All wifi items disconnect

We have a hAP ax3 that has had wifi issues since being installed.

Everything on the wifi drops off, and any user who tries to reconnect is told the password is wrong; the only solution is to reboot the router. Disabling and re-enabling the wifi interfaces doesn’t bring the connections back.

The router has been upgraded to firmware 7.10, which I understand should have sorted this issue for a lot of people, but it’s made no difference at all.

The only thing showing in the logs when I looked was a key handshake timeout on loads of devices. I have set group key update to 1 hour in the interface security settings for both wifi interfaces, as reading through the forums I see this has helped a lot of people, but it has made no difference at all.


The customer is getting quite annoyed, and I don’t blame him to be fair, but has anyone else got any clues? I also include an export of the config, excluding personal stuff.

# model = C53UiG+5HPaxD2HPaxD
# Interface layer: LAN bridge, renamed WAN port, both radios, PPPoE client and
# the WAN/LAN interface lists. admin-mac (bridge) and user (PPPoE) are blank in
# this export, presumably stripped by the poster along with other personal data.
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN1
/interface wifiwave2
# wifi1: 5 GHz AP offering WPA2-PSK and WPA3-PSK, with the group key rotated
# every hour (the workaround described in the post). No passphrase value
# appears in this export.
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration.country="United Kingdom" .mode=\
    ap .ssid=MikroTik-972832 disabled=no security.authentication-types=\
    wpa2-psk,wpa3-psk .group-key-update=1h
# wifi2: 2.4 GHz AP on a separate SSID with a different authentication set
# (wpa-psk,wpa2-psk) from wifi1.
# NOTE(review): wpa-psk is the legacy WPA mode. Unless a client on this SSID
# actually requires it, offering wpa2-psk (and wpa3-psk, as on wifi1) alone is
# the safer set - confirm with the site before changing.
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.country="United Kingdom" .mode=ap \
    .ssid=MikroTik-972833 disabled=no security.authentication-types=\
    wpa-psk,wpa2-psk .group-key-update=1h
# PPPoE session runs over the physical WAN port and installs the default route.
# use-peer-dns=yes means the router takes its upstream resolvers from the ISP.
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-WAN1 name=pppoe-out1 \
    use-peer-dns=yes user=
# Interface lists referenced by neighbor discovery, mac-server and the IPv6
# firewall further down (the IPv4 firewall matches on bridge / all-ppp instead).
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Default IPsec proposal: SHA1 or MD5 for integrity, AES-256/AES-128 CBC or
# 3DES for encryption, 1 h lifetime, PFS off.
# NOTE(review): md5, 3des and pfs-group=none are weak choices. The IPv4 VPN
# accept rules in this export are disabled, so this proposal may be unused; if
# IPsec is ever enabled, narrow it (e.g. sha256 + AES only, and a pfs-group)
# first.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1,md5 enc-algorithms=\
    aes-256-cbc,aes-128-cbc,3des lifetime=1h pfs-group=none
# LAN DHCP: 100 addresses handed out on the bridge with a 3-day lease.
/ip pool
add name=default-dhcp ranges=192.168.1.100-192.168.1.199
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=3d name=defconf
/port
set 0 name=serial0
# Logging action 1 keeps up to 9 rotated files on disk.
# presumably action 1 is the built-in "disk" action - verify on the device.
/system logging action
set 1 disk-file-count=9
# All LAN Ethernet ports and both radios are members of the single bridge, so
# wired and wireless clients share one L2 segment and one firewall identity
# (in-interface=bridge).
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
# Neighbor discovery is limited to the LAN list, so the router does not
# announce itself on the WAN side.
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set tcp-syncookies=yes
/ipv6 settings
set max-neighbor-entries=15360
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN1 list=WAN
# NOTE(review): only ether1-WAN1 is in the WAN list; pppoe-out1, which carries
# the default route, is not a member of either list. The IPv6 filter rules
# match on in-interface-list=!LAN, so they still treat it as non-LAN.
/ip address
add address=192.168.1.254/24 comment=defconf interface=bridge network=\
    192.168.1.0
/ip cloud
set update-time=no
# DHCP client on the physical WAN port, in addition to the PPPoE client that
# runs over the same port.
# NOTE(review): the IPv4 input/forward rules in this export match all-ppp and
# bridge only, so traffic arriving directly on ether1-WAN1 ends at the final
# drop rules. Confirm whether this client is still needed.
/ip dhcp-client
add comment=defconf interface=ether1-WAN1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.254 gateway=\
    192.168.1.254
# The router answers DNS for clients (it is the dns-server handed out by DHCP).
# allow-remote-requests=yes has no interface scope of its own; exposure is
# controlled by the firewall input chains, which in this export accept from the
# bridge and drop unsolicited traffic from elsewhere.
/ip dns
set allow-remote-requests=yes
# NOTE(review): router.lan still points at 192.168.88.1, while the bridge
# address in this export is 192.168.1.254 - looks like a stale defconf entry.
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# IPv4 filter. Rules are evaluated top to bottom per chain.
#
# input (traffic to the router itself):
#   loopback -> ICMP sub-chain -> established/related -> anything from the
#   bridge -> management ports from the remote_access list over PPP ->
#   (disabled VPN accepts) -> drop invalid -> drop the rest.
# NOTE(review): "Access from bridge" accepts every protocol and port from the
# LAN and both SSIDs, so any wifi client can reach the router's management
# services. "Drop invalid" sits after the accepts, so invalid-state packets
# from the bridge are accepted before it is reached.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=jump chain=input comment="Jump to ICMP Chain" jump-target=ICMP \
    protocol=icmp
add action=accept chain=input comment="Accept established, related connections" \
    connection-state=established,related
add action=accept chain=input comment="Access from bridge" in-interface=bridge
# Remote management over the PPPoE link, restricted by source address list.
# The remote_access list has no entries in this export (there is no IPv4
# address-list section); presumably removed as personal data - verify it exists
# and is as narrow as possible.
# NOTE(review): port 80 is allowed here although the www service is disabled
# further down in this export, so that port can be dropped from the rule.
add action=accept chain=input comment="remote access to MT" dst-port=\
    22,80,6009,8291 in-interface=all-ppp protocol=tcp src-address-list=\
    remote_access
add action=accept chain=input comment="VPN - IPSEC ESP" disabled=yes \
    in-interface=all-ppp protocol=ipsec-esp
add action=accept chain=input comment="VPN - L2TP over IPSEC" disabled=yes \
    dst-port=500,1701,4500 in-interface=all-ppp protocol=udp
add action=drop chain=input comment="Drop invalid connections" \
    connection-state=invalid
add action=drop chain=input comment="Drop everything else"
# forward (traffic through the router): established/related, then new
# connections from the bridge out of any PPP interface; everything else that is
# new and not dst-nat'ed is dropped.
add action=accept chain=forward comment=\
    "Accept established, related connections" connection-state=\
    established,related
add action=accept chain=forward comment="Forward bridge" in-interface=bridge \
    out-interface=all-ppp
add action=drop chain=forward comment="Drop invalid connections" \
    connection-state=invalid
add action=drop chain=forward comment="Drop everything else except dst-nat" \
    connection-nat-state=!dstnat connection-state=new
# ICMP sub-chain: a short allow-list of types, each with its own packet-rate
# limit; all other ICMP addressed to the router is dropped.
add action=accept chain=ICMP comment="Allow Echo Reply" icmp-options=0:0 limit=\
    50,5:packet protocol=icmp
add action=accept chain=ICMP comment="Allow Echo Request" icmp-options=8:0 \
    limit=50,5:packet protocol=icmp
add action=accept chain=ICMP comment="Allow Traceroute TTL Exceeded" \
    icmp-options=11:0 limit=50,5:packet protocol=icmp
add action=accept chain=ICMP comment="Allow Traceroute Port Unreachable" \
    icmp-options=3:3 limit=50,5:packet protocol=icmp
add action=accept chain=ICMP comment=\
    "Allow Traceroute PMTUD (Fragmentation Required)" icmp-options=3:4 limit=\
    50,5:packet protocol=icmp
add action=drop chain=ICMP comment="Drop all other types of ICMP"
# Source NAT for everything leaving via the PPPoE session. No dst-nat rules are
# present in this export.
/ip firewall nat
add action=masquerade chain=srcnat comment="Default out" out-interface=\
    pppoe-out1
/ip firewall service-port
set sip disabled=yes
# Management services: telnet, ftp, plain-HTTP WebFig and both API variants are
# off; HTTPS WebFig listens on 6009 with the certificate named SSL.
# ssh and winbox are not listed - presumably still at their defaults, since a
# non-verbose export shows only changed values; verify on the device.
# NOTE(review): no per-service address= restriction appears here, so access
# control rests entirely on the firewall input chain.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=SSL disabled=no port=6009
set api disabled=yes
set api-ssl disabled=yes
# strong-crypto=yes restricts SSH to the stronger algorithm set.
# NOTE(review): forwarding-enabled=both lets any SSH login tunnel connections
# through the router in both directions. Unless that is used deliberately,
# forwarding-enabled=no limits what a compromised SSH account can reach.
/ip ssh
set forwarding-enabled=both strong-crypto=yes
# IPv6 source/destination prefixes that should never appear in forwarded
# traffic; referenced by the two bad_ipv6 drop rules in the forward chain below.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# IPv6 filter, all rules carrying the defconf comment. Unlike the IPv4 rules in
# this export, it has no rule for remote management: whatever is not explicitly
# accepted and does not arrive from the LAN interface list is dropped.
# NOTE(review): IKE, AH and ESP are accepted on input from any interface here,
# while the matching IPv4 VPN rules are disabled. No IPv6 address or DHCPv6
# client is visible in this export, so IPv6 may not be in use at all - confirm,
# and disable these accepts if IPsec is not needed.
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# forward chain: state checks first, then the bad_ipv6 source/destination
# drops, then the protocol accepts, and finally the non-LAN drop.
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# System housekeeping: fixed time zone, identity, logging targets, NTP, and
# which interfaces may use the MAC-layer management tools.
/system clock
set time-zone-autodetect=no time-zone-name=Europe/London
/system identity
set name=Mac-Gateway
# Logging rules 0-3 write to disk rather than memory, so entries survive the
# reboot that the post describes as the only workaround.
# presumably these are the default info/error/warning/critical rules - verify.
/system logging
set 0 action=disk
set 1 action=disk
set 2 action=disk
set 3 action=disk
/system note
set show-at-login=no
# NTP keeps log timestamps usable when correlating the wifi drop-outs.
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.uk.pool.ntp.org
add address=1.uk.pool.ntp.org
/tool bandwidth-server
set enabled=no
# MAC-telnet and MAC-Winbox are limited to the LAN interface list, so they are
# not reachable from the WAN port. The LAN list contains the bridge, which
# includes both wifi interfaces.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Thanks

Try to install 7.11beta4, it should help resolve your problem

7.10.2 stable has the fix as well now


What’s new in 7.10.2 (2023-Jul-12 12:45):

*) wifiwave2 - fixed interface hangs on IPQ6010-based boards (introduced in v7.9);

What’s new in 7.10.1 (2023-Jun-27 12:03):

*) ovpn - fixed OVPN server peer-id negotiation;
*) webfig - use router time zone for date and time;

I didn’t see that 7.10.2 was released… Sorry

I might roll-back to get my wifi stats back!