Issue with FT

Hello,

I’ve been running the latest beta version 7.14 beta8 for nearly a week, and it looks like it is working mostly fine. Roaming is working fine for all my devices, except one where I see several messages like this one:

 wifi5_5 assocation rejected, invalid FT IEs

This is when the wireless debug topic is activated; otherwise I just see the "good" SA query timeout.

My wifi network is composed of 3 ax2, 1 ax lite and 1 cap-acxl; this happens only when this device tries to roam.

So I have 3 questions:

  • What does it mean (I did a Google search and found some sources speaking about FT)?
  • Is there something to try to avoid this kind of error?
  • Should I open a support ticket?

Thank you for your help.

I added connect-priority 0/1 to get rid of the SA Query timeout. Did you set it?
This setting can be found in /interface/wifi/security/

If only one device is not working I would look for the error on the client device - not the access point - in the first place.

So it looks like the FT Information Elements (IEs) provided by the client to the AP are invalid. No further information on what’s wrong.

I assume your capsman config is correct (security configuration, etc.).

Maybe hand over a supout.rif to Mikrotik support, give detailed info on your failing device (device model, operating system and version) and maybe they can assist you in troubleshooting. Or it is really a bug they can fix.

@erlinden, I already applied this a while ago (but thank you for answering).
@infabo, I managed to go a bit further, as I found that disabling wpa3-psk (leaving just wpa2-psk) seems to improve the situation.

@mikrotik could you tell me/us what FT IEs are? For knowledge only :wink:

@all thank you for reading.

Found a technical article: https://mrncciew.com/2014/09/06/cwsp-802-11r-ft-association/

@Infabo thank you for the link, really interesting.

So FT IE = Fast BSS Transition Information Element, so it seems this device does not like wpa3 and FT in this case.

@mikrotik is this worth making a support ticket?
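
To make "invalid FT IEs" concrete, here is an added example (not from the thread and not MikroTik's code) that parses the three elements a client sends in an 802.11r reassociation request, the RSNE, the Mobility Domain element and the Fast BSS Transition element, and applies basic structural checks. The thread does not say which check RouterOS failed; the function names, the sample bytes and the mobility domain ID `a1b2` are assumptions made up for the illustration.

```python
import struct

# IEEE 802.11 element IDs and AKM suite types (OUI 00-0F-AC).
EID_RSN, EID_MDE, EID_FTE = 48, 54, 55
AKM = {2: "PSK", 4: "FT-PSK", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
FTE_FIXED = 2 + 16 + 32 + 32  # MIC Control, MIC, ANonce, SNonce; assumes a 16-byte MIC

def split_ies(buf):
    """Split tagged parameters into {element_id: body}, rejecting overruns."""
    ies, i = {}, 0
    while i < len(buf):
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError(f"truncated element at offset {i}")
        ies[buf[i]] = buf[i + 2:i + 2 + buf[i + 1]]
        i += 2 + buf[i + 1]
    return ies

def rsn_akms(rsn):
    """AKM names from an RSNE body (version, group, pairwise list, AKM list)."""
    off = 8 + 4 * struct.unpack_from("<H", rsn, 6)[0]
    count = struct.unpack_from("<H", rsn, off)[0]
    if off + 2 + 4 * count > len(rsn):
        raise ValueError("RSNE AKM list overruns the element")
    return [AKM.get(rsn[p + 3], "other") if rsn[p:p + 3] == b"\x00\x0f\xac"
            else "vendor" for p in range(off + 2, off + 2 + 4 * count, 4)]

def check_ft_reassoc(blob, ap_mdid):
    """Return the structural problems found in a client's FT reassociation IEs."""
    try:
        ies = split_ies(blob)
        akms = rsn_akms(ies[EID_RSN]) if EID_RSN in ies else None
    except (ValueError, struct.error) as exc:
        return [f"malformed: {exc}"]
    problems = [f"missing element {e}" for e in (EID_RSN, EID_MDE, EID_FTE) if e not in ies]
    mde, fte = ies.get(EID_MDE), ies.get(EID_FTE)
    if mde is not None and (len(mde) != 3 or mde[:2] != ap_mdid):
        problems.append("MDE length or mobility domain mismatch")
    if fte is not None and len(fte) < FTE_FIXED:
        problems.append("FTE shorter than its fixed fields")
    if akms is not None and (len(akms) != 1 or not akms[0].startswith("FT-")):
        problems.append(f"RSNE must select one FT AKM, got {akms}")
    return problems

def sample_ies(akm_type, mdid=b"\xa1\xb2", fte_len=FTE_FIXED):
    """Constructed sample (not a capture): RSNE + MDE + FTE for one AKM type."""
    suite = lambda t: b"\x00\x0f\xac" + bytes([t])
    ie = lambda eid, body: bytes([eid, len(body)]) + body
    rsn = b"\x01\x00" + suite(4) + b"\x01\x00" + suite(4) + b"\x01\x00" + suite(akm_type) + b"\xc0\x00"
    return ie(EID_RSN, rsn) + ie(EID_MDE, mdid + b"\x01") + ie(EID_FTE, bytes(fte_len))
```

To use it on a real roam, pass the tagged parameters of the reassociation request (the bytes after the fixed fields) from a packet capture, together with the mobility domain ID the APs advertise.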

Check testing release tree:
https://mikrotik.com/download/changelogs
What’s new in 7.17beta5 (2024-Nov-13 12:51):
*) wifi - improved FT roaming with WPA3 for some Apple devices;

Try this firmware.

@denissMT thank you, I will do it tonight and report the results.

@denissMT, indeed it seems to work better. I don’t see these errors anymore.

Sadly I found another “issue” since I activated wpa3 again: the wifi calling feature seems to flap.

I mean by this, “Carrier wifi-calling” disappears for some minutes and then appears again. Of course I did a “forgot network” and restarted the phone, nothing helped.

Tested on 3 different iPhones (11/12/13) all running iOS 18.1 and 2 different carriers.

The only thing solving this issue is to remove wpa3-psk and leave only wpa2-psk. Any ideas?

Best regards,

Can you share your current wifi settings?

/interface wifi export

Remove serial and any other private info and post between code tags by using the </> button.

@erlinden, here it is:

# 2024-11-18 18:11:46 by RouterOS 7.17beta5



/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0 disable-pmkid=\
    yes disabled=no ft=yes ft-over-ds=yes name=redacted_net wps=disable
add authentication-types=wpa-psk,wpa2-psk connect-priority=0 disable-pmkid=\
    yes disabled=no name=redacted_iot wps=disable
/interface wifi configuration
add country=France disabled=no dtim-period=3 mode=ap name=redacted.net \
    security=redacted_net security.connect-priority=0/1 ssid=redacted.net
add disabled=no dtim-period=3 mode=ap name=redacted_iot security=redacted_iot \
    security.connect-priority=0/1 ssid=redacted_iot
/interface wifi
add channel.frequency=2462 .width=20mhz configuration=redacted.net \
    configuration.mode=ap disabled=no name=Cap-GarageExt radio-mac=\
    18:FD:
add configuration=redacted_iot disabled=no mac-address=1A:FD: \
    master-interface=Cap-GarageExt name=Cap-GarageExt2
add channel.frequency=5580 configuration=redacted.net configuration.mode=ap \
    .tx-power=19 disabled=no mtu=1500 name=Cap-GarageExt5 radio-mac=\
    18:FD:
add channel.frequency=2462 .width=20mhz configuration=redacted.net \
    configuration.mode=ap disabled=no name=Hap-Bureau radio-mac=\
    48:A9:
add configuration=redacted_iot disabled=no mac-address=4A:A9: \
    master-interface=Hap-Bureau name=Hap-Bureau2
add channel.frequency=5260 configuration=redacted.net configuration.mode=ap \
    .tx-power=13 disabled=no mtu=1500 name=Hap-Bureau5 radio-mac=\
    48:A9: security.connect-priority=0
add channel.frequency=2412 .width=20mhz configuration=redacted.net \
    configuration.mode=ap disabled=no name=Hap-BureauChou radio-mac=\
    48:A9:
add configuration=redacted_iot disabled=no mac-address=4A:A9: \
    master-interface=Hap-BureauChou name=Hap-BureauChou2
add channel.frequency=5500 configuration=redacted.net configuration.mode=ap \
    .tx-power=18 disabled=no name=Hap-BureauChou5 radio-mac=48:A9:
add channel.frequency=2412 .width=20mhz configuration=redacted.net \
    configuration.mode=ap disabled=no name=Hap-Garage radio-mac=\
    48:A9:
add configuration=redacted_iot disabled=no mac-address=4A:A9: \
    master-interface=Hap-Garage name=Hap-Garage2
add channel.frequency=2437 .width=20mhz configuration=redacted.net \
    configuration.mode=ap disabled=no name=Hap-Salon radio-mac=\
    48:A9:
add configuration=redacted_iot disabled=no mac-address=4A:A9: \
    master-interface=Hap-Salon name=Hap-Salon2
add channel.frequency=5180 configuration=redacted.net configuration.mode=ap \
    disabled=no name=Hap-Salon5 radio-mac=48:A9:
/interface wifi capsman
set enabled=yes interfaces=vlan1 package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifi provisioning
add action=create-enabled comment=Hap-Garage disabled=no \
    master-configuration=redacted.net name-format=Hap-Garage radio-mac=\
    48:A9: slave-configurations=redacted_iot supported-bands=2ghz-n
add action=create-enabled comment="Hap-Bureau 2.4Ghz" disabled=no \
    master-configuration=redacted.net name-format=Hap-Bureau radio-mac=\
    48:A9: slave-configurations=redacted_iot supported-bands=2ghz-n
add action=create-enabled comment="Hap-Bureau-Chou 5Ghz" disabled=no \
    master-configuration=redacted.net name-format=Hap-BureauChou5 radio-mac=\
    48:A9: supported-bands=5ghz-ax
add action=create-enabled comment="Hap-Bureau-CHou 2.4Ghz" disabled=no \
    master-configuration=redacted.net name-format=Hap-BureauChou radio-mac=\
    48:A9: slave-configurations=redacted_iot supported-bands=2ghz-n
add action=create-enabled comment=Hap-Bureau disabled=no \
    master-configuration=redacted.net name-format=Hap-Bureau5 radio-mac=\
    48:A9: supported-bands=5ghz-ax
add action=create-enabled comment=Garage-ext disabled=no \
    master-configuration=redacted.net name-format=Cap-GarageExt radio-mac=\
    18:FD: slave-configurations=redacted_iot supported-bands=2ghz-n
add action=create-enabled comment="Garage_ext 5ghz" disabled=no \
    master-configuration=redacted.net name-format=Cap-GarageExt5 radio-mac=\
    18:FD: supported-bands=5ghz-ac
add action=create-enabled comment=Hap-Salon disabled=no master-configuration=\
    redacted.net name-format=Hap-Salon radio-mac=48:A9: \
    slave-configurations=redacted_iot supported-bands=2ghz-n
add action=create-enabled comment="Hap-Salon 5 Ghz" disabled=no \
    master-configuration=redacted.net name-format=Hap-Salon5 radio-mac=\
    48:A9: supported-bands=5ghz-ax

On my cAP ax network, roaming used to work perfectly for me on 7.13.x, then I upgraded to 7.16 and it became very flaky. I eventually noticed the new FT Preserve VLAN ID setting and enabled it, which fixed the roaming issues until I upgraded to 7.17beta5 and they came back.

My issue is that the client device will work perfectly on the AP it initially connects to, but when it roams to another AP, traffic stops. I assume this is related to the new AP not tagging the frames from the wireless interface with the correct VLAN ID, but I have not yet had the time to run packet captures.

https://help.mikrotik.com/docs/spaces/ROS/pages/224559120/WiFi#WiFi-SecurityProperties

FT Preserve VLAN ID
yes (default) - when a client connects to this AP via 802.11r fast BSS transition, it retains the VLAN ID, which it was assigned during initial authentication

It should already be active by default, no need to activate it… the problem is probably something else.

Changing this definitely fixed it on 7.16. I’ll log a support ticket with supouts and packet captures.