

# Phase 1 profile — set a lifetime that does not coincide with Phase 2
/ip ipsec profile set [find name=default] \
enc-algorithm=aes-256 \
dh-group=modp2048 \
lifetime=1d
# Phase 2 proposal — shorter than Phase 1
/ip ipsec proposal set [find name=default] \
enc-algorithms=aes-256-cbc \
auth-algorithms=sha256 \
pfs-group=none \
lifetime=8h

Note: pfs-group=none is the safest starting point if the remote peer’s PFS support is unknown. Re-enable PFS once the tunnel is stable.
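Comparing the two peers' settings by eye is error-prone once algorithm lists and duration formats differ. The following Python helper is an added example, not part of the original guide and not RouterOS code: it parses `print detail` output pasted from each side, converts RouterOS durations such as `1d`, `8h` or `28800s` to seconds, and reports Phase 1 or Phase 2 algorithm sets with no overlap, a PFS disagreement, a Phase 2 lifetime that is not shorter than Phase 1, and a Phase 1 lifetime of exactly 28800 seconds. The two sides' output is constructed; the local side matches the configuration shown above and the remote side is deliberately misaligned so that every check has something to report.

```python
import re

# RouterOS duration suffixes as accepted by lifetime=, dpd-interval= and similar fields.
UNIT_SECONDS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
IKE_DEFAULT_LIFETIME = 28800  # seconds: the 8-hour Phase 1 default discussed above


def parse_duration(text):
    """Convert a RouterOS duration such as '1d', '8h', '1d12h', '1h30m' or '28800s' to seconds."""
    parts = re.findall(r"(\d+)([wdhms])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unrecognised duration: {text!r}")
    return sum(int(n) * UNIT_SECONDS[u] for n, u in parts)


def parse_print_detail(output):
    """Parse one item of 'print detail' output into {key: set(values)}.
    Comma-separated lists (enc-algorithm=aes-256,aes-128) become sets so overlap can be tested."""
    return {key: set(raw.strip('"').split(","))
            for key, raw in re.findall(r'([\w-]+)=("[^"]*"|\S+)', output)}


def check_alignment(local, remote):
    """local/remote: {'profile': ..., 'proposal': ...} as returned by parse_print_detail.
    Returns a list of findings; an empty list means the two peers line up."""
    findings = []
    phase_keys = (("profile", ("enc-algorithm", "hash-algorithm", "dh-group")),
                  ("proposal", ("enc-algorithms", "auth-algorithms")))
    for phase, keys in phase_keys:
        for key in keys:
            a, b = local[phase].get(key, set()), remote[phase].get(key, set())
            if a and b and not a & b:
                findings.append(f"{phase}: no common {key} ({sorted(a)} vs {sorted(b)})")
    pfs_local, pfs_remote = (cfg["proposal"].get("pfs-group", set()) for cfg in (local, remote))
    if pfs_local != pfs_remote:
        findings.append(f"proposal: pfs-group differs ({sorted(pfs_local)} vs {sorted(pfs_remote)})")
    for side, cfg in (("local", local), ("remote", remote)):
        p1 = parse_duration(next(iter(cfg["profile"]["lifetime"])))
        p2 = parse_duration(next(iter(cfg["proposal"]["lifetime"])))
        if p2 >= p1:
            findings.append(f"{side}: Phase 2 lifetime {p2}s is not shorter than Phase 1 lifetime {p1}s")
        if p1 == IKE_DEFAULT_LIFETIME:
            findings.append(f"{side}: Phase 1 lifetime is exactly {p1}s; "
                            "a failed rekey here drops the tunnel at the 8-hour mark")
    return findings


# Constructed samples of '/ip ipsec profile print detail' and '/ip ipsec proposal print detail'
# from each peer (not real router output). The remote side is deliberately misaligned.
LOCAL = {
    "profile": parse_print_detail(' 0 * name="default" hash-algorithm=sha256 enc-algorithm=aes-256 '
                                  'dh-group=modp2048 lifetime=1d proposal-check=obey nat-traversal=yes '
                                  'dpd-interval=30s dpd-maximum-failures=5'),
    "proposal": parse_print_detail(' 0 * name="default" auth-algorithms=sha256 '
                                   'enc-algorithms=aes-256-cbc lifetime=8h pfs-group=none'),
}
REMOTE = {
    "profile": parse_print_detail(' 0 * name="default" hash-algorithm=sha256 enc-algorithm=aes-256,aes-128 '
                                  'dh-group=modp1024 lifetime=8h proposal-check=obey nat-traversal=yes '
                                  'dpd-interval=2m dpd-maximum-failures=5'),
    "proposal": parse_print_detail(' 0 * name="default" auth-algorithms=sha256 '
                                   'enc-algorithms=aes-256-cbc lifetime=30m pfs-group=modp1024'),
}


def sample_findings():
    return check_alignment(LOCAL, REMOTE)


if __name__ == "__main__":
    for finding in sample_findings() or ["no mismatches found"]:
        print(finding)
```

Paste your own `print detail` lines in place of the constructed ones; any finding is a value to make identical on both peers before flushing SAs and watching the renegotiation in the log.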

If a mismatch is suspected, flush stale SAs and observe renegotiation:

/ip ipsec installed-sa flush

Then watch /log print where topics~"ipsec" for phase1 and phase2 negotiation messages confirming both sides agree.

Fix 6 — Automatic Reconnect Script (Last Resort)

If the upstream device is unmanageable and the tunnel still drops, use a Netwatch-triggered reconnect:

Note: The script block below must be entered in an interactive RouterOS terminal (Winbox Terminal, serial console, or an SSH shell where you type line-by-line). Do not paste it as a single copied block via SSH — the shell will expand $ifname before RouterOS sees it and mark the script invalid. Copy line-by-line or use Winbox Terminal.

/system script add name=l2tp-reconnect source={
:local ifname "l2tp-out1"
/interface l2tp-client disable [find where name=$ifname]
:delay 3s
/interface l2tp-client enable [find where name=$ifname]
:log warning ("Forced reconnect of " . $ifname)
}
/tool netwatch add \
host=<tunnel-local-peer-ip> \
interval=30s \
down-script="/system script run l2tp-reconnect"

This is a workaround, not a fix. Use it only after exhausting Fixes 1–4.

After applying changes, confirm the tunnel stays up across the 8-hour mark:

# Confirm PPP profile has no session limit
/ppp profile print detail where name=default-encryption
# Confirm active session and uptime
/ppp active print
# Confirm IPsec SA is established
/ip ipsec installed-sa print
# Review log for disconnect messages
/log print where topics~"l2tp|ppp|ipsec"

A healthy session shows an incrementing uptime in /ppp active print with no disconnect events in the log.

Tunnel still drops after all fixes

Check whether your ISP resets PPPoE sessions on a fixed schedule. A PPPoE reconnect changes the WAN IP and tears down all downstream tunnels. Monitor the PPPoE interface:

/interface pppoe-client print detail
/log print where topics~"pppoe"

If the PPPoE link itself drops every 8 hours, contact your ISP or configure the PPPoE client to reconnect immediately and use a DDNS name for the VPN endpoint.

Disconnect happens at exactly 28800 seconds

28800 seconds = 8 hours. There are two common sources:

  1. PPP profile or RADIUS: session-timeout=28800 in the PPP profile, or returned by a RADIUS Session-Timeout attribute. Check:

     /ppp profile print detail

  2. IPsec Phase 1 lifetime: 28800s is the default IKE SA lifetime on many platforms. If rekeying fails at that boundary, the tunnel drops. Check Phase 1 expiry:

     /ip ipsec installed-sa print detail

     Look at the expires-in field. If it counts down to zero at the same time as the disconnect, the IPsec SA lifetime is the cause. Apply Fix 5 above to align lifetimes and proposals on both peers.

phase2 failed at reconnect

Flush stale IPsec security associations and let them renegotiate:

/ip ipsec installed-sa flush

NAT-T not working through carrier NAT

Verify that UDP ports 500 and 4500 are reachable end-to-end and that nat-traversal=yes is set on the IPsec peer:

/ip ipsec peer print detail