please upgrade the RouterOS to v6.14 and try out the wireless-fp package.
Also we would recommend to reset the wireless configuration and reconfigure only the settings you need.

This is crazy. I have upgraded to 6.15 and this bug still exists. I cannot connect with an android device, even when i put the MAC address in the access list.

It just started happening with v 6.13 and now it cannot connect.

Mikrotik, i have followed this thread and it has gone on for about six years. You really need to take this seriously, as it doesnt appear that you have.

I have other wireless issues with Mikrotik and now this!

RESOLVED:

In our case, we were using MAC Address as Username and at the radreply some MAC Addresses were in lowercase, and at radcheck the same MAC Addresses wer in Uppercase.

This difference made Radius not send a complete radius reply message, so MK disconnected and then reject and banned those MAC Addresses.

We've solved this problem after migrating from MySQL to PostgreSQL. Apparently our MySQL was not differentiating lowercase from uppercase.

I hope this may help you.

we are talking of simple AP<-->Client connectivity. its nothing to do with databases etc.

i am now on 6.15 and still the same problem. using AES as security standard.

SXT is the AP and around 20 Windows desktops and laptops. even the ping gives a "Request time out" after every 10 to 15 pings.

ok...now i have tried increasing the Group Key Exchange Timeout to ' 01:00:00 '

don't know how much will this help but atleast it has stopped disconnecting frequently....

.

it is not a bug, this error means that your wireless link is not good quality, and enctypted link could not be established.

Well - Why do you see this about 90% more often With random Devices Connected - and never mikrotik - mikrotik? This is related to encryption in ros - and random Device connecting. Solution - Turn off encryption or change to WEP (at least better) Also old 4.17 have less issues than 5.x and 6.x. Signal might trigger some - But this is also seen in good signal enviroments.

Set Band to B/G only

SOLVED:

The problem just about with NTP.
Make all devices NTP client address same and lean back.

SOLVED:

The problem just about with NTP.
Make all devices NTP client address same and lean back.

how do you do that with Windows clients connecting to RB-SXT

somebody from Mikrotik please address this... as this issue is still existing and causing me loose clients....

lost almost 3 till now... i would appreciate if Mikrotik could give a firm solution at earliest...

all devices running ROS Ver 6.27

I have a RB2011-UiAS-2HnD @ ROS 6.31.
It is 2 wireless interfaces configured: wlan1 (real one) and VirtualAP (for guests), both WPA2-PSK with AES. All things was OK until yesterday, when I've decided to add ACL MAC authentication for the main AP. After that it is became impossible to connect from any guest devices, including those ones who works earlier flawlessly. "...unicast key exchange timeout..." starts to appear in the Log.
I've checked a lots of things, including mentioned earlier in this thread, but without success.
But is seems that I've found workaround (at least for my case)!
Password for the VirtualAP was like "XXXX-XXXX", i.e. contained "-" sign. When I've changed password to just "XXXXXXXX" bug mysteriously disappeared. I've checked several times switching keys back and forth between "XXXX-XXXX" and "XXXXXXXX" , and it seems that at least in my case "-" is the source of the problem.
Interestingly, that the key for the wlan1 (real one) remains with a lots of special symbols (including "-") and works well.

I had 951G-2HnD running on ROS v6.31 when wifi suddenly stopped working on all devices - Android phones + Panasonic TV with following records in log:
I did upgrade to v6.33, stop NPT completely, etc. and nothing helped. Then I just re-typed my pre-shared key and devices were able to authenticate.

It is weird as everything was working fine and then suddenly devices were not able to authenticate. It looked like the key was suddenly lost because I was not able to show it when I unchecked "Hide Passwords" check box in winbox. Once I re-typed the key and devices were able to connect I was also able to see the key with unchecked "Hide Passwords" option.

i am harassed by that problem everyday and no help from Mikrotik till date...

Is there any solution for this ???

Try to disable management protection if enabled and set group key update interval to 1hour. Use wpa2 psk aes only. Then check if it is better. If not check the link quality with problematic client.

workaround- just go to DHCP settings and put a longer lease time (not the default 5 minutes)

workaround- just go to DHCP settings and put a longer lease time (not the default 5 minutes)

this happens without DHCP too.... so there is no actual way out....

I had 951G-2HnD running on ROS v6.31 when wifi suddenly stopped working on all devices - Android phones + Panasonic TV with following records in log:

Code: Select all

Sep/05/2015 14:16:35 wireless,info ...@wlan1: connected
Sep/05/2015 14:16:40 wireless,info ...@wlan1: disconnected, unicast key exchange timeout

I did upgrade to v6.33, stop NPT completely, etc. and nothing helped. Then I just re-typed my pre-shared key and devices were able to authenticate.

It is weird as everything was working fine and then suddenly devices were not able to authenticate. It looked like the key was suddenly lost because I was not able to show it when I unchecked "Hide Passwords" check box in winbox. Once I re-typed the key and devices were able to connect I was also able to see the key with unchecked "Hide Passwords" option.

happened to me six months ago, but not any more im on 6.30.4

Same happening for me with mobile devices connected to RB2011UiAS-2HnD-IN ( ROS v. 6.33rc30 )

Are there any workarounds for this?

workaround- just go to DHCP settings and put a longer lease time (not the default 5 minutes)

this happens without DHCP too.... so there is no actual way out....

Ok it seems latest version brought it back.... i don't know what to do now.

This happened to me today with an antenna running 6.31.

Since 6.31 has the password bug (where it literally changes passwords to asterisks) I had to change my password on the AP to "**********" let the client connect, do the upgrade to 6.33 and only then change the passwords back.

Just in case this happens to someone else...

I want to mention this send death, happens just on iphone (2 iphone 5s with different IOS versions and 1 iphone 4 with lower version of IOS). The thing is that it happens a lot more on the never iphones than on the older.

I have connected other devices with android, ps4 wi-fi laptops, and it doesn't happen.


If someone has another idea what else we can do.

Please help

I'm sorry that i'm spamming, but what should we do ? (everyday i'm looking and its at least 5-6 people that are watching this topic)
Open a ticket to support ?



LE: seems 6.33.1 fixed the issue.

Since 6.33.1 I have lost wpa2 capability. Devices affected are GrooveA 5HPn, SXT G-2HnD and RB2011UiAS-2HnD-IN.
When establishing wpa2 connection, AP log says "unicast keys exchange timeout", then connection drops.
If connection is set unencrypted, everything works ok. I have also tried PTP bridge configuration, but no luck.
I also have tried to downgrade to earlier versions of routeros, but wpa2 still does not work (???).

it is not a bug, this error means that your wireless link is not good quality, and enctypted link could not be established.

Normis, I am using the new mikrotik hAP AC and the same error is happening. Even with clients to five meters from the AP.

i still have not figured out how to solve the problem. i am not able to sell any more AP due to this issue.

can anyone from Mikrotik seriously look into this.

This age of this issue is 5 years! Is there no response from MikroTik?

the only solution is to put all **** for password???!! Mikrotik, WTF??? I mean, seriously??

the only solution is to put all **** for password???!! Mikrotik, WTF??? I mean, seriously??

really????

I confirm this problem too. I get this problem if I use wireless-fp-xxxx-mipsbe.npk or wireless-cm2-xxxx-mipsbe.npk packages in any wireless ap mode (b, b/g, b/g/n). If I use package wireless-xxxx-mipsbe.npk only in b/g ap mode then wpa/wpa2 working fine without any "Unicast key exchange timeout" error. I think problem in these packages wireless-fp-xxxx-mipsbe.npk, wireless-cm2-xxxx-mipsbe.npk. Mikrotik team do you have any comments about my theory?

it is not a bug, this error means that your wireless link is not good quality, and enctypted link could not be established.

Normis, I am using the new mikrotik hAP AC and the same error is happening. Even with clients to five meters from the AP.

I have the same problem with hAP ac which I installed just few days ago. It's happening only on the 2.4GHz wlan, 5GHz wlan is working fine. I had hAP lite before on the same place with the same configuration and clients. It was working fine without this issue.

The issue seems to have flared up since the last update and I am wondering why is Mikrotik so damn quiet on this still??

it is not a bug, this error means that your wireless link is not good quality, and enctypted link could not be established.

Normis, I am using the new mikrotik hAP AC and the same error is happening. Even with clients to five meters from the AP.

I have the same problem with hAP ac which I installed just few days ago. It's happening only on the 2.4GHz wlan, 5GHz wlan is working fine. I had hAP lite before on the same place with the same configuration and clients. It was working fine without this issue.

I tried couple of changes in configuration of hAP ac and I think I found a workaround. If I disable wireless-cm2 package and enable wireless-fp instead everything seems to work fine. I'm running RouterOS 6.34.2. I'm not completely sure if this can be related but so far it looks good. I'll report results after few days.

Update 02/03/2016: I upgraded to the latest 6.35rc15 RC version of RouterOS and switched to wireless-rep driver. It still happens from time to time but it's much better than with RouterOS 6.34.2. It seems that the problem is probably caused by worser sensitivity of the 2.4GHz radio in hAP ac in comparison with hAP lite. Also I can't say for sure that upgrade fixed the issue or there was some strong interference during the time I was running RouterOS 6.34.2.

On a RB411 with 6.34.2 I get this error (unicast key exchange timeout) with a Microsoft Lumia 650 and a Microsoft Surface Pro 3.
This started happening after I switched to the wireless-cm2 package and after a big Windows 10 update. So it's unclear if this has to do with RouterOS or with Windows 10.
It usually happens when the phone or the tablet wakes from sleep. The tablet restores the connection after a while, but the phone never restores the connection. Only after a reboot it will work again.
It only happens with the Windows 10 devices, no problems with iOS or Android.

Does anyone else experience this error?

i am really bothered about this problem... it's started cropping up very very very frequently now....

just before this post all the 15 computers connected to the RB-SXT2 were disconnected and now had to be manually connected.

sent a SUPOUT file to Mikrotik but they have not bothered to reply... it's been almost more than a month.

Has anyone tried changing to 5Ghz to see if the issues still occur there? It maybe interference.

This bug make me crazy...
Maybe problem can be too many wireless clients around router...so I tried to put freq which are less used...but without hope, tried all versions of RouterOS - no hope, tried to change encryption from WPA2-AES to WPA-TKIP - no hope, tried to remove MAC filtering - no hope, tried with NTP changes - no hope...
There are many firmware updates, but there is still no fix for this killing-bug. Do someone from Mikrotik support guys reading this 6y old topic???

How can we contact support officially about this problem?

Is anyone else still having this issue? I'm getting Unicast key exchange timeouts at least once a day on my hap ac (6.34)
I've increased the group key update time but I still get disconnected.

Is anyone else still having this issue? I'm getting Unicast key exchange timeouts at least once a day on my hap ac (6.34)
I've increased the group key update time but I still get disconnected.

2.4Ghz or on the 5Ghz channels?

i want to report 6 months without the issue on rb951g and rb951ui actually i am on ros 6.34 and wireless-fp and cm2 packages

Hello,

I also have the same problem...it seems it started with the last upgrade (a few days ago).

I am connected to an AP, browsing the web and then suddenly I loose connection. I am using WPA2 AES, AP is 951G-2HnD. I tried solutions with copying default profile, reseting wireless configuration, lowering power, but the problem exists.

When I get disconnected I sometimes get the "Group key exchage timeout", but mostly "disconnected, received disassod: sending station leaving (8). With this SSID this is the only AP, so the notebook has nowhere to "switch".

Is this a bug or what Mikrotik? This thread is old, but the problem is still occuring. What now?

Is anyone else still having this issue? I'm getting Unicast key exchange timeouts at least once a day on my hap ac (6.34)
I've increased the group key update time but I still get disconnected.

2.4Ghz or on the 5Ghz channels?

Only on the 2.4Ghz Channel, the 5hgz is running in station mode

On 6.35.2 same error
F/W: 3.27
RouterBOARD 952Ui-5ac2nD

Hello Community,

i also got this Unicast key exchange timeout error about every 30 minutes and tried many things but finally found a SOLUTION, verified it, its also reproducible.

My Configuration:
3 WIFI-Devices (Laptop, Android Tablet, Smartphone) connecting sometimes to "WIFI-Network1" and sometimes to "WIFI-Network2"

i got this error on both Routerboards with all connected devices.

WIFI1: Routerboard:RB951G-2HnD, Firmware 3.33, installed Version: 6.35.2, wireless-fp Package
WIFI2: Routerboard 962UiGS-5HacT2HnT (hAP ac), Firmware 3.31, installed Version: 6.35.2, wireless-cm2 Package

Security Profile Settings on Both Routers: WPA2 PSK AES ONLY, Ciphers: aes ccm ONLY and different WPA2 Pre-Shared Keys, all other settings at Standard, no Connect List and no Access List in use.

WIFI-Config Routerboard:RB951G-2HnD:
ap bridge, Band: 2GHz-B/G/N, 2447 MHz, Channel Width: 20/40MHz Ce, no Radio Name, unique SSID hidden, all other settings Standard, ARP Enabled

WIFI-Config Routerboard 962UiGS-5HacT2HnT (hAP ac):
ap bridge, Band: 2GHz-only-N, 2452 MHz, Channel Width: 20/40MHz Ce, no Radio Name, unique SSID hidden, all other settings Standard, ARP Enabled


First i have to say that i exported the config from my RB951G and imported it to the hAP ac and noticed that the MAC-Addresses of all Interfaces also has been exported and imported into the new RouterBoard Config.

###############

1.So first check your Interfaces if you have a similar situation like me described above, reset the MAC Address, and maybe create a new Bridge Interface because this MAC cannot be resetted.

2. Then check your Packages
Open Winbox, go to System -> Packages -> Check Installation of wireless-cm2 Package/wireless-fp Package - sometimes this Update fails (for my RB951 for example 2 times), then download it manually from mikrotik website and install it again.

3. But the real solution for me was to change the Wireless INTERFACE Name, in my config both was only named "WLAN".
After this Change restart of the Wireless Interfaces is needed too.

Changing both names to an unique Interface Name solved the "Unicast key exchange timeout error" for me.

In this way i also changed all other Interface Names to unique ones.

Maybe this helps you out, try it
@Mikrotik: please check if this is a bug or feature

############Update: I made some Test just for the sake: ############
changed Frequency on both Routerboards to 2412 MHz

now i have a stable WIFI-Connection since 11 hours in fully crowded 2412 MHz Network with 8 other Stations near me and both Routerboards 20cm away from each other, 2 clients connected.

I also tried to reproduce this problem again, now after changing back both Interface names back to "WLAN" error no longer appeared, also stable Connection since 1 hour.

nothing helps. Worth PSK2 with aes

Do not are working some devices such as the Samsung tablet. In an open network, all devices are connected and working

Hi all

I'm adding my two cents to the issue as well. This is now July 31 of 2016.
Eight years of an ongoing issue! oh well.

I'm using ROS 6.36 on all devices involved.

Devices are in AP Bridge mode, same SSID, same AES WPA2 key
All set up by script so no typo's.

The devices connect and work great for a couple hours, then just they disconnect and won't reconnect without divine intervention.

This happens both in the field and in my home lab (aka the living room).


I'm trying a work around a good friend of mine suggested:

The master device should be AP-Bridge mode, but the nodes should be in WDS-Slave mode.
I don't know what the actual difference is between the two but.....

I have let this run and it seems to be stable as long as I don't touch anything. 

On the Master (which is connected to my modem): On the Node (which the computers usually connect to): You can see that the only difference between the two commands is the mode=

A couple Notes:

These are the settings I had to use to make it work.  Whenever I'm testing setups I like to mess around and break things
until I know what is actually needed and what is trivial. All these seem to be needed as of this posting. 
I may edit this post down the road as I learn more. Please feel free to contribute what you find.

On the master you can use a virtual-ap for the link, but on the node I had to use the main radio.
I can then add a virtual-ap on the node so that the laptops connect to a different ssid with a different wpa2 key

The security profile is just a standard wpa2 setup. Nothing special.

I'm using wds-mode=dynamic but you can use wds-mode=static if you know the mac addresses of the devices. 
I've played briefly with dynamic-mesh but didn't notice any difference.


6.36 appears to have introduced WPS and I'm not having it!!!!!
But in my case, none of my equipment has a button or is publicly accessible. 

Hope this helps.

Roy

Hi everyone!

Yeah, after years of using Mikrotik routers now I experience issue that I can't resolve.

We bought RB951G-2HnD router (ROS 6.33) and set up it with default configuration. It worked good (with some rare drops) but suddenly WiFi started to drop connections more often. At first few times in a day and now it's so often that work is impossible. Sometimes it's about 5 times in 30 minutes.

Log shows - Unicast key exchange timeout, read all forum and tried countless suggested solutions but none of them works. Really want to throw router in a trash.
Is it possible that this is caused by large interference (~60 devices around)?

Configuration at the moment.

Update to latest stable and change the group key timeout from 5 minutes to 1hour. If you already have not tried it. Maybe it helps. Use wireless rep package.

change the group key update time from 5 minutes to 1 hour.

It's weird, but it helps WiFi password change. It is necessary to change the pattern of symbols in the password and use the symbol "#".
I use letters, numbers and "#".

Hello,

I have the same issue on a Mikrotik RB951G-2HnD ( FW 6.36.3 ) in a single AP home configuration .

All my devices can connect to the wireless network, except two host ( a raspberrypi running librelec and a alienware m11x R1 laptop ) even when they're roughly 3m far from the AP .
I've followed the tips in the previous posts ( changing the frequency \ security profile \ ... ) with no go .

Hello,

I have the same issue on a Mikrotik RB951G-2HnD ( FW 6.36.3 ) in a single AP home configuration .

All my devices can connect to the wireless network, except two host ( a raspberrypi running librelec and a alienware m11x R1 laptop ) even when they're roughly 3m far from the AP .
I've followed the tips in the previous posts ( changing the frequency \ security profile \ ... ) with no go .

Hi, I now resolved an issue with old laptop running Win10, which started refusing connection to my Mikrotik hAP ac (2,4GHz wifi), probably after modifiing Mikrotik's configuration. Restart of laptop didn't help. All other devices are connected without problem.

Mikrotik log when trying to connect this laptop:
13:21:25 ... wlan1: connected
13:21:30 ... wlan1: disconnected, unicast key exchange timeout
13:21:30 ... wlan1: connected
13:21:35 ... wlan1: disconnected, unicast key exchange timeout
13:22:03 ... wlan1: connected
13:22:08 ... wlan1: disconnected, recieved deauth: unspecified (1)

Resolution:
In Win10 changed WiFi configuration in Device manager -> WiFi adapter-> Properties -> Advanced (enabled WMM and mixed mode protection) = laptop connected to WiFi. Then I disabled both functions again, and WiFi connection is still working. Think, that would also help changing any other value - there was probably need to rewrite wifi settings only.

PavelJ

Same issue with WPA2 PSK and iphone
Try:
Disable WDS Mode
Check WDS Ignore SSID
Change Group Key Update to 30min

10:50:39 wireless,info 78:C3:E9:E6:7B:4A@neonmobile: connected
10:52:05 wireless,info E0:2C:B2:7A:1F:F8@neonmobile: connected
10:52:11 wireless,info E0:2C:B2:7A:1F:F8@neonmobile: disconnected, unicast key exchange timeout
10:52:12 wireless,info E0:2C:B2:7A:1F:F8@neonmobile: connected
10:52:17 wireless,info E0:2C:B2:7A:1F:F8@neonmobile: disconnected, unicast key exchange timeout
10:53:05 wireless,info EC:1F:72:BD:C3:E0@neonmobile: connected
10:53:10 wireless,info EC:1F:72:BD:C3:E0@neonmobile: disconnected, unicast key exchange timeout
10:53:26 wireless,info E0:2C:B2:7A:1F:F8@neonmobile: connected
10:53:31 wireless,info E0:2C:B2:7A:1F:F8@neonmobile: disconnected, unicast key exchange timeout
10:53:43 wireless,info E0:2C:B2:7A:1F:F8@neonmobile: connected
10:53:48 wireless,info E0:2C:B2:7A:1F:F8@neonmobile: disconnected, unicast key exchange timeout

What need to do?

I had the same problem on a raspberry pi with a certain wifi usb adapter,
when i change the for other types, the worked, so i assume for me it's something
in the driver (r8712u) which doesn't work well with Mikrotik.
I did not have these problems on my previous access point (different brand).

I had the same issue ("disconnected, unicast key exchange timeout") on ROS 38.5. I fixed it with decreasing HW-retries parameter to 4.
Maybe it wil help somebody)

till date i am faced with this draconian issue of Unicast timeout disconnecting all the clients on the wireless network.... the frequency is far too much to handle. clients are just chucking out the systems...

wonder if i should continue to sell mikrotik wifi products....

Hi!

I had that problem, too, yesterday.

The reason was a short WPA2-key. Changing it to a longer key solved the problem for me.

Regards,
Stril

Stril - What was the length of original key? Minimums key length is 8 symbols and key length should not affect this (exchange timeout) in any way.

The same issue appeared in my Routerboard 2011 RB after upgrading to RouterOS v6.40.4 (stable).
Don't know if it is related, but I haven't noticed it in the logs before.

Have the same today when trying connect RaspberryPi3 with Windows 10 IoT :/

aAP ac, 6.40.4

Anyone know solution for this ?

Hello,

Also seeing this on a wAP-2nD-r2 that was working just fine on 6.40.4, upgraded to 6.40.5 and now have this: Client is a Tesla Model S (!), AP is a wAP-2nD-r2. Rock solid until this point, and even downgrading to the (previously working) 6.40.4 hasn't fixed it. Car is on firmware revision 2017.42.a88c8d5 and hasn't changed in the last couple of weeks, and neither has the config in the wAP... Very odd...

EDIT: Did upgrade the Routerboard's firmware at that stage also from 3.27 -> 3.41 - not sure if that is in any way related...

Today I tried my newly purchased router.
I experienced the same issue.

What solved problem for me was changing WiFi password to 18 characters.
Once that worked I tried to WiFi password with 20 characters and problem started again.
After that changed password to 18 characters and it was all good again.

I use longer than that wifi passwords without any kind of problems.

Same problem: ROS 6.40.5, Cap Lite - Apple TV. Mikrotik, WHEN WILL YOU SOLVE THIS PROBLEM?!

i think the issue is related with the use of symbols (different from letter and numbers) in psk, i only use numbers and letters and no problem in years

I came across this issue a wee while back. Problem was a single Android mobile phone kept generating this error on a Mikrotik AP while other devices were fine. Cause was another Mikrotik connected to the AP but with a very low signal.

Hello guys,

for delete this error I put only AES for crypt and delete TKIP, with this setting error disappear...

Hope this help someone

Hi Guys!

My Problem was solved by changing the Channel Width form "20/40MHz Ce" to "20/40MHz eC.

Hope it works for you

Regards

Oliver

that's a discovery... let me try it too!

Hi Guys!

My Problem was solved by changing the Channel Width form "20/40MHz Ce" to "20/40MHz eC.

Hope it works for you

Regards

Oliver

Created an account just to say that this also worked for me.
I just replaced my previous Tenda AC router with a MikroTik and used my previous SSID and WPA key.
All devices connected seamlessly to the new router except my Google home Minis, which would only function on the 2.4GHz band, where they used 5GHz on the Tenda.
Changed the channel width on wlan2 from "20/40/80MHz Ceee" to "20/40/80MHz eeeC" and they connected immediately during setup.
Haven't seen "unicast key exchange timeout" in the logs since. Hopefully I'll have no further updates to post regarding this issue and that this may resolve this problem for some of you as well.

It's March 2022!
I can't believe that Mikrotik devs still haven't addressed this issue. I lost an entire day because of this, trying EVERY POSSIBLE solution people here posted for 6+ years! NOTHING!

I have a problem connecting a TP-LINK WA850RE (v7) to my Mikrotik wifi. I tried every option in Winbox on both security profile and wifi configuration even DHCP etc.
I tried connecting the repeater to a few other routers and it works. Only Mikrotik noooopeeeeeeeee.

I also updated routerOS to the latest 7.1.1 stable from 6.46.6 and also tried 6.49.4 in the process. Nope. Cleared the settings, tried setting it up from scratch... nope. This is a pity.

I have finaly given up. I decided that I will not lose my mind over something even a 15$ Chinese router is able to do. But not Mikrotik. Connect with a device.

Unfortunately I am suffering on the same issue. I thought this thread is dead, so I created an own description here:

viewtopic.php?t=183808&sid=8c5c2a8fd6b4 ... c0b5ba8801

1) sync times between station and access point
2) switches between Auth Modes and Encryption Standards: AES CCMP / TKIP etc.
3) modfied group key interval to 01:00:00 / one hour
4) changed channel width between 20mhz and 20mhz - 40mhz
5) fixed channel
6) changed PSK in size and char variation (somewhat freaky)
7) installed three different os versions / versions of kernel modules

I have ROS 7.1.2 on MikroTik rb4011igs+5hacq2hnd-in.

Problem Adapter is a: RTL8191SU 802.11n WLAN with r8712u.

I also invested many many hours - I can not change anything - I really like my MikroTik setup but these systems (5) are important for me. Maybe I have to got back to Turris on the weekend (but actually I don't want).

hi everyone, I have managed to solve it only by returning to the factory firmware version - downgrade
... and key cannot contain special characters

Same, here. Problem between three routerboards, in WDS mode. Tried dynamic and static WDS, tried changing passwrds, changing ssid name, changing frequencies, all 20/40 combinations. There are no other APs nearby, so inteferences are not a problem. Reset all routerboards to factory default. Updated all routerboards to 6.49.6(stable). (hap lite rb941, rb951 and rb751). RB951 configured as main router with internet access, and DHCP server enabled,other two routerboard configured as ap bridge, I tried wds slave mode also. The connection lasts for about 5min, then it gets disconnected, with unicast key exchange timeout message in log.

on my side, this bug appeared when one RB used an user-created security profile and the other edited default security profile...
the fix was to not mix default and user-created security profile on RB, so both on edited-default security profile or either both on user-created security profile...

This thread has now been going for 14 years with very limited response from Mikrotik. I have been getting this issue also across a wireless link between 2 Mikrotik devices. The problem is fairly random so I think a lot of the proposed solutions might not work. From what I understand the 2 devices exchange a new encryption key every 5 mins by default and if that process fails for some reason then it will drop the connection. I have a suspicion this could be CPU related because it was a lot worse on an older slower device. If this is just key exchange timeout couldn't they just retry for longer? Waiting an extra 10 seconds to update the key surely isn't the end of the world.

Just to add to the potential solutions I have seen. I've listed anything I've seen even if they didn't work for me.
- Set adaptive noise immunity to ap and client mode
- Pick a clear channel
- Use 20MHz channel width
- Increase disconnect timeout (this was in Mikrotik docs for WDS but they didn't say to what)
- Don't run VLANs over WDS
- use a faster device

And to sum up every solution I've read in this thread, to save people reading the entire thread:
- enable NTP
- copy default security profile, then edit. Don't make new profiles
- only numbers and letters in pre-shared key
- retype pre-shared key
- make sure unique mac addresses
- unique names for wlan interfaces + restart
- change the group key timeout from 5 minutes to 1hour
- I fixed it with decreasing HW-retries parameter to 4
- The reason was a short WPA2-key. Changing it to a longer key solved the problem for me.
- What solved problem for me was changing WiFi password to 18 characters. (I saw multiple mentions of this)
- for delete this error I put only AES for crypt and delete TKIP
- My Problem was solved by changing the Channel Width form "20/40MHz Ce" to "20/40MHz eC.
- on my side, this bug appeared when one RB used an user-created security profile and the other edited default security profile...

Stril - What was the length of original key? Minimums key length is 8 symbols and key length should not affect this (exchange timeout) in any way.

Mikrotik staff need to have a good look into this. I can 100% demonstrate it's a bug and not interference. For my device I had some mildly more complicated config, still only 1 page though when exported. This was giving me the error every few hours with a dropout. I did a blank config wipe and set the device up with absolutely minimal config. In my case I was using station bridge mode to another mikrotik, so it's quite minimal the number of connections. This 100% solved the problem and the connection has been rock solid overnight with absolutely zero entries added to the log. The links down counter for the wireless link has stayed flat on 0. Note that in either case the number of connections was minimal as this is a test environment. I realise this error can happen as a normal part of operation, but it most definitely also happens as part of a bug. The fact I can get a rock solid connection with some config demonstrates this is NOT an issue with interference.

Some additional info
- I only changed config on the station bridge side, config on the AP side is still the same.
- The mikrotiks have been given channel 6, all other APs have been moved to 1 and 11. I have no APs from neighbors
- I rebooted both devices after applying config and before running the test
- The device has literally not added a single log entry after the logs from the reboot

I've worked out what is causing this, in my case at least. I can 100% eliminate it and 100% reproduce it. I have 1 mikrotik providing the usual wifi/internet/dhcp etc and a second mikrotik as a wifi extender. The extender is using station bridge to the first AP and then I create a virtual AP on top of that with the same name as the first. Having clients connect to the second AP is what causes the problem. I presume it's just busy talking to the client when the key exchange request comes in and the key exchange times out. If I connect the clients to the second AP with a cable then the problem goes away 100% and the connection shows 0 drops over a 24 hr period. I have used it for work like this and been in Teams meetings and it works fine. With wireless clients connected it will give the key exchange error every few hours and drops out for short periods.

The solution unfortunately seems to be to use a second radio or second device for the wireless bridge. I presume mikrotik know about this which is why their Audience router has 3 radios. Mikrotik staff, can we have a fix for this? It seems more retries in some form would solve the problem. The link itself seems to be fine, it appears the key exchange timeout happens and then mikrotik drops the link. Or if this is a problem that is impossible to solve it would be nice to know. I have a third mikrotik I can use however this is running on solar/batteries so that would double my power usage.

in my case (im using RB4011iGS+RM), it was caused by using the same channel. im on channel 11, and my neighbor suddenly changed to the same channel. then it started this "unicast key exchange timeout" issue. once his device moved to another channel, this issue was also gone.

UPDATE October 2023:

In my case, the problem was with TP LINK TL-WA850RE extender - with introduction of WPA3 support on it. It just couldn't connect to the Mikrotik because of errors. I bet it had something to do with standard wifi package, a bug of some sort related to the new WPA3 standard.

I didn't manage to solve it until one of the new versions of RouterOS came out.
At the time I was having issues with 7.1.1, but upgrading the router to a newer one, i can't really remember which one (just upgrade to the newest, at the point of writing this - 7.11.2) the problem was solved.

Another possible solution now in Oct 2023 is to use the newer "wifiwave2" wireless management package instead of the classic one if possible, it has proper WPA3 support but it is not needed.

However, do note that TP LINK TL-WA850RE range extender is a BAD one, and should be avoided because of its buggy firmware updates. The newest TP LINK firmware (TL-WA850RE(EU)_V7_1.0.12 Build 221109 released on 2023-02-07) introduced an entirely new problem - its DHCP server somehow messes with Mikrotik's, even when Authoritative mode is set, so devices in Mikrotik network often connect to the network, but fail to get a valid IP from Mikrotik's DHCP Server. Which is ridiculous really, so if you want to use that specific extender device, please use it with the oldest factory shipped firmware, DO NOT UPGRADE, because of some cheap reason TP LINK doesn't let you downgrade.

The permanent fix for issues introduces to Mikrotik network is to just throw TP LINK TL-WA850RE in the garbage.