Community discussions

 
User avatar
macsrwe
Long time Member
Long time Member
Topic Author
Posts: 647
Joined: Mon Apr 02, 2007 5:43 am
Location: Arizona, USA
Contact:

What isn't matching??

Fri Mar 09, 2012 4:58 am

I have this problem often… :-(

When debugging a brand new configuration, often MT in station mode sees the right AP but refuses to connect to it. I get messages of the form:
00:0C:42:D0:68:55: on 2412 AP: yes SSID Good1 caps 0x431 rates 0xff0f basic 0xf MT: yes 
00:0C:42:D8:A6:28: on 2422 AP: yes SSID Other1 caps 0x431 rates 0xff0f basic 0xf MT: yes 
00:0C:42:D0:B3:B7: on 2437 AP: yes SSID Good2 caps 0x431 rates 0xff0f basic 0xf MT: yes 
00:1D:6A:B8:1D:F7: on 2452 AP: yes SSID Other2 caps 0x31 rates 0xff0f basic 0xf MT: no 
00:0C:42:E4:65:21: on 2452 AP: yes SSID Other3 caps 0x421 rates 0xff0f basic 0xf MT: yes 
wlan1-gateway: no network that satisfies connect-list,  by default do not connect 
wlan1-gateway: failed to select network 
wlan1-gateway: delaying scanning 
However, if I turn on "default authenticate," I get the same first five messages followed by
wlan1-gateway: no network that satisfies connect-list,  by default choose with strongest signal 
00:0C:42:D0:B3:B7@wlan1-gateway established connection on 2437, SSID Good1
and everything works.

Obviously, there is some parameter in the interface, connect-list, or security-profile that doesn't match between the station and the AP. Furthermore, the mismatch is obviously trivial, as the connection works fine once it is made.

Here's my question: Is there any way to find out from the MT what that parameter is instead of staring endlessly at screens on both devices (which has never worked well and still doesn't)? It sure would be helpful if it would log one additional line for each rejected AP saying "rejected because xyz was incompatible."

I suppose I should provide some real configuration examples...

On the CPE:

int wire ; print detail
Flags: X - disabled, R - running 
 0  R name="wlan1-gateway" mtu=1500 mac-address=00:0C:42:E0:E7:81 arp=enabled interface-type=Atheros 11N mode=station ssid="Call-623-640-7883(MT-E)" 
      frequency=2437 band=2ghz-b/g/n channel-width=20mhz scan-list=default wireless-protocol=any wds-mode=disabled wds-default-bridge=none 
      wds-ignore-ssid=no bridge-mode=enabled default-authentication=yes default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0 
      hide-ssid=no security-profile=GABB compression=no 

secur print detail

Flags: * - default 
  1   name="GABB" mode=dynamic-keys authentication-types=wpa-psk,wpa2-psk unicast-ciphers=tkip,aes-ccm group-ciphers=tkip 
     wpa-pre-shared-key="password" wpa2-pre-shared-key="password" supplicant-identity="" eap-methods="" tls-mode=no-certificates 
     tls-certificate=none static-algo-0=none static-key-0="" static-algo-1=none static-key-1="" static-algo-2=none static-key-2="" static-algo-3=none 
     static-key-3="" static-transmit-key=key-0 static-sta-private-algo=none static-sta-private-key="" radius-mac-authentication=no 
     radius-mac-accounting=no radius-eap-accounting=no interim-update=0s radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username 
     radius-mac-caching=disabled group-key-update=5m management-protection=allowed management-protection-key="whatever" 
[/size]
On the AP:

int wire ; print detail
Flags: X - disabled, R - running 
 0  R name="AP-East" mtu=1500 mac-address=00:0C:42:D0:B3:B7 arp=enabled interface-type=Atheros 11N mode=ap-bridge 
      ssid="Call-623-640-7883(MT-E)" frequency=2437 band=2ghz-b/g/n channel-width=20mhz scan-list=default wireless-protocol=any 
      wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no bridge-mode=enabled default-authentication=yes 
      default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no security-profile=GABB compression=no 

secur print detail

Flags: * - default 
 1   name="GABB" mode=dynamic-keys authentication-types=wpa-psk,wpa2-psk unicast-ciphers=tkip,aes-ccm group-ciphers=tkip 
     wpa-pre-shared-key="password" wpa2-pre-shared-key="password" supplicant-identity="" eap-methods="" 
     tls-mode=no-certificates tls-certificate=none static-algo-0=none static-key-0="" static-algo-1=none static-key-1="" 
     static-algo-2=none static-key-2="" static-algo-3=none static-key-3="" static-transmit-key=key-0 static-sta-private-algo=none 
     static-sta-private-key="" radius-mac-authentication=no radius-mac-accounting=no radius-eap-accounting=no interim-update=0s 
     radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username radius-mac-caching=disabled group-key-update=5m 
     management-protection=allowed management-protection-key="whatever" 
[/size]
Am I missing some other menu that also has to match? There aren't any connect lists.
 
airock
newbie
Posts: 29
Joined: Fri Oct 09, 2009 11:57 pm

Re: What isn't matching??

Sun Mar 11, 2012 11:51 pm

Everything is working as expected.

If you turn off "default authentication" (on the AP and/or on the station) then you have to provide proper access-list (on the AP) and/or connect-list (on the station): in other words, you're telling RouterOS to NOT establish a connection by default, and to only permit what is explicitly allowed by a proper list entry.

The error message from the log is crystal clear. The RouterOS manual too.

May be you did not carefully read them both.
"Entia non sunt multiplicanda praeter necessitatem."

If you find anything useful in this this post, please give a positive Karma. (more info about Karma)
 
User avatar
macsrwe
Long time Member
Long time Member
Topic Author
Posts: 647
Joined: Mon Apr 02, 2007 5:43 am
Location: Arizona, USA
Contact:

Re: What isn't matching??

Mon Mar 12, 2012 1:48 am

I disagree with your (unnecessarily snide) analysis. Here is the manual entry:

default-authentication (yes | no; Default: yes)	For AP mode, this is the value of authentication for clients that do not match any entry in the access-list. For station mode, this is the value of connect for APs that do not match any entry in the connect-list
[/size]
On the AP, default-authentication is on and always has been, so that side is not at issue.

On the station side, it is my belief that the AP entirely matches the connection parameters provided at the station -- yet the station will not connect with default-authentication off, and the error message specifically says "no network... satisfies connect-list."

When I turn default-authentication on, the message says, "no network that satisfies connect-list, by default choose with strongest signal." This is not behavior I want. I don't want to grope around by signal strength, I want to connect directly to the one with the SSID and security key I specified.

What I don't understand is why the station side claims no AP satisfies the connection parameters when both the wireless and security parameters on both sides are identical to the eye. Is there some other menu in which I should be looking to find a mismatch? (Again, it would be a lot easier if the MT would bother to mention which parameter is triggering the mismatch complaint.)
 
airock
newbie
Posts: 29
Joined: Fri Oct 09, 2009 11:57 pm

Re: What isn't matching??

Mon Mar 12, 2012 3:53 pm

Ok, let's start from the beginning.

In your description of the problem (your first message) when you say if I turn on "default authenticate" you DO NOT specify if you are referring to the AP or to the STATION. And the configurations you posted do not help as in both of them i see "default-authentication=yes". That's why I briefly described the general behaviour of "default authentication" for both AP & STATION.

Then (in your second message) you say that On the AP, default-authentication is on and always has been, so that side is not at issue. Nice to know: NOW (let me repeat: NOW) I can confirm you that the AP side is not at issue. So move to the station side.

Well, notwithstanding what I clearly said (that is exactly what the manual says, as you diligently quoted) you STILL expect your station to connect with "default-authentication=no" and an empty connect-list. Mmmm... tell me that I'm snide but the logic suggests that the problem is not me nor the manual.

So let's read together what the manual says:
For station mode, this (the value of "default-authentication" - ndr) is the value of connect for APs that do not match any entry in the connect-list.
Translation:
if you set "default-autentication=no" the effect is the same as matching an entry into the connect-list with "connect=no", (unless a previous entry is matched, in which case the corresponding "connect" value is taken in account)

That's what exactly the manual says: I really don't know how to explain it better than this.

So: if you DO NOT create any entry in the connect-list you MUST set "default-authentication=yes". As I already told you.

And, as you verified, by setting the station this way the connection is established. There are no mismatching parameters to look for, if there were some the station would not connect. Period.

About the final point:
why the station side claims no AP satisfies the connection parameters when both the wireless and security parameters on both sides are identical to the eye
NOT TRUE. What the station actually says is:

no network that satisfies connect-list, (...)

CORRECT: the are no networks that satisfy the connect-list, as the connect-list is empty.

(...) by default choose with strongest signal

CORRECT: the only thing your station can do is to try to connect to anything accepting your security parameters, and it tells you it will choose the strongest signal.

Again, read carefully. Here the key is the word NETWORK.

You are confusing NETWORK with AP.

There might be more than 1 AP into a network (i.e. several APs with the same SSID). By specifying the SSID into the interface settings you restrict the access to ALL the APs within the same network (SSID), not to a particular AP. YOU know that there is only a SINGLE AP with that network name. The station doesn't know. So it does the best it can: choose the AP with the given SSID and the strongest signal.

You are confused because you want to establish a connection with a specific AP, but actually with your configuration you are just selecting a NETWORK.

If you want to connect to a specific AP... guess what? Define a proper entry into the connect-list. As I already said.

In the end, there is nothing in this last post of mine that I didn't already say in my previous one, and nothing was wrong in it... Well, not true: actually I made a mistake, so there is something I have to correct:
The error message from the log is crystal clear. The RouterOS manual too.

May be you did not carefully read them both.
Replace with:

The error message from the log is crystal clear. The RouterOS manual too.

You DID NOT carefully read them both.

Snidely,
rock
"Entia non sunt multiplicanda praeter necessitatem."

If you find anything useful in this this post, please give a positive Karma. (more info about Karma)
 
bpwl
just joined
Posts: 18
Joined: Mon Apr 08, 2019 1:16 am

Re: What isn't matching??

Mon Aug 12, 2019 1:53 am

We still have this error message all the time (6.45.3) and we still don't understand why.

After searching bit-by-bit what the mismatch could be in my connect-list I finally gave up, and started doing a lot of reading in the forum.

The answer of "airock" is NOT very helpfull. Don't blame us as not reading the manual or not reading the error message. We just don't get it.
And we are still looking where that mismatch could be hidden.

So my conclusion so far is that the debug message "no network that satisfies connect-list, by default choose with strongest signal " is not what we understand it is, namely that there is something wrong in the entries of the connect list, and that RouterOS therefore did not find any match, because no network satisfies the connect-list.

I now assume thet the message means that the default authentication is set, and that therefore IF there is no network seen that satisfies the connect-list, THEN by default the AP with the strongest signal for that request will be choosen. This in contrast with the message :"no network that satisfies connect-list, by default do not connect " which comes when the default authenrication is off.

The confusion comes from the fact that if we do set something in the connect-list , even with the "copy to connect-list" button , the message "no network that satisfies connect-list, by default choose with strongest signal" still comes and looks as an error messgae telling us that ....." there is ... no network that satisfies connect-list", so we did something wrong in that list, and we start looking "What isn't matching?".

I think now, that there is just nothing wrong in that list when that debug message appears. It appears with that background scan every 5 minutes. An operation that seems to be responsible for quite some disconnects in the WDS scenarios.to my experience so far.
 
bpwl
just joined
Posts: 18
Joined: Mon Apr 08, 2019 1:16 am

Re: What isn't matching??

Wed Aug 21, 2019 11:51 pm

About that background scan that triggers every 5 minutes, and is the cause of some disconnects due to "no beacon received" during that scan, I wonder what this will bring me, in an attempt to STOP the 5 minute background scan from happening, as the PtP connection is very static (there is no other AP, and things are not moving) .....
"interface wireless set station-roaming=disabled"

Who is online

Users browsing this forum: No registered users and 25 guests