SA Query Timeout (another topic)

Josephny · Thu Aug 24, 2023 12:46 pm

Upgrade to 7.12beta1 on hAPax3 and getting repeated "SA Query Timeout" disconnects.

Tried disabling steering, but it didn't help.

Here's the wireless sections of an export.

Thank you.

/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    disabled .width=20/40/80mhz configuration.country="United States" .mode=\
    ap .ssid=76-5ghz disabled=no security.authentication-types=\
    wpa2-psk,wpa3-psk steering.rrm=no .wnm=no
set [ find default-name=wifi2 ] channel.band=2ghz-g .skip-dfs-channels=\
    disabled .width=20mhz configuration.country="United States" .mode=ap \
    .ssid=76-2ghz disabled=no security.authentication-types=wpa2-psk \
    steering.rrm=no .wnm=no

/interface wifiwave2
add configuration.country="United States" .mode=ap .ssid=2point4 disabled=no \
    mac-address=1A:FD:74:FE:87:EA master-interface=wifi2 name=2point4 \
    security.authentication-types=wpa2-psk steering.rrm=no .wnm=no
add configuration.country="United States" .mode=ap .ssid=Guest disabled=no \
    mac-address=1A:FD:74:FE:87:E8 master-interface=wifi1 name=Guest-wifi1 \
    security.authentication-types=wpa2-psk,wpa3-psk steering.rrm=no .wnm=no
add configuration.country="United States" .mode=ap .ssid=Guest disabled=no \
    mac-address=1A:FD:74:FE:87:E9 master-interface=wifi2 name=Guest-wifi2 \
    security.authentication-types=wpa2-psk steering.rrm=no .wnm=no

/interface wifiwave2 security
add authentication-types=wpa2-psk disabled=no name=common-auth wps=disable

İmposss · Thu Aug 24, 2023 2:43 pm

same problem. i am waiting for solution

gigabyte091 · Thu Aug 24, 2023 2:44 pm

Is there any reason why for 2.4 GHz wireless you use only g standard and not ax ? How frequent are SA Query Timeouts ? Can you copy paste log here ?

İmposss · Thu Aug 24, 2023 3:24 pm

This happens in clients roaming between two 5ghz APs. Unable to connect to network without disconnecting and reconnecting. During this break, the message "disconnected, SA Query timeout, signal strength -54" appears. Roaming is not working.

My config:viewtopic.php?t=198641#p1019404

Josephny · Thu Aug 24, 2023 3:32 pm

I use 802.11g because I have IoT devices (Sonoff, Shelly) that are finicky and this provides the greatest reliability. I very well could be wrong, but they are working, and I don't feel like opening yet another technology war front, so I'll stay with G until I am extra bored.

Interesting analysis that the SA Query Timeouts happen when roaming between two 5ghz APs. That is definetly not what's happening for me because there is only one 5ghz AP in the area.

Could it be that it happens when a client's device changes between 5ghz and 2ghz (same SSID, same physical AP)?

gigabyte091 · Thu Aug 24, 2023 4:32 pm

Did you try to disable WPA3 ? That was problem in earlier versions of ROS.

İmposss · Thu Aug 24, 2023 5:34 pm

Did you try to disable WPA3 ? That was problem in earlier versions of ROS.

i tried, problem is not solved

Josephny · Thu Aug 24, 2023 6:22 pm

Did you try to disable WPA3 ? That was problem in earlier versions of ROS.

I just tried it also and the SA Query Timeout message still occurs.

Urd · Thu Aug 24, 2023 6:59 pm

I Could it be that it happens when a client's device changes between 5ghz and 2ghz (same SSID, same physical AP)?

As far as I can see your SSIDs are different for 2.4 and 5 GHz.
I'm in a same boat as you. 2 WLans (2.4 and 5 GHz, different SSIDs), 2 clients on 5 GHz, 2 on 2.4. One of clients on 2.4 disconnects continuously through ~10 minutes with "SA Query timeout". Before ax3 there was hAP ac (RB962UiGS-5HacT2HnT) on last LTS ROS 6.48.6 with zero issues. Tried everything, dug through all of the related topics in this forum with no success. Won't even bother to fill support ticket, there is no point to count on company, unable to release LTS version of one of their major products for more than 20 months (v.7.1 is released on 2021-Dec-01). It's just that this device (hAP ax3) will be the last one I buy where Mikrotik and WiFi co-exist.

martinii · Mon Aug 28, 2023 6:48 pm

I also tried disable steering but no luck... Well I feel it doesn't matter what I do - it always doesn't work... On hAP ac lite no problems, on ax2 it still doesn't work...

Mon Aug 28, 2023 7:31 pm

I also tried disable steering but no luck... Well I feel it doesn't matter what I do - it always doesn't work... On hAP ac lite no problems, on ax2 it still doesn't work...

No need to double post...

gigabyte091 · Tue Aug 29, 2023 6:34 am

I tried on my ax2 and I can't reproduce the error... One more advice, this is what helped me when I had problems with older versions of ROS, try to put only WPA3.

I created SSID that had only WPA3 enabled and I didn't had any problems then. Problem was only when WPA2/3 was used.

Josephny · Tue Aug 29, 2023 11:20 am

I'm leaning more and more towards these problems ("SA Query Timeout" and "4-way handshake timeout" and "Group Key exchange timeout" and "Unicast key exchange timeout" and "Sending station leaving") being more of a signal strength and signal reliability issue on the client device side.

Yesterday my Shelly Uni and Sonoff THR10 and THR316 worked great.

Last evening around 22:40 (10:40pm), with zero changes to the MT config, I started getting the timeout messages.

The only thing that changed (except the weather, which remained clear (no precipitation) but got chilly) is that these devices are powered by solar (panels; controller/charger; batteries) and the voltage dropped to 11.9v.

Screenshot 2023-08-29 041441.jpg

Josephny · Tue Aug 29, 2023 5:11 pm

The plot thickens:

After some number of failed attempts at staying connected, or at connecting, or some amount of time below 12 volts, the Shelly Uni resets to factory default settings.

This of course requires physically going to the Uni's location to configure the wifi settings again and stops the Uni from any further connection wifi attempts.

Urd · Tue Oct 10, 2023 1:04 pm

I had some spare time to 'dig' here more deeply. It's obvious that the problem is related to some issue with Management Frame Protection (802.11w). As it mentioned at WifiWave2 wiki current management frame protection implementation is incompatible with the one implemented in the standard wireless package (whatever this means). Since we don't have a way to tune SA Querry Timeout and Comeback Timer (as it's done in some Cisco devices) - I disabled it. Yes, I'm aware this is a security flaw. I haven't had a single SA Query Timeout since disabling it, so... bad approach, but still solves a worse problem.

gigabyte091 · Tue Oct 10, 2023 4:00 pm

Well if it works for you, and you are aware of security risk then why not turn it off, I mean in home application it's better that way... Less dropouts and unhappy family members

Josephny · Tue Oct 10, 2023 7:18 pm

That's great troubleshooting.

Could you explain in detail how to disable it?

Thanks!

gigabyte091 · Tue Oct 10, 2023 8:00 pm

You can find it under interface security settings. Go to Winbox - > Wireless -> WiFi Wave2, security tab and select profile you created for your network, There you can find this:

Mgmt_protection.jpg

Neolo · Sat Mar 02, 2024 2:13 am

You can find it under interface security settings. Go to Winbox - > Wireless -> WiFi Wave2, security tab and select profile you created for your network, There you can find this:

Mgmt_protection.jpg

Disabled state is not allowed when WPA3 is enabled, even if WPA2 is enabled alongside too. Not solving a problem. Persists in 7.14.

Urd · Tue Mar 12, 2024 3:26 pm

With WPA3, Protected Management Frames should be required or allowed, so you can either use WPA2 with PMF disabled, or use WPA3, which requires the use of PMF. As I mentioned in my previous post, this is a security risk, but the decision to take it or not is a personal one. If you insist on using WPA3, you have to put up with possible 'SA Query Timeout' disconnects. I got the impression that the problem occurs on older devices (802.11 b/g/n) where WPA3 (it should work with 802.11 ax devices, but it isn't a must for older ones) is not suitable at all (certainly that was my case), so disabling PMF, when WPA2 is used for authentication was a non-proper, but still working approach.

SA Query Timeout (another topic)

SA Query Timeout (another topic)

Re: SA Query Timeout (another topic)

Re: SA Query Timeout (another topic)

Re: SA Query Timeout (another topic)

Re: SA Query Timeout (another topic)

Re: SA Query Timeout (another topic)

Re: SA Query Timeout (another topic)

Re: SA Query Timeout (another topic)

Re: SA Query Timeout (another topic)

Re: SA Query Timeout (another topic)

Re: SA Query Timeout (another topic)

Re: SA Query Timeout (another topic)

Re: SA Query Timeout (another topic)

Re: SA Query Timeout (another topic)

Re: SA Query Timeout (another topic)

Re: SA Query Timeout (another topic)

Re: SA Query Timeout (another topic)

Re: SA Query Timeout (another topic)

Re: SA Query Timeout (another topic)

Re: SA Query Timeout (another topic)

Who is online