njl
September 27, 2020, 6:29pm
1
I have been using a hAP ac as an access point for a while and recently picked up a hAP ac lite to extend wireless coverage. I’m using the AC as an ap bridge and the AC lite as a station bridge connecting to it. I’m connecting the two via a 5 GHz link, and the link constantly goes down and comes back up again a few minutes later. Sometimes the link stays up 10 minutes before dropping, other times up to an hour. When this happens, the AC lite (station) logs always show:
48:8F:5A:22:94:B6@wlan2: failed to connect, on 5180/20-Ceee/ac/P(21dBm), authentication timeout
48:8F:5A:22:94:B6@wlan2: lost connection, received deauth: group key handshake timeout (16)
48:8F:5A:22:94:B6@wlan2: failed to connect, on 5180/20-Ceee/ac/P(21dBm), authentication timeout
and the AC (access point) has
48:8F:5A:5A:BE:0C@wlan2: disconnected, group key exchange timeout
so it seems like some kind of auth timeout. I’m using a normal WPA2 PSK profile with basically all of the defaults. The AP has worked well with other (non-MikroTik) clients for a long time.
This only happens with the 5 GHz link, if I use a link between the wlan1’s on 2.4 GHz using the same security profile, it’s stable and the link never drops. Both of these devices are in the same room right now, running 6.46.7, a few meters apart with signal strength around -50 dBm.
I think the problem is entirely in the AC lite because if I use it as a 5 GHz access point it drops clients in a similar way. I actually returned and exchanged the first AC lite I had for another one because I thought I just had a defective unit, but the replacement has the same behavior.
What do I need to do to get a useful 5 GHz link with this thing? I chose it specifically for dual band so as-is it’s not that useful to me.
Could you please share your configuration:
/export hide-sensitive file=whatevernameyoulike
njl
October 1, 2020, 2:49pm
3
Sure,
# oct/01/2020 07:36:29 by RouterOS 6.46.7
# software id = MRST-7UQX
#
# model = RB952Ui-5ac2nD
# serial number = CC3E0C999B37
# NOTE(review): the software id, serial number and interface MAC addresses are
# still present in this export. No pre-shared keys or L2TP/IPsec secrets are
# shown, and connect-to/user are masked with X's. Remove the device identifiers
# by hand before publishing an export.

# Single bridge with a fixed MAC address; its member ports are listed under
# /interface bridge port.
/interface bridge
add admin-mac=48:8F:5A:5A:BE:08 auto-mac=no name=bridge
# L2TP client with IPsec enabled. No password or ipsec-secret appears here.
/interface l2tp-client
add connect-to=XXXXXXX disabled=no keepalive-timeout=disabled max-mru=\
1400 max-mtu=1400 name=l2tp1 use-ipsec=yes user=XXXXX
# Interface lists referenced by the firewall, neighbor discovery and mac-server.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Wireless security profiles. No pre-shared keys appear in this export.
# - default and connect_profile: WPA2-PSK; management-protection is not set here.
# - open: lists no authentication-types, so it is presumably an unencrypted
#   profile (confirm). No interface in this export references it.
# - hotspot and do-not-connect: WPA2-PSK with management-protection=allowed.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=connect_profile \
supplicant-identity=MikroTik
add management-protection=allowed name=open supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=\
dynamic-keys name=hotspot supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=\
dynamic-keys name=do-not-connect supplicant-identity=MikroTik
# Radios. The master interfaces wlan1/wlan2 run in ap-bridge mode with a hidden
# placeholder SSID (do-not-connect) and the do-not-connect profile. The SSIDs
# spud-2 and spud-5 are virtual APs on top of them.
# hide-ssid only suppresses the SSID in beacons; it is not access control.
# NOTE(review): wlan1-ap and wlan2-ap name no security-profile, so they
# presumably use the default profile -- confirm. wps-mode=disabled is set on
# the virtual APs only; the masters do not list wps-mode, so they run at the
# default -- TODO confirm it is off there too.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country="united states3" \
disabled=no distance=indoors frequency=2452 hide-ssid=yes installation=\
indoor mode=ap-bridge security-profile=do-not-connect ssid=do-not-connect \
station-roaming=enabled wireless-protocol=802.11
add disabled=no mac-address=4A:8F:5A:5A:BE:0D master-interface=wlan1 name=\
wlan1-ap ssid=spud-2 station-roaming=enabled wds-default-bridge=bridge \
wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-Ceee country="united states3" disabled=no distance=indoors \
hide-ssid=yes installation=indoor mode=ap-bridge security-profile=\
do-not-connect ssid=do-not-connect station-roaming=enabled \
wireless-protocol=802.11
add disabled=no mac-address=4A:8F:5A:5A:BE:0C master-interface=wlan2 name=\
wlan2-ap ssid=spud-5 station-roaming=enabled wds-default-bridge=bridge \
wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
# Address pools. The DHCP server below hands out pool2; default-dhcp is not
# referenced by any server in this export.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool2 ranges=192.168.189.128/26
/ip dhcp-server
add address-pool=pool2 disabled=no interface=bridge name=defconf
# Policy list for the "full" user group; it includes telnet and ftp.
# NOTE(review): which management services are actually enabled is configured
# under /ip service, which does not appear in this export -- presumably at
# defaults; confirm and disable the ones that are not needed.
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
# Bridge members: ether2-ether5 and both virtual APs. ether1 and the master
# radios are not bridged.
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=wlan1-ap
add bridge=bridge interface=wlan2-ap
# Neighbor discovery is limited to the LAN list.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# Only the bridge is LAN. ether1 and the master radios wlan1/wlan2 are WAN, so
# the "not coming from LAN" and "from WAN" firewall rules below apply to them.
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=wlan1 list=WAN
add interface=wlan2 list=WAN
/ip address
add address=192.168.189.1/24 comment=defconf interface=bridge network=\
192.168.189.0
# DHCP clients on each WAN-list interface.
/ip dhcp-client
add disabled=no interface=ether1
add disabled=no interface=wlan1
add disabled=no interface=wlan2
# The 192.168.88.0/24 network entry matches the unused default-dhcp pool;
# 192.168.189.0/24 matches the bridge address.
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.189.0/24 gateway=192.168.189.1
# The router answers DNS queries from other hosts. The input-chain rule
# "drop all not coming from LAN" is what keeps this resolver from being
# reachable on the WAN interfaces; keep that rule if the filter is edited.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.189.1 comment=defconf name=router.lan
# Input chain: accept established/related/untracked, drop invalid, accept ICMP
# and loopback, then drop everything that does not arrive on a LAN interface.
# Forward chain: accept IPsec in/out policy matches and established traffic,
# drop invalid, and drop new connections from WAN that were not dst-NATed.
# No final drop rule is listed for forward, so traffic not matched above
# (for example new connections from LAN) is accepted.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=\
"fasttrack DISABLED because it impacts VPN throughput" connection-state=\
established,related disabled=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# Marks traffic sourced from 192.168.189.128/26 (the same range as pool2) with
# the routevpn routing mark.
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=routevpn passthrough=\
no src-address=192.168.189.128/26
# Masquerades non-IPsec traffic leaving through WAN-list interfaces.
# NOTE(review): l2tp1 is not a static member of WAN in this export, so this
# rule presumably does not cover traffic leaving through the tunnel -- confirm.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# The only route carrying the routevpn mark is disabled.
# NOTE(review): while it is disabled, marked traffic presumably falls back to
# the main routing table and leaves via WAN instead of l2tp1 -- confirm this is
# intended; no rule in this export blocks that path.
/ip route
add disabled=yes distance=1 gateway=l2tp1 routing-mark=routevpn
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=spud
# Extra logging rule for the wireless topic. prefix=debug only prepends the
# text "debug" to those messages; no action is listed, so presumably the
# default action applies.
/system logging
add prefix=debug topics=wireless
# Firmware updates follow the long-term channel.
/system package update
set channel=long-term
/tool graphing interface
add
/tool graphing resource
add
# MAC-Telnet and MAC-WinBox access are restricted to interfaces in the LAN list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN