What do the colors in RemoteWinBox Admiral mean?
One of the most common questions we get here at Admiral is why a MikroTik is showing yellow or red in the dashboard and what that means, as well as what you should do about it. In today’s post, we’ll take a deeper look at what these colors should mean to you and where to look for additional info and clues on how to turn them green.
RED MikroTiks
First, let’s take a look at the most common cases where your MikroTik won’t connect to the Admiral platform at all and shows red in your dashboard. If you hover over the red circle icon, you may notice that it says INVALID DATE – if you see that, it’s because the MikroTik has never connected to our system. In contrast, if the router has been connected to Admiral but is temporarily offline, hovering here will show you the last time we saw that MikroTik with a date and timestamp.
In this case and before opening a ticket with Admiral support, the best thing to do is log in to your MikroTik to do a couple of troubleshooting steps.
What should I do if the MikroTik is showing up RED?
The first thing to do is to open up Winbox or SSH to your MikroTik, go to INTERFACES, and find the SSTP-CLIENT that’s named something similar to RemoteWinBox-router-name. When things are working properly, you’ll see a capital R next to the interface name, indicating that it’s a RUNNING interface.
Here on the bottom highlight, there’s no R, so we know that the RemoteWinBox Admiral VPN tunnel hasn’t connected yet. The best thing to do when that interface isn’t running is to check the logs for clues as to why it can’t connect.
In this case, I can see that there’s a great reason this MikroTik can’t connect to the service – it’s clear from this log entry that the Tik is trying to resolve DNS for our server vpn6.remotewinbox.com (keep in mind, your connection may be different) and there’s either no DNS server for it to talk to, or the DNS server is blocking resolution of this domain. In either case, you’ll need to put on your sysadmin or devops hat and get a valid DNS configuration in order for your MikroTik to find our servers. In my case, I usually just enter 1.1.1.1 and 9.9.9.9 for the IP – DNS – SERVERS and most of the time, that’s a valid configuration on most networks. If that doesn’t work for you, you may need to ask your security or firewall team why you can’t resolve our domain.
You may find a different log entry on your MikroTik – sometimes a multi-WAN setup or load balancer will result in “unable to connect, internal error (6)”, for example, which means you should look at your WAN configuration, but hopefully you’ll be able to catch a clue as to what’s going on by using the logs.
YELLOW/ORANGE MikroTiks
When a MikroTik shows up in your RemoteWinBox Admiral dashboard as yellowish orange, it’s because we know 2 important things about that Tik.
- It is DEFINITELY online and connected to the Internet (or your local Admiral) and our service can ping your Tik
- There’s a communication issue between our service and your Tik – could be related to firewall, latency, user account, etc.
What should I do if the MikroTik is showing up YELLOW?
There are quite a few reasons we might mark your MikroTik as communications failure, so there are a few things to check on here.
In this screenshot, there are multiple reasons that this MikroTik is orange in the RemoteWinBox Admiral dashboard.
- The API service is disabled
- The API port has been moved from 8728 to 18728
- The Available From IP listing does not include Admiral
One thing we see pretty often is that there’s a firewall, or access control list (ACL for you Cisco folks) on the IP SERVICE. In this case, your MikroTik is configured for enhanced security that only allows traffic from specific subnets to connect to the input chain of your MikroTik. Admiral depends on the configuration of your IP SERVICES for API access for 90% of our features and relies on SSH for backups manager and fleet commander usage.
If you’ve got a custom allowed from list or your API and/or SSH services are disabled for security, here’s what we suggest – go to IP ADDRESSES and open up your RemoteWinBox VPN tunnel interface. Highlight the NETWORK address that our service uses to talk to your MikroTik, and right click – COPY. You can close the IP ADDRESS and open IP SERVICE – API. Make sure that API is enabled and then, in the allowed addresses section, you can add our service IP to your list by clicking the DOWN arrow and right clicking – PASTE. This limits the number of endpoints that can connect to your API service. Now, double click the SSH service, make sure it’s enabled, and click the down arrow for allowed addresses and paste again. It could also be that you’ve adjusted the API port
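The three conditions listed above (API disabled, API port moved, Available From list missing Admiral) can be checked against a saved /ip service export before you change anything on the router. This is an added example, not Admiral's own code: the export text and the tunnel address 10.255.255.1 are constructed placeholders, and it assumes an export in which default values are omitted. It also notes services with no Available From list at all, since those accept connections from any source.

```python
import ipaddress
import shlex

API_PORT = "8728"  # the API port named in the post

# Constructed sample of `/ip service export` output (not from a real router).
SAMPLE_EXPORT = """\
/ip service
set telnet disabled=yes
set api address=192.168.88.0/24 disabled=yes port=18728
set ssh address=192.168.88.0/24,10.255.255.1/32
/ip dns
set servers=1.1.1.1,9.9.9.9
"""
ADMIRAL_IP = "10.255.255.1"  # placeholder; use the NETWORK address of your tunnel


def parse_services(export_text):
    """Return {service: {key: value}} for the '/ip service' section only."""
    services, in_section = {}, False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            in_section = line == "/ip service"
        elif in_section and line.startswith("set "):
            tokens = shlex.split(line)
            services[tokens[1]] = dict(t.split("=", 1) for t in tokens[2:] if "=" in t)
    return services


def audit(export_text, admiral_ip):
    """List what would block Admiral on API/SSH, plus unrestricted-access notes."""
    services = parse_services(export_text)
    peer = ipaddress.ip_address(admiral_ip)
    findings = []
    for name in ("api", "ssh"):
        # Exports omit default values, so start from the defaults.
        cfg = {"disabled": "no", "address": "", "port": None, **services.get(name, {})}
        if cfg["disabled"] == "yes":
            findings.append(f"{name}: service is disabled")
        if name == "api" and cfg["port"] not in (None, API_PORT):
            findings.append(f"api: port moved from {API_PORT} to {cfg['port']}")
        allowed = [a for a in cfg["address"].split(",") if a]
        if not allowed:
            findings.append(f"{name}: no Available From list, any source can connect")
        elif not any(peer in ipaddress.ip_network(a, strict=False) for a in allowed):
            findings.append(f"{name}: Available From list does not include {admiral_ip}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT, ADMIRAL_IP):
        print(finding)
```

An empty result means API and SSH are enabled, the API is on 8728, and both services are restricted to lists that include the tunnel address.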
Another possibility is if you’ve replaced your MikroTik with another one – maybe it got hit by lightning or you needed to upgrade to more powerful hardware and you may have copied and pasted one of your backups. In this case, it’s worth noting that Admiral backups DO NOT include user accounts, so what’s happened is that the Admiral user that allows our service to talk to your MikroTik is missing! This is very easy to fix.
Just go in Admiral to the ROUTER HEALTH, click on the CONFIG tab, and then take a look at this part in the middle of the configuration – where it says /user add. Highlight that line, right click and copy, go back to WinBox and open a new terminal window, right click and paste and communications with our service should be restored.
Also, it could be that when you added the RemoteWinBox Admiral configuration, you chose to make our account READ-ONLY. If that’s the case, we won’t be able to process firmware updates or add Login Manager, for example, but we will still be able to grab telemetry data, draw charts and graphs and take backups. If you hover your mouse over the yellow icon, you’ll see a tip on why the dashboard thinks your MikroTik may be having trouble communicating with the service.
Additionally, if there’s high latency or packet loss, the connection can show up in yellow. In this case, you want to look at the connectivity to the MikroTik and ensure you can do some ping tests and see clean results after replacing cabling and/or updating and tuning the backhaul connectivity.
One final possibility is something that’s difficult for us to help with. Sometimes, the network you’re on may heavily filter OUTBOUND internet access. Admiral needs to connect to the Admiral servers using TCP protocol and port 443. In the vast majority of situations, that’s allowed, but if you’ve tried the above and find you still can’t connect, please ensure that TCP/443 OUTBOUND access to the Internet is unrestricted.
If you take any of the previously mentioned actions, it may be useful to see if things are working properly by checking our dashboard again. One thing that you should know is that our dashboard leverages caching because some of our customers have tens of thousands of MikroTiks in their account. So, if a change has been made to the MikroTik configuration, your RemoteWinBox Admiral dashboard will automatically pick that up in 24 hours because a daily process called DISCOVERY will run once per day. However, if you don’t want to wait until tomorrow, you can force a discovery anytime you’d like by either hitting the REDISCOVER ROUTERS button on the router listing which will rediscover ALL your MikroTiks, or you can rediscover just one MikroTik by hitting the circular refresh icon next to the image of your MikroTik in ROUTER HEALTH. Within 1 minute, we’ll process discovery on that unit and you can refresh the page. Also, if you ever need to invalidate your local browser cache because you think it might be inaccurate, you can hit the ??? button on the ROUTER LISTING and after a few seconds, it will flush the cache and pull fresh data.
We hope this post has helped you get your MikroTik online and into your dashboard with a green status! If not, please contact support by emailing support at admiralplatform.com and attach a copy of your sanitized logs.