Please give me a hint to pinpoint problem

Using this mode:


Mikrotik2.9.39 -AP bridge, 2.4GHz, WPA2 security profile, group cipher aes ccm, unicast cipher aes ccm, PSK.
Runs on RB532, AP card atheros CM10


Clients: ovislink 5460, Straightcore WRT-311, WRT-312, 7 different units at time.(different firmwares, locations....)

Everytime when clients are about to make PSK change they got dissasociated and then reassociated, causing traffic drop out for a while.
No matter if keychange inteval is 1 min or 60 min which is obviously maximum.
No matter what version RouterOS drives AP,no matter what key lenght used...)

I'm able to reproduce the same syptoms on my "desk laboratory" with RB112 and any client immediately

What I've tryied till now:
different AP HW, different RouterOS versions, different clients

for example keychange interval is set for 2 minute here
>debug log

00:19:08 wireless,debug wlan1: 00:12:0E:34:33:BA attempts to connect
00:19:08 wireless,debug wlan1: 00:12:0E:34:33:BA in local ACL, accept
00:19:08 wireless,info 00:12:0E:34:33:BA@wlan1: connected
00:21:08 wireless,info 00:12:0E:34:33:BA@wlan1: disconnected, decided to
deauth: group key handshake timeout (16)
00:21:08 wireless,debug wlan1: 00:12:0E:34:33:BA attempts to connect
00:21:08 wireless,debug wlan1: 00:12:0E:34:33:BA in local ACL, accept
00:21:08 wireless,info 00:12:0E:34:33:BA@wlan1: connected
00:23:08 wireless,info 00:12:0E:34:33:BA@wlan1: disconnected, decided to
deauth: group key handshake timeout (16)
00:23:09 wireless,debug wlan1: 00:12:0E:34:33:BA attempts to connect
00:23:09 wireless,debug wlan1: 00:12:0E:34:33:BA in local ACL, accept
00:23:09 wireless,info 00:12:0E:34:33:BA@wlan1: connected
00:25:08 wireless,info 00:12:0E:34:33:BA@wlan1: disconnected, decided to
deauth: group key handshake timeout (16)
00:25:09 wireless,debug wlan1: 00:12:0E:34:33:BA attempts to connect
00:25:09 wireless,debug wlan1: 00:12:0E:34:33:BA in local ACL, accept
00:25:09 wireless,info 00:12:0E:34:33:BA@wlan1: connected



or is this normal and I have missed something?


thanks for any ideas

BTW I'm using the same WPA2 setting on Routerboard RB112/153/532HW @5GHz band with no problem for months...

Contact support with attached support output file.

Contact support with attached support output file.

More than month gone. Still looking forward for any answer from Mikrotik crew.
Is there something I could have done better to get an answer from support than sent support.rif with comments as I have already done?

Thanks

you should contact Ovislink about this issues, since we haven't heard any other reports from our customers that uses different equiment with such problems.

you should contact Ovislink about this issues, since we haven't heard any other reports from our customers that uses different equiment with such problems.

I have tryied units from 4 different manufacturers with the same result, so I don't expexct problem on this point.

I have consulted this symptom with head of straightcore firmware development which if friend of me for more than 15years, our common conclusion is problematic driver for radio chipsets in the boxes and their behavior (ralink...)and atheros compatibility issue.

To be honest with you, up to today, I havent found a client box with different WPA2 behavior yet. All tested units have the same problem as described above. Almost all units using RTL8181 and clone chipset with completely different firmware.

OK, Let's reformulate question>
DOES ANYBODY USE WPA2 PSK with AES CCM without any trouble on client boxes which arent runing RouterOS???

Please notice client box and if possible its chipset

Thanks for any responses

I had the same problem with Minitar AP based on Realtek 8186 chipset (working as client with Linksys WRT54GS) so it is probably related to the Realtek chipset/driver (I used Edimax firmware).
But I noticed other problem with Mikrotik & SR2@WPA/WPA2 PSK AES and Ralink 2560 based client PCI cards. The throutput was horrible low and unstable, disconnects etc (no problem with Linksys WRT54GS @all). After switching to "no encryption" the problem disappeared. I though that it is Atheros issue but switching the same SR2 card to embedded linux platform with madwifi driver (OpenWRT) and WPA2-AES resulted with great performance (>3MB/s in lab test) with the same Ralink 2560 client cards.
So the problem is the Mikrotik atheros driver compatibility with other chipsets vendors WHEN USING WPA/WPA2 AES

We have the same WPA2 momentary-disassociation problem with Ezy.Net, OSBridge and HighGain Atheros-based clients.

The only ones that DO work properly are MikroTik 112s...

Something is wrong somewhere.

George

in the next release of the RouterOS we will have a fix (workaround) for WPA2 Realtek wireless clients.

Please be more specific infomation about WPA2 slowness on some chipsets.

in the next release of the RouterOS we will have a fix (workaround) for WPA2 Realtek wireless clients.

Please be more specific infomation about WPA2 slowness on some chipsets.

I'm using almost only atheros chipset based card on AP side, surpisingly WPA2 gives us better performance than 104bit WEP throughput (up to 10%). Links are point to point, atheros to atheros, routerOS to routerOS.

routerOS2.9.42 should have fixed that. Unfortunately problem still persist.

I'm seeing the same problem with a Senao client bridge (EOC-3220EXT). Every 5 minutes on the group key update, we get this error: So, something about the way that the group key handshake is done is not right.

I think I can work around this by turning off dynamic keys in the security profile, but then that makes WPA2 roughly equivalent to WEP, does it not?

Our AP is running 2.9.38. Is there a fix for this in later releases?

This seems to have been fixed in a software update somewhere between 2.9.38 and 2.9.45. I updated from 2.9.38 to 2.9.45 this morning, and it's now been a couple of hours without a single de-auth.