Mikrotik Failover Scripts
We’ve been working quite a bit with Mikrotik devices and had to work out some failover scripts for ipsec and interfaces. You can find them below. Modify them to fit your environment as needed. Enjoy.
IPSec Failover Script
{
:local PrimaryPolicy 1
:local SecondaryPolicy 2
:local PrimaryPeer 1
:local SecondaryPeer 0
:local PrimaryOK [:ping count=3 src-address=x.x.x.x y.y.y.y];
:local SecondaryOK [:ping count=3 src-address=z.z.z.z a.a.a.a];
:local PrimaryActive [/ip ipsec policy get $PrimaryPolicy active];
# :log info "Status: $PrimaryOK $SecondaryOK $PrimaryActive";
# Test case: set $PrimaryOK 0;
:if ($PrimaryOK < 1 && $SecondaryOK > 1 && $PrimaryActive) do={
:log warn "switch to failover";
/ip ipsec policy disable $PrimaryPolicy;
/ip ipsec policy enable $SecondaryPolicy;
/ip ipsec peer disable $PrimaryPeer;
/ip ipsec peer enable $SecondaryPeer;
}
:if ($PrimaryOK = 3 && !$PrimaryActive) do={
:log warn "switch to primary";
/ip ipsec policy disable $SecondaryPolicy;
/ip ipsec policy enable $PrimaryPolicy;
/ip ipsec peer disable $SecondaryPeer;
/ip ipsec peer enable $PrimaryPeer;
}
}
Interface Failover Script
/interface ethernet
:if ((![get sfp-sfpplus2 disabled]) && ([get sfp-sfpplus2 running])) do={
# Interface is Enabled AND Interface is Running
set sfp-sfpplus1 disabled=yes
} else={
:if ((![get sfp-sfpplus2 disabled]) && (![get sfp-sfpplus2 running])) do={
# Interface is Enabled and NOT Running
set sfp-sfpplus1 disabled=no
}
}