BIG BUG- Unicast key exchange timeout

Junim · August 6, 2008, 11:40pm

Mikrotik 3.x have a bug with WPA and WPA2.

In wpa, wpa2, tkip or aes… all configuration log: “unicast key exchange timeout” or “GROUP KEY EXCHANGE TIME OUT” or something else.

See topics:

http://forum.mikrotik.com/viewtopic.php?f=7&t=21299&start=0&st=0&sk=t&sd=a&hilit=unicast+key
my post - http://forum.mikrotik.com/t/mac-interface-disconnected-group-key-exchange-time-out/21298/1
http://forum.mikrotik.com/viewtopic.php?f=13&t=24787&start=0&st=0&sk=t&sd=a&hilit=unicast+key

Nobody solved the problem.
Does the 3.12 will right?

Jawssaus · August 17, 2008, 2:40am

Excactly the same problem (error) here. Its a link between a RB133C and RB600 with R51H cards.
They are running software version 3.13
WPA2 encryption

lehonk · December 13, 2008, 12:01pm

Any news on this topic?

We are still having these issues with Linksys Clients and WPA/WPA2 encryption.

fx242 · December 20, 2008, 1:03am

I was stuck with this error for ages! I recently found a workaround by changing the security profile to use WPA AES CCN (as the only option)! Maybe the problem is the TKIP support or something with the protocol negotiation.
Hope this helps, as i’ve tried before with different NICs (R52 and Gigabyte) and different clients (atheros and ralink) but my RB333 always filled the log with those errors.

TL

chernobyl · December 20, 2008, 11:08pm

This are mine log events

AP side (RB333, ROS 3.9, firmware 2.14)

18:03:01 wireless,info 00:0C:42:xx:yy:zz@wlan2: connected
18:07:31 wireless,info 00:0C:42:xx:yy:zz@wlan2: disconnected, group key exchange timeout
18:07:35 wireless,info 00:0C:42:xx:yy:zz@wlan2: connected
18:07:40 wireless,info 00:0C:42:xx:yy:zz@wlan2: disconnected, unicast key exchange timeout
18:07:45 wireless,info 00:0C:42:xx:yy:zz@wlan2: connected
/interface wireless registration-table print stats
…
interface=wlan2 radio-name=“000C42XXYYZZ” mac-address=00:0C:42:XX:YY:ZZ ap=no wds=no rx-rate=“36Mbps” tx-rate=“24Mbps” packets=361,350
bytes=22139,25685 frames=361,358 frame-bytes=20297,24481 hw-frames=857,375 hw-frame-bytes=76109,39224 tx-frames-timed-out=0 uptime=14m53s
last-activity=930ms signal-strength=-80dBm@36Mbps signal-to-noise=19dB
strength-at-rates=-77dBm@6Mbps 3s350ms,-77dBm@9Mbps 14m47s610ms,-77dBm@12Mbps 14m39s960ms,-80dBm@18Mbps 14m20s950ms,-79dBm@24Mbps 16s750ms,
-80dBm@36Mbps 930ms,-78dBm@48Mbps 35s870ms
tx-signal-strength=-81dBm tx-ccq=69% rx-ccq=78% p-throughput=16214 ack-timeout=50 nstreme=no framing-mode=none routeros-version=“2.9.51”
last-ip=172.16.2.57 802.1x-port-enabled=yes authentication-type=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm compression=no
wmm-enabled=no

\

Client side (RB133C3, ROS 2.9.51, firmware 2.12)

18:03:01 wireless,info 00:0C:42:aa:bb:cc@wlan1 established connection on 5320, SSID xx
18:07:31 wireless,info 00:0C:42:aa:bb:cc@wlan1: lost connection, got deauth: group key handshake timeout (16)
18:07:35 wireless,info 00:0C:42:aa:bb:cc@wlan1 established connection on 5320, SSID xx
18:07:40 wireless,info 00:0C:42:aa:bb:cc@wlan1: lost connection, got deauth: 4-way handshake timeout (15)
18:07:45 wireless,info 00:0C:42:aa:bb:cc@wlan1 established connection on 5320, SSID xx

Ok, signal maybe is not so good, but this problem happens also with Nanostation, which take minutes to reconnect, also after a power cycle.

lehonk · December 29, 2008, 2:15pm

Well, at least i have a direction to work in now. My next step would have been to change NICs, but I’ll trust in your experience.

kbyrd · April 3, 2009, 7:05pm

i got around this problem in a very complicated way, the problem appeared to be that the wds-slaves would try to connect to ap with default security profile but the ap side of the wds-slave would use the profile1 of the security profile.

there are 4 wds-slaves using profile1 and 1 ap bridge

when ap bridge is set to profile1 i get the key exchange timeout, so what i did was have the 4 wds-slaves set to profile1 with the wpa2 turned on and the ap bridge one set to default on security profiles and all 4 connect fine and pass traffic and you have to use the passkey to connect to the wds-slaves but the ap is set to wide open.

so now 4 work fine but main is not secure, so i did access-list rules to only allow the repeaters to connect to wlan1 interface and hid ssid on the ap-bridge and on the repeaters i put a connect-list to make the repeaters connect to the wlan1 with the mac address and another rule to not connect to anything else, then on the ap-bridge i created a virtual ap with the same ssid as wlan1 and set that security profile to profile1 and all is good.

now passkey works on all ap’s

if you can filter through all my ramblings it may make sense but its running with wds-slaves and wpa2 and basicly the main ap is set to default and the repeaters have a security profile. So it looks like the client side of wds-slave uses default and the ap side uses whatever you set in the wireless settings. it did work at first just comes and goes like its a bug that randomly uses the default or just doesnt use encryption.
ill do some test where instead of adding profile1 ill just edit default and see if it works.

cdiggity · April 6, 2009, 6:54am

I have never been able to get WDS aka ap-bridge mode and WPA (psk) to work on routeros 3.x. Windows can connect fine but mikrotik to mikrotik ap-bridge WPA-PSK can not, nor have I ever heard of anyone having it working. I think it is safe to say it’s broken! Feel free to prove me wrong.

This page: http://wiki.mikrotik.com/wiki/Mesh_wds shows a config for WPA-EAP which does seem to work for ap-bridge mode (after very brief testing) but windows clients complain they can’t find a certificate.

I wouldn’t call this thread dead, it is just a long standing defect in routeros. Lots of people seem to have this problem and the only answer to have windows clients and mikrotik WDS from the same SSID is to use WEP, which is only marginally better than no security at all.

uldis · April 6, 2009, 8:37am

WDS and WPA is working between two mikrotik routers.
First make sure that you have specified the correct security profile in the connect-list if you are using it.
Second, we recommend to use wds-mode=dynamic-mesh or static-mesh as it has better link establishemnt for WDS and with that WAP will work better. Note that those new WDS modes are not compatible with the old ones.

cdiggity · April 7, 2009, 4:37am

I am not using the connect list. I have the MAC addresses specified with wds mode static.

wds-mode=dynamic-mesh and static-mesh don’t appear in the manual nor can anyone find out anything them.

WDS using ap-bridge and wds-mode=static with WPA-psk does not work on mikrotik routeros. It is broken until someone can prove otherwise by providing a working example.

iddqd · June 18, 2009, 7:03pm

GREAT!! It work!
I suffered with this problem 3 days. Simply fine that has found a way out!
Here sample config I used:

#main AP
/interface wireless add name=mesh_static mac-address=00:0C:42:QQ:XA:ZZ ssid=mesh_static master-interface=wlan1
security-profile=secure hide-ssid=yes wds-mode=static-mesh wds-default-bridge=bridge1 disabled=no;
/interface wireless wds add name=map1 master-interface=mesh_static wds-address=0:0C:42:QQ:XB:ZZ disabled=no ;
/interface wireless wds add name=map2 master-interface=mesh_static wds-address=0:0C:42:QQ:XC:ZZ disabled=no ;
/interface wireless wds add name= map3 master-interface=mesh_static wds-address=0:0C:42:QQ:XD:ZZ disabled=no ;

#map1
/interface wireless add name=mesh_static mac-address=0:0C:42:QQ:XB:ZZ ssid=mesh_static master-interface=wlan1
security-profile=secure hide-ssid=yes wds-mode=static-mesh wds-default-bridge=bridge1 disabled=no;
/interface wireless wds add name=main_ap master-interface=mesh_static wds-address=0:0C:42:QQ:XA:ZZ disabled=no ;

#map2
/interface wireless add name=mesh_static mac-address=0:0C:42:QQ:XC:ZZ ssid=mesh_static master-interface=wlan1
security-profile=secure hide-ssid=yes wds-mode=static-mesh wds-default-bridge=bridge1 disabled=no;
/interface wireless wds add name=main_ap master-interface=mesh_static wds-address=0:0C:42:QQ:XA:ZZ disabled=no ;

#map3
/interface wireless add name=mesh_static mac-address=0:0C:42:QQ:XD:ZZ ssid=mesh_static master-interface=wlan1
security-profile=secure hide-ssid=yes wds-mode=static-mesh wds-default-bridge=bridge1 disabled=no;
/interface wireless wds add name=main_ap master-interface=mesh_static wds-address=0:0C:42:QQ:XA:ZZ disabled=no ;

cdiggity · August 21, 2009, 10:59pm

The solution to this problem was to use the SAME SSID on all the APs.

For the static/dynamic-mesh modes the same SSID must be used as noted in the wiki they don’t support “WDS IGNORE SSID”.

I have also found that static/dynamic WDS modes won’t work with WPA unless the same SSID is used, regardless of the “WDS IGNORE SSID” checkbox.

cdiggity · January 22, 2010, 12:13am

I’ve found that using dynamic-mesh for WDS with WPA encryption does ‘work’, but isn’t useable: the links frequently reset with messages like “no beacons received” or “class 2 frame received (6)” even when there are no clients around to connect to the APs.

I’ve Changed some radios from AP-bridge to station-wds and the links do not reset for months. Of course now clients can’t connect to those radios.

while it is possible to do WDS with WPA in theory, in practice it doesn’t work well enough.

Thought I’d better post what I have discovered to save someone else 1.5 years of frustration.

pastranini · July 1, 2010, 8:11pm

HI i have the same problem.

If the link has not security the link works great.

Im using wpa2 and the link is good for 1 or 2 hours, but inmeadeatly falls down.

I use wep, wpa, and suddenly the log shows the message unicast key exchange timeout.

I am thinking to change the cards, I dont not how solve this problem.

Advicess ¡¡¡¡¡

thejinx · May 7, 2011, 11:37am

exact the same problem and no solution

enk · May 8, 2011, 8:23am

Sometimes “unicast key exchange timeout” happens when time is not synchronized between APs. Use NTP for this purpose.

thejinx · May 11, 2011, 11:34am

i try it and no way to get a better link

bridge --------- station perfect link, no AP
ap-bridge ------ station-wds work with encryption, need AP functions, 2-3 reconnects per week

ap-bridge ------ ap-bridge work with no encryption
ap-bridge ------ slave-wds failed to select channel, no link
ap-bridge ------ ap-bridge (WPA or WPA2) unicast key exchange timeout

singal at -70
CCQ 98-100%
it is definitly a ROS problem

is it not possible to get a working WDS with ap-bridge (WPA PSK) mode ?

kalamees · August 22, 2011, 9:14am

Same problem here. My only solution was to use mac autentification since our organisation is small but it is not working now. How to fix this???

uldis · August 23, 2011, 9:31am

what problem exactly you have? What is your setup?

kalamees · August 30, 2011, 8:11am

Some clients are able to connect but most of them can only connect through mac registration tables. We had couple of new computers coming and but now they cant connect even through registration table authentication. It says “unicast key exchange timeout” on router and invalid password on client. They are using intel 3945 wireless cards with tkip ciphers.

Any help would be greatly appreciated.

Posted my configuration here

0  R name="wlan1" mtu=1500 mac-address=00:0C:42:18:95:A7 arp=enabled 
      interface-type=Atheros AR5413 mode=ap-bridge ssid="EYL-2.4G" 
      frequency=2412 band=2.4ghz-b/g scan-list=default antenna-mode=ant-a 
      wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no 
      default-authentication=yes default-forwarding=yes 
      default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no 
      security-profile=wpa compression=no

0 name="default" mode=none authentication-types="" unicast-ciphers="" 
   group-ciphers="" wpa-pre-shared-key="" wpa2-pre-shared-key="" 
   supplicant-identity="EYL-VS-01" eap-methods=passthrough 
   tls-mode=no-certificates tls-certificate=none static-algo-0=none 
   static-key-0="" static-algo-1=none static-key-1="" static-algo-2=none 
   static-key-2="" static-algo-3=none static-key-3="" 
   static-transmit-key=key-0 static-sta-private-algo=none 
   static-sta-private-key="" radius-mac-authentication=no 
   radius-mac-accounting=no radius-eap-accounting=no interim-update=0s 
   radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username 
   radius-mac-caching=disabled group-key-update=5m 
   management-protection=disabled management-protection-key="" 

 1 name="wpa" mode=dynamic-keys authentication-types=wpa-psk,wpa2-psk 
   unicast-ciphers=tkip group-ciphers=tkip wpa-pre-shared-key="*******" 
   wpa2-pre-shared-key="********" supplicant-identity="EYL-VS-01" 
   tls-mode=no-certificates tls-certificate=none static-algo-0=none 
   static-key-0="" static-algo-1=none static-key-1="" static-algo-2=none 
   static-key-2="" static-algo-3=none static-key-3="" 
   static-transmit-key=key-0 static-sta-private-algo=none 
   static-sta-private-key="" radius-mac-authentication=no 
   radius-mac-accounting=no radius-eap-accounting=no interim-update=0s 
   radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username 
   radius-mac-caching=disabled group-key-update=5m 
   management-protection=disabled management-protection-key=""