CRS326 with RouterOS 7: ~5s SSH Delay Before Authentication – Anyone Seen This?

Hi everyone,

I’m seeing a consistent issue on my MikroTik CRS326 running RouterOS 7:

• SSH connections always stall for ~5–5.5 seconds right after SSH2_MSG_SERVICE_ACCEPT, before any username/password prompt.

• Warmup connections, repeated attempts, or different SSH clients make no difference.

• Persistent SSH connections (like ControlMaster or autossh) work instantly after the first connection.

• I have two other MikroTik devices (RB4011 and RB960) on the same network. SSH to these works instantly, every time.

• Winbox works instantly on all three devices, including the CRS326.

• Ping and other protocols show normal network latency, so it’s not a general network issue.

• I tried upgrading to the latest beta since it says it has ssh improvements, but no dice.

• Resource usage is very low

I’ve confirmed that the 5s delay happens exactly between service accept and authentication using ssh -vvv.

I’ve searched online but haven’t found any official MikroTik ticket or forum thread describing this exact symptom.

Any insights, experiences, or references to official docs or tickets would be much appreciated!

[vic@CRS326-Switch] > /system resource print
                   uptime: 6m52s              
                  version: 7.21beta5 (testing)
               build-time: 2025-10-30 13:16:46
         factory-software: 6.41               
              free-memory: 445.7MiB           
             total-memory: 512.0MiB           
                      cpu: ARM                
                cpu-count: 2                  
            cpu-frequency: 800MHz             
                 cpu-load: 2%                 
           free-hdd-space: 1196.0KiB          
          total-hdd-space: 16.0MiB            
  write-sect-since-reboot: 50                 
         write-sect-total: 16935              
        architecture-name: arm                
               board-name: CRS326-24G-2S+     
                 platform: MikroTik           
[vic@CRS326-Switch] > /system routerboard print
       routerboard: yes           
             model: CRS326-24G-2S+
     serial-number: 94560A7DCD59  
     firmware-type: dx3230L       
  factory-firmware: 6.42.11       
  current-firmware: 7.21beta5     
  upgrade-firmware: 7.21beta5     
[vic@CRS326-Switch] > /ip ssh print
                           ciphers: auto         
                forwarding-enabled: no           
           password-authentication: yes-if-no-key
  publickey-authentication-options: none         
                     strong-crypto: no           
                     host-key-size: 2048         
                     host-key-type: rsa          
[vic@CRS326-Switch] > /tool profile duration=10
Columns: NAME, USAGE
NAME             USAGE
networking       0.2% 
management       0.5% 
console          0%   
bridging         0%   
kernel           1.2% 
prestera_dx_mac  0%   
led              0.5% 
total            2.4% 

As for the “its always DNS” axiom, I tried with my local DNS (pihole/unbound) and with cloudflare DNS. Same result.

I also tried setting a static entry for my machine in the switch dns and it didnt help

[vic@CRS326-Switch] > /ip dns static print 
Columns: NAME, TYPE, ADDRESS, TTL
# NAME                  TYPE  ADDRESS     TTL
0 mac-mini-workstation  A     10.0.10.41  1d

haven't tried this beta yet,
but if I remember correctly, they intentionally added a delay somewhere in the changelog to avoid brute-force attacks?

The device was at 7.19 when I first started troubleshooting, upgraded to 7.20 and this beta to see if it helps.

I just tested some RB952s and they also dont have the issue, seems to be something with the CRS.

Only troubleshooting step I have left is to nuke it and rebuild to see if that fixes it, but trying to see if someone else has the issue before I do that.

re-generate your ssh host-keys

Tried that before, just tried again and still no luck