Winbox (both of them) keep disconnecting on an hAP AX2

dustojnikhummer · January 10, 2025, 5:08pm

Picked up a “new old stock” hAP AX2. Doesn’t seem to be used, but also without any warranty.

My issue is that Winbox won’t stay connected. Either 3.41 or 4_beta16. LOG says user connected/disconnected, Winbox4 will say “Decrypt failed”. Legacy mode in Winbox3 doesn’t help. Sometimes it disconnects immediately, sometimes after clicking around, almost always when typing “print” into Terminal.

Tried to downgrade from 7.16.2 to 7.15.3 (where my other hAP AX2 is, in case it was a 7.16 issue) and nothing.
WebFig works without problems but I just prefer RouterOS.
SSH sometimes disconnects with “message authentication code incorrect”

Right now I’m using at as a WiFi AP only and that is stable, no issues there, it’s just Winbox.

Any ideas?

[tomsikr@KTAP1] /system/routerboard> print
       routerboard: yes
        board-name: hAP ax^2
             model: C52iG-5HaxD2HaxD
     serial-number: HEH0[redacted]
     firmware-type: ipq6000
  factory-firmware: 7.8
  current-firmware: 7.16.2
  upgrade-firmware: 7.15.3

[tomsikr@KTAP1] > export hide-sensitive 
# 2025-01-10 17:20:50 by RouterOS 7.15.3
# software id = MJ5Y-ZF9S
#
# model = C52iG-5HaxD2HaxD
# serial number = HEH0[redacted]
/interface bridge
add name=br0
/interface wifi
# DFS channel availability check (1 min)
set [ find default-name=wifi1 ] configuration.country=Czech .mode=ap .ssid=Tomsik_5G disabled=no security.authentication-types=wpa2-psk
set [ find default-name=wifi2 ] configuration.country=Czech .mode=ap .ssid=Tomsik_2G disabled=no security.authentication-types=wpa2-psk
/interface list
add name=WAN
add name=LAN
/interface bridge port
add bridge=br0 interface=wifi1
add bridge=br0 interface=wifi2
add bridge=br0 disabled=yes interface=ether1
add bridge=br0 interface=ether2
add bridge=br0 interface=ether3
add bridge=br0 interface=ether4
add bridge=br0 interface=ether5
/interface list member
add interface=ether1 list=WAN
add interface=br0 list=LAN
/ip address
add address=10.0.1.2/24 interface=br0 network=10.0.1.0
/ip dhcp-client
add disabled=yes interface=ether1
/ip dns
set servers=10.0.1.1
/ip ipsec profile
set [ find default=yes ] dpd-interval=8s dpd-maximum-failures=4
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.0.1.1 routing-table=main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system identity
set name=KTAP1
/system note
set show-at-login=no

dustojnikhummer · January 24, 2025, 4:46pm

Is there nobody who could help me? I just tried Netboot reinstall of 7.17 and it didn’t change anything.

jaclaz · January 24, 2025, 5:37pm

Winbox BOTH by MAC and IP?

I would try assigning manually a MAC to the bridge, maybe it is unrelated, still it won’t make any harm:
http://forum.mikrotik.com/t/bridge-auto-mac-issue/162131/1

Another thing to try is to put a (dumb) switch between your PC and the AX2, it is one of those mysterious things that sometimes help in connection.

And if you don’t need it, taking a port out of the bridge and reserve it to Winbox management is a common practice, in your simple configuration it is not needed, but if you start fiddling with bridge settings it is easy to get locked out.

dustojnikhummer · January 24, 2025, 5:42pm

Hi, yes, over both. The AX2 is connected through my AC2, for now only acting as an access point.

I do have an update though: I managed to netinstall 7.8 and that seems to be stable. I upgraded to 7.13.5 (just the OS, not the routerboard firmware) and it also seems to be fine. I would like to find out why it happens on 7.15 and higher (what I tested in the past). My other AX2 doesn’t have any issues, currently on 7.16.2.

Let me find my dumb Mercusys switch and I will test that theory.

jaclaz · January 24, 2025, 5:46pm

Maybe going again through the factory version did reset something that was mis-ported during one of the past updates.

dustojnikhummer · January 24, 2025, 6:13pm

Or maybe I have a revision that changed something in the config. I wonder if verbose export would have any differences. I mean, it shouldn’t, right?

dustojnikhummer · January 24, 2025, 6:34pm

Okay, so 7.14.3 is also fine. But 7.15.2 is busted. I went through the verbose export (with every setting on default except IP on eth1 so I can access webfig) and I can see nothing that would cause this. Only minor settings with like SMB, OpenVPN default config and that sort of thing.

Well, for now I will have to stay at 7.14.3. Thanks!

jaclaz · January 24, 2025, 6:51pm

It remains “strange”, even if it happens only on some particular versions the Ax2 is a common device and 7.15.2 is old enough that should have already been some reports.
The good news are that 7.14.3 seems like a very stable version for wi-fi issues.

dustojnikhummer · January 24, 2025, 9:58pm

I have a third AX2 coming in next week. Also used, but under warranty this time. I hope it doesn’t happen on that one. But yeah, at least a stable build works just fine now. I just wonder what the “decryption failed” means in Winbox4. I mean it’s clearly related to the encrypted Winbox traffic, but I have not seen that error code anywhere, no documentation for it etc. Winbox3 just logs out.

dustojnikhummer · May 1, 2025, 8:11pm

So yeah, the third one doesn’t have this issue. I “solved” the issue by keeping it on 7.14.3

dustojnikhummer · September 18, 2025, 8:23pm

In case someone stumbles upon this, I have replaced the affected router, cleared config and upgraded it to 7.19.6 and it seems the issue is now gone!

dustojnikhummer · September 18, 2025, 8:51pm

Another update, unfortunately not. Trying to "export verbose" crashes Winbox and SSH Corrupted MAC on input.
ssh_dispatch_run_fatal: Connection to 172.17.0.2 port 22: message authentication code incorrect

jaclaz · September 19, 2025, 11:02am

Maybe, even if it can be a PITA, you could try netinstall to "nuke" everything and re-install the RouterOS really from scratch.
It has been reported several times that some cruft may remain in storage when doing simple upgrades, confioguration restores, etc., that builds up and can create issues.

dustojnikhummer · September 19, 2025, 7:52pm

I have done complete Netinstall back in January, I doubt it would be any different now. I feel it has to be a hardware defect. Maybe something regarding SSL changed in ROS 7.15 and the CPU has enough damage for it to be crashing on that?

jaclaz · September 19, 2025, 9:12pm

It doesn't sound like a CPU hardware issue, in a CPU the same operation/path/junction/opcode/whatever Is used by many different "high level" OS commands, i.e. your router would crash much more frequently, on many commands.

It seems more similar with what can happen if a page of RAM or a block of storage Is defective.
If It was Ram, It would probably also be more frequent.
But - in theory at least - with wear leveling and self check algorithms in modern chips, it should not happen on storage, unless it is completely worn down.

If It was a different device the attempt to do would be a disk wipe and check, but this Is not possible on Mikrotiks AFAIK (short of desoldering the chip, work on It externallly and then resoldering It).

The storage chip can be replaced, but , since the RouterOs license is tied to its id/serial, you would need a new license, which cost needs to be added to the cost for the chip and the actual repair work, so hardly convenient, particularly as we don't know for sure if the issue Is actually with that.