L2TP/IPsec: Tunnel Disconnects Every 8 Hours
L2TP/IPsec tunnels that drop on a predictable schedule, commonly every 8 hours, are almost always caused by one of four things: a session-timeout enforced by the PPP profile (locally or via RADIUS), a NAT device expiring its UDP mapping, an IPsec SA lifetime forcing a rekey that fails, or an ISP session reset. An exact, repeatable period is the key clue: idle timeouts and NAT expiry vary with traffic, whereas a timer set to 28800 seconds fires on the dot. This guide shows how to identify each cause from the logs and how to fix it.
Prerequisites

- RouterOS 7.x with a working L2TP/IPsec server or client
- Admin access to the router
- Basic familiarity with /ppp profile, /ip ipsec, and /tool netwatch
Diagnosing the Root Cause

Before changing any settings, enable logging so the disconnect reason is captured. The memory action keeps only the last memory-lines entries (1000 by default) and is lost on reboot; use action=disk if the router may restart before you get to read it.

```
/system logging add topics=l2tp,ppp action=memory
/system logging add topics=ipsec action=memory
```

Wait for the next disconnect, then immediately review:

```
/log print where topics~"l2tp|ppp|ipsec" proplist=time,topics,message
```

Match the log output to the table below:
| Log message | Likely cause |
|---|---|
| session timed out | session-timeout in the PPP profile, or RADIUS Session-Timeout |
| idle timeout | idle-timeout in the PPP profile, or RADIUS Idle-Timeout |
| no reply to keepalive, or disconnected with no reason logged | NAT dropped the UDP mapping; the L2TP keepalive failed |
| DPD: no response, deleting SA | IPsec Dead Peer Detection tore down the IKE SA |
| phase2 failed, no matching proposal after a rekey | IPsec proposal or lifetime mismatch at rekey |
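To make the table usable on a log export, here is an added Python triage script; it is not RouterOS code and not part of the original page. It parses lines in the shape /log print emits for past days (mon/dd hh:mm:ss topics message), labels each drop with the cause from the table, attributes a bare "disconnected" to the reason logged just before it, and checks whether successive drops recur on one fixed period such as 28800 s. The line format, the sample log, ASSUMED_YEAR and the 5-second reason window are assumptions of this example; adjust the regexes to whatever your router actually logs.

```python
# Added example: offline triage of RouterOS "/log print" output (not RouterOS code).
import re
from collections import Counter
from datetime import datetime

# Cause labels and the message fragments from the table above (matched case-insensitively).
CAUSE_PATTERNS = [
    ("session-timeout in PPP profile or RADIUS Session-Timeout", r"session timed out|session timeout"),
    ("idle-timeout in PPP profile or RADIUS Idle-Timeout", r"idle timed out|idle timeout"),
    ("NAT dropped the UDP mapping (L2TP keepalive failed)", r"no reply to keepalive|keepalive timeout"),
    ("IPsec DPD tore down the SA", r"dpd:.*no response|deleting sa"),
    ("IPsec proposal/lifetime mismatch at rekey", r"phase2 failed|no matching proposal"),
]
NO_REASON = "tunnel dropped without a logged reason (suspect NAT idle timeout or upstream reset)"

# Assumed line shape "mon/dd hh:mm:ss topics message"; RouterOS logs carry no year,
# so ASSUMED_YEAR is an assumption of this example.
LINE_RE = re.compile(r"^(?P<stamp>[a-z]{3}/\d\d \d\d:\d\d:\d\d) (?P<topics>[\w,]+) (?P<msg>.*)$", re.I)
ASSUMED_YEAR = 2024
REASON_WINDOW_S = 5  # a bare "disconnected" this soon after a reason line belongs to that reason

def classify(message):
    """Map a log message to a cause label from the table, or None if it names no reason."""
    for label, pattern in CAUSE_PATTERNS:
        if re.search(pattern, message, re.I):
            return label
    return None

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    stamp = datetime.strptime(f"{m['stamp']} {ASSUMED_YEAR}", "%b/%d %H:%M:%S %Y")
    return stamp, m["topics"], m["msg"]

def find_disconnects(lines):
    """Return (timestamp, cause) for every tunnel drop found in the log lines."""
    drops, last_reason_at = [], None
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        stamp, _topics, msg = parsed
        cause = classify(msg)
        if cause:
            drops.append((stamp, cause))
            last_reason_at = stamp
        elif re.search(r"\bdisconnected\b", msg, re.I):
            # No reason logged near this drop: treat it as a silent loss of the path.
            if last_reason_at is None or (stamp - last_reason_at).total_seconds() > REASON_WINDOW_S:
                drops.append((stamp, NO_REASON))
    return drops

def intervals_seconds(drops):
    stamps = [s for s, _ in drops]
    return [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]

def fixed_period(intervals, tolerance_s=120):
    """Return the common period, snapped to a minute, if all gaps agree within tolerance; else None."""
    if not intervals:
        return None
    base = intervals[0]
    if all(abs(gap - base) <= tolerance_s for gap in intervals):
        return int(round(base / 60)) * 60  # 28801 s -> 28800 s
    return None

def triage(lines):
    drops = find_disconnects(lines)
    gaps = intervals_seconds(drops)
    return {
        "disconnects": drops,
        "causes": Counter(cause for _, cause in drops),
        "intervals": gaps,
        "period_s": fixed_period(gaps),
    }

# Constructed sample in the shape of /log print output; not a real capture.
SAMPLE_LOG = """\
jan/02 00:00:02 ipsec,info SA established 203.0.113.10[4500]-198.51.100.20[4500]
jan/02 00:00:05 l2tp,ppp,info <l2tp-alice>: terminating... - session timed out
jan/02 00:00:05 l2tp,ppp,info <l2tp-alice>: disconnected
jan/02 00:00:09 l2tp,ppp,info <l2tp-alice>: connected
jan/02 08:00:06 l2tp,ppp,info <l2tp-alice>: terminating... - session timed out
jan/02 08:00:06 l2tp,ppp,info <l2tp-alice>: disconnected
jan/02 16:00:04 l2tp,ppp,info <l2tp-alice>: terminating... - session timed out
jan/02 16:00:04 l2tp,ppp,info <l2tp-alice>: disconnected
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for cause, count in result["causes"].items():
        print(f"{count}x {cause}")
    print("gaps between drops (s):", result["intervals"])
    print("fixed period (s):", result["period_s"])  # 28800 -> check session-timeout first
```

On the constructed sample the script reports three drops, all attributed to session-timeout, with gaps of 28801 s and 28798 s that snap to a 28800 s period, which is exactly the fingerprint that sends you to Fix 1 rather than to the NAT or DPD fixes. A period that is present but with the no-reason label points at Fixes 2 to 4 instead.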
Configuration

Fix 1 — Disable PPP Session and Idle Timeouts

The default PPP profile ships with both timers disabled, but an operator or a RADIUS server may have set them. Check:

```
/ppp profile print detail
```

Look for session-timeout and idle-timeout. Make sure you are looking at the profile the tunnel really uses: the server's default-profile (shown by /interface l2tp-server server print) can be overridden per user by the profile field of the /ppp secret. Set both timers to 0 (unlimited) on that profile:

```
/ppp profile set [find name=default-encryption] session-timeout=0 idle-timeout=0
```

Note: If RADIUS is in use, the Session-Timeout and Idle-Timeout attributes returned by the RADIUS server override the local profile. Check your RADIUS policy if disconnects persist after this change. If the 8-hour limit turns out to be deliberate, for example to force periodic re-authentication, keep it and make the client reconnect automatically rather than removing the control.
Fix 2 — Verify L2TP Keepalive Is Active

RouterOS checks L2TP peer liveness with LCP Echo-Requests and drops the tunnel when the peer stops answering within keepalive-timeout seconds. The RouterOS defaults are 30 seconds on the server side and 60 seconds on the client side. Two consequences matter here: the probes are only needed when no other traffic is flowing, so even an idle tunnel puts a packet on the wire at least every keepalive-timeout seconds, which is what keeps NAT mappings alive (Fix 3); and the value must be shorter than the smallest UDP idle timeout on the path, or the probes arrive after the mapping is already gone.

Check the server setting:

```
/interface l2tp-server server print
```

A value of 0 disables liveness checking entirely. The router then never notices that the path has failed: the stale session stays in /ppp active, keeps its address lease, and may block the same user from reconnecting if the profile allows only one session. Set a reasonable value:

```
/interface l2tp-server server set keepalive-timeout=60
```

For a RouterOS client:

```
/interface l2tp-client set [find name=l2tp-out1] keepalive-timeout=60
```

Fix 3 — Keep the NAT Mapping Alive
ISP NAT, mobile CGNAT, and home routers all age out idle UDP flows. A typical carrier NAT idle timeout for UDP is 30 to 300 seconds; 8 hours is uncommon but does appear on some ISP CPE. An idle timeout can only fire when nothing crosses the mapping, so with the L2TP keepalive active (Fix 2) and the NAT-T keepalives that IPsec sends on UDP 4500 once it detects a NAT (RFC 3948), a tunnel that still dies on an exact 8-hour period is far more likely to be hitting a configured timer than an idle limit. Where an intermediate device has an unusually short UDP timeout, make sure keepalive-timeout is below it, and add a Netwatch probe through the tunnel as a belt-and-suspenders measure. Netwatch pings the host itself at every interval, and that probe is the keepalive traffic; up-script and down-script only run when the state changes, so a ping in up-script would add nothing:

```
/tool netwatch add host=<tunnel-local-peer-ip> interval=00:00:20 \
    down-script=":log warning \"VPN keepalive unreachable\""
```

Replace <tunnel-local-peer-ip> with the L2TP server's assigned inner address (e.g. 10.10.10.1). The probe must actually be routed through the tunnel; an address that is also reachable over the WAN would keep the wrong mapping alive.
Fix 4 — Tune IPsec Dead Peer Detection

Dead Peer Detection (DPD, RFC 3706) is IKE-level liveness: the router sends a DPD probe when it has heard nothing from the peer for dpd-interval and deletes the IKE SA after dpd-maximum-failures unanswered probes, so the next L2TP packet triggers a fresh negotiation instead of being sent into a dead SA. It recovers from lost NAT state; it does not rescue a rekey that fails for a proposal mismatch (see "phase2 failed at reconnect" under Troubleshooting). In RouterOS 7 the DPD, lifetime and NAT-T settings live on /ip ipsec profile, not on the peer; the dynamic peer created by use-ipsec=yes references a profile (default unless changed), and that is where to adjust them.

Find the profile the peer uses (the profile= field):

```
/ip ipsec peer print detail
```

Then set a shorter DPD interval on that profile so stale NAT state is detected and recovered quickly (the RouterOS defaults are dpd-interval=2m and dpd-maximum-failures=5):

```
/ip ipsec profile set [find name=default] dpd-interval=30s dpd-maximum-failures=5
```

For an explicitly configured peer, set the same on the profile named in its profile= field:

```
/ip ipsec profile set [find name=[/ip ipsec peer get [find address=<server-ip>] profile]] \
    dpd-interval=30s dpd-maximum-failures=5
```

Every peer that shares the profile picks up the change, which is usually what you want for road warriors; create a dedicated profile if it is not. Lifetimes matter here too: the Windows built-in client uses a default IKE main-mode key lifetime of 480 minutes (8 hours), so a rekey that fails at that moment, for example because the NAT mapping has been replaced and the rekey arrives from a new source port, looks exactly like a scheduled 8-hour drop. A short DPD interval together with the keepalives from Fixes 2 and 3 keeps the mapping stable across that rekey.

Fix 5 — Automatic Reconnect Script (Last Resort)
If the upstream device is unmanageable and the tunnel still drops, use a Netwatch-triggered reconnect. Netwatch runs down-script once, on the transition to down, not at every interval, so a reconnect attempt that fails is not retried until the host has come back up in between; that is one reason this is a workaround rather than a fix.

```
/system script add name=l2tp-reconnect source={
    :local ifname "l2tp-out1"
    # Bounce the client interface; the delay gives the old L2TP/IPsec state time to go away
    /interface l2tp-client disable [find where name=$ifname]
    :delay 3s
    /interface l2tp-client enable [find where name=$ifname]
    :log warning ("Forced reconnect of " . $ifname)
}
```

Probe the server's inner address through the tunnel (if you already added the Fix 3 Netwatch for the same host, extend that entry instead of adding a second one):

```
/tool netwatch add host=<tunnel-local-peer-ip> interval=30s \
    down-script="/system script run l2tp-reconnect"
```

This is a workaround, not a fix. Use it only after exhausting Fixes 1 to 4.
Verification

After applying changes, confirm the tunnel stays up across the 8-hour mark:

```
# Confirm PPP profile has no session limit
/ppp profile print detail where name=default-encryption
# Confirm active session and uptime
/ppp active print
# Confirm the IKE peer and its installed SAs
/ip ipsec active-peers print
/ip ipsec installed-sa print
# Review log for disconnect messages
/log print where topics~"l2tp|ppp|ipsec"
```

A healthy session shows an uptime in /ppp active print that keeps climbing past 8:00:00, with no disconnect events in the log over the same window. The installed-sa list still changes at each phase-2 rekey (new SPIs); that is normal as long as the PPP session uptime is not reset.
Troubleshooting

Tunnel still drops after all fixes

Check whether your ISP resets PPPoE sessions on a fixed schedule. A PPPoE reconnect changes the WAN IP and tears down every tunnel that rides on it. Monitor the PPPoE interface:

```
/interface pppoe-client print detail
/log print where topics~"pppoe"
```

If the PPPoE link itself drops every 8 hours, contact your ISP, configure the PPPoE client to reconnect immediately, and publish the VPN endpoint under a DDNS name so clients follow the new address.

Disconnect happens at exactly 28800 seconds

28800 seconds = 8 hours. This is almost certainly session-timeout=28800 in a PPP profile or returned by RADIUS. Check:

```
/ppp profile print detail
```

And confirm no RADIUS Session-Timeout attribute is being applied: a Session-Timeout in the Access-Accept overrides the local profile and is not visible in /ppp profile print, so check the RADIUS server's policy for the user or group directly.

phase2 failed at reconnect

A failed phase-2 negotiation after a rekey usually means the two ends no longer agree on the proposal (encryption, authentication, PFS group) or on how lifetimes are checked (proposal-check on the profile). Compare /ip ipsec proposal and /ip ipsec profile against what the client offers, then flush the stale security associations and let them renegotiate:

```
/ip ipsec installed-sa flush
/ip ipsec active-peers kill-connections
```

NAT-T not working through carrier NAT

Verify that UDP ports 500 and 4500 reach the server end-to-end (with NAT-T, ESP is encapsulated in UDP 4500, so IP protocol 50 does not need to pass the NAT) and that nat-traversal=yes is set on the IPsec profile the peer uses; in RouterOS 7 it is a profile property, not a peer property. On the server, the input chain of /ip firewall filter must accept those UDP ports on the WAN interface.

```
/ip ipsec profile print detail
/ip ipsec peer print detail
```

See Also
- L2TP/IPsec — full server and client setup guide
- L2TP/IPsec: Multiple Road Warriors Behind NAT
- RouterOS PPP AAA reference — /ppp profile timer parameters
- RouterOS IPsec reference — DPD, SA lifetimes, NAT-T