Community discussions

MUM Europe 2020
 
WirelessRudy
Forum Guru
Forum Guru
Topic Author
Posts: 3089
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

5.17 NV2 key exchange timeout

Mon Jun 11, 2012 7:05 pm

Over the weekend installed 5.17 mipsle on about 80 units. (No issues on misbe routers).
Some 6 of them developed now disconnections like I am back to the early days of NV2.... :( :(

All 802.11a MT R52 cards in routerboards and NV2 enabled.

Message in AP is "disconnected, key exchange timeout"
Message in CPE log is "lost connection, key exchange timeout"


All routers were previously running 5.14 or 5.15 with fw2.18 They are all 133C3 boards.

These units are all in a network that ran stable for months with high signal levels (most better than -40.)

I am trying to put 5.16 back on these but due the regular disconnects that's a pain. And some that stay up are not accessible for 5 or 10 minutes before it finally lets me in....

After the roll-back I will report what happened and if the problem than is gone again will report MT.

In the meantime would like to know if any body else occurred same issue?


Apart from these problamatic units, the rest of the network saw the average ping times go down from 40-60's to 5-20's! Amazing!
Show your appreciation of this post by giving me Karma! Thanks.

Rudy R. Puister

WISP operator based on MT routerboard & ROS.
 
uldis
MikroTik Support
MikroTik Support
Posts: 3427
Joined: Mon May 31, 2004 2:55 pm

Re: 5.17 NV2 key exchange timeout

Tue Jun 12, 2012 9:49 am

please send the support output files from your setup where you see this problem to support@mikrotik.com.
We need the information how to reproduce your problem.
 
WirelessRudy
Forum Guru
Forum Guru
Topic Author
Posts: 3089
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: 5.17 NV2 key exchange timeout

Tue Jun 12, 2012 12:23 pm

please send the support output files from your setup where you see this problem to support@mikrotik.com.
We need the information how to reproduce your problem.
well, if I only could...

Each unit (all 133C3 boards with R52 radio) that develops the problem becomes inaccessible. I took one home, and set it up again to AP (rb433AH running 5.17 with latest fw) and within 5 minutes disconnects started again.

In AP log it says: "key exchange timeout" or "control frame timeout"

I cannot log into the board, not by mac not by IP. (It is getting an IP on the wlan)
When I try to log into via ether1 (and mac, no dhcp-cl) I get the error: "unable to connect to xxxxxxxxxxx etc - timeout"

If I try to login via de AP it takes a long time before the winbox window is presented. If I than want to open any window the connection drops.

With other boards having the same issue I also cannot login. I get same kind of timeout errors in winbox loader, or in the logs I see "key exchange timeout" or "control frame timeout"

These boards had no issues before (v.5.14, 5.15 or 5.16)

It is also only a fraction of the total 133C3 boards. I have several that updated without any problems (so far) and that don't disconnect.


I also seem to find now that when I finally would manage to log in a board with the issue (sometimes after 30 mins of more I suddenly can log in) I find the timeserver client is not updating the clock. Settings are exactly the same as before and as other units that do update. In the log I could even see that before the update the time was set right, but now not any more......


Because I cannot log into the units any more, and when I can they never stay connected long enough, I can't downgrade as well. :(
I am not amused by this! I am forced now to change these boards by other units (mipsbe) which was not planned!
Show your appreciation of this post by giving me Karma! Thanks.

Rudy R. Puister

WISP operator based on MT routerboard & ROS.
 
WirelessRudy
Forum Guru
Forum Guru
Topic Author
Posts: 3089
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: 5.17 NV2 key exchange timeout

Tue Jun 12, 2012 1:10 pm

Finally could log into the test unit. Opened the log and again "key exchange timeout" errors for the disconnects.
Also, after an hour, still no time update.

Seconds later the unit disconnected again, no more access... so not even got the change to make a supout.rif.
Guess have to wait another hour or so to try again...
Show your appreciation of this post by giving me Karma! Thanks.

Rudy R. Puister

WISP operator based on MT routerboard & ROS.
 
sonny
Member Candidate
Member Candidate
Posts: 208
Joined: Fri Jan 28, 2005 5:14 pm
Location: Germany
Contact:

Re: 5.17 NV2 key exchange timeout

Tue Jun 12, 2012 4:02 pm

Hi Wirelessrudy,

try to sende the config of your units to MT, they can reproduce the failure with your specific config.

We updated about 3 units 133 to 5.17, got no issues AP is 5.16. But they are not secured by WPA.

Sonny
Karl Sonnleitner
Senior Wireless-Expert
Restlesspowerbox - managed powersupply for Routerboards
 
uldis
MikroTik Support
MikroTik Support
Posts: 3427
Joined: Mon May 31, 2004 2:55 pm

Re: 5.17 NV2 key exchange timeout

Tue Jun 12, 2012 4:26 pm

if you can connect to one of those boards try to do 'export compact' in the wireless section.
Or tell us the configuration what you had on the wireless, so we could try to reproduce that problem.
Also what packages you have installed on that board?
 
WirelessRudy
Forum Guru
Forum Guru
Topic Author
Posts: 3089
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: 5.17 NV2 key exchange timeout

Tue Jun 12, 2012 6:19 pm

Ok, I am trying to do this in-between my other stuff I have to do. I already replaced 3 most urgend antennas to SXT's which with exactly the same config give no problems.

I could log into that unit I have now setup at my house, it was up and running now for almost 2 hours. But the moment I try to make a backup, or just to open a terminal screen in the winbox session, the unit disconnected. Both wireless as on the Ethernet port.

But some configs that I do know:
Board : 133C3
ROS : v5.17 (came from 5.14)
fw . 2.18 (already at 5.14
Packages loaded:
- dhcp
- ppp
- routerboard
- system
- wireless

Radio: R52

Boards are upgraded over the wireless link, like I always do.

CPE Config:
Wireless. Default power, NV2,nstreme,802.11 (where AP=NV2)
NV2 encryption set with password.
10km cell size (all units are within 1km anyway)
default auth. off
connect list with both the mac and SSID in two separate 'connect to' rules

CPE is routed, thus wlan receives IP + route as dhcp-cl and src-nat with masq enabled for the LAN
On the Ether1 runs a dhcp-server with normal /24 range.

AP config:
Default power from a R5H card, NV2 enabled with encryption and password.
10km cell size
default auth. off, clients accepted by access list mentioning.
Some 25+ clients in total.


Some remarks:
I noticed that when the first regularly disconnecting client was replaced by new SXT some other client that disconnected a lot also stabilized much more. Like they have an influence on each other. (Which they have off course, special in the NV2 routing of the AP)

I am still trying to get a supout.rif but so far no luck.
The given option to "export compact" in the wireless section? Is that in the terminal, because I don't see it in the winbox?
In the terminal, well no luck so far to get into a terminal session.
Show your appreciation of this post by giving me Karma! Thanks.

Rudy R. Puister

WISP operator based on MT routerboard & ROS.
 
WirelessRudy
Forum Guru
Forum Guru
Topic Author
Posts: 3089
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: 5.17 NV2 key exchange timeout

Tue Jun 12, 2012 6:33 pm

OH, and when it comes to trying to reproduce the issue:

I have upgraded some 40 133C3's and so far only 5 or 6 give the problem. So you have to be lucky I guess, to hit the error :o
Show your appreciation of this post by giving me Karma! Thanks.

Rudy R. Puister

WISP operator based on MT routerboard & ROS.
 
WirelessRudy
Forum Guru
Forum Guru
Topic Author
Posts: 3089
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: 5.17 NV2 key exchange timeout

Mon Jun 18, 2012 12:05 pm

I've got now ticket #2012061366000024 and ticket #2012061566000039 produced but no more news from MT.

I still have a handful of 133C3's that give the problem with the ros5.17
Actually I had 3 new ones developed the issue over the weekend. These units ran fine last week but started to disconnect over the weekend and became in-accessible.
Only a power cycle makes them usable again...

What I see on these failing units is:
- In the AP registration table where all 'last IP"'s are shown I usually see only the IP that is assigned to that particular CPE (because wlan of CPE is dhcp-client of the dhcp server in the AP)
Units that fails see continuously the IP's of the set dns servers and other IP's flying by. After power cycle this is gone and CPE shows own IP again...

- Units are registered with AP but are not accessible, or only after very long time, like 30 mins. Not by mac telnet/ping or winbox.

- If unit finally becomes accessible the crash the moment you open a terminal session, or ask for the installed packages list or I want to make a backup. A supout.rif also kills the connection immediately.

In the above instances the CPE usually stays registered in the AP, only the supout.rif command makes it disconnect completely.

Sometimes, after more than an hour or so the unit becomes available and works normally again... until it disconnects again...

fw is updated on all units.
signal levels are from -40 region to -75 depending on the effected units.
AP's have 25-40 units where all the other associated CPE's are stable running 5.17

I have so far one groove with the same issue. This one has -74 as average level so it might be the signal is a bit marginal. But this unit was stable with same signals before the upgrade to 5.17

My overall thinking is that 5.17 is yet again a version that takes more from the CPU than previous versions and special some 133C3's can't cope with it.
It looks this way MT is slowly facing 133C3's out because every upgrade I have a couple more that can't work with the upgrade version any longer......
Show your appreciation of this post by giving me Karma! Thanks.

Rudy R. Puister

WISP operator based on MT routerboard & ROS.
 
Butchesky
just joined
Posts: 14
Joined: Wed Jun 27, 2012 11:03 pm

Re: 5.17 NV2 key exchange timeout

Wed Jun 27, 2012 11:54 pm

I have had same problem, with 'key exchange timeout'.
Worse, it was 'group key....' - all stations disconnects from base station.
It happens ONLY at WPA/TKIP encryption.

Working on disabled encryption or finally WPA2/EAP encryption solved this problem at my network.

Rgds
Butchesky
 
WirelessRudy
Forum Guru
Forum Guru
Topic Author
Posts: 3089
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: 5.17 NV2 key exchange timeout

Thu Jun 28, 2012 4:59 pm

I have had same problem, with 'key exchange timeout'.
Worse, it was 'group key....' - all stations disconnects from base station.
It happens ONLY at WPA/TKIP encryption.

Working on disabled encryption or finally WPA2/EAP encryption solved this problem at my network.

Rgds
Butchesky
So than this must be another type of problem, with only a similar result.
I only use NV2 with its own encryption so that's a different cake I think.
And a 'group key' error I have never seen...

But I still have some units disconnecting, and MT doesn't seem to care....
Show your appreciation of this post by giving me Karma! Thanks.

Rudy R. Puister

WISP operator based on MT routerboard & ROS.
 
samsung172
Forum Guru
Forum Guru
Posts: 1186
Joined: Sat Apr 04, 2009 3:45 am
Location: Østfold - Norway
Contact:

Re: 5.17 NV2 key exchange timeout

Thu Jun 28, 2012 11:40 pm

I dont know if realted to this post, but i have some kind of same issue at a 2.4ghz hotspot sone. Its 5 units, about 8 wireless interfaces, and about 150 clients (laptops, pda etc), when upgraded to 5.17, i got group key exchange timeout all the time, and a error at router, not been able to give out dhcp in 30% of all cases.
19:28:38 dhcp,info dhcp1 deassigned 10.48.0.184 from 28:E7:CF:B7:02:4F 
19:28:43 dhcp,warning dhcp1 offering lease 10.48.0.62 for 00:23:6C:4A:EF:E1 withou
t success 
19:28:46 dhcp,warning dhcp1 offering lease 10.48.1.57 for 14:7D:C5:4B:57:B8 withou
t success 
19:28:50 dhcp,info dhcp1 assigned 10.48.0.90 to 50:EA:D6:7E:D3:7C 
19:28:52 dhcp,info dhcp1 assigned 10.48.0.138 to E0:B9:BA:40:47:1F 
19:28:54 dhcp,warning dhcp1 offering lease 10.48.0.184 for 28:E7:CF:B7:02:4F witho
ut success 
19:28:54 dhcp,info dhcp1 deassigned 10.48.0.90 from 50:EA:D6:7E:D3:7C 
19:28:58 dhcp,info dhcp1 deassigned 10.48.0.138 from E0:B9:BA:40:47:1F 
19:29:04 dhcp,warning dhcp1 offering lease 10.48.0.38 for 78:D6:F0:AF:1B:CD withou
t success 
19:29:11 dhcp,warning dhcp1 offering lease 10.48.0.90 for 50:EA:D6:7E:D3:7C withou
t success 
19:29:19 dhcp,info dhcp1 deassigned 10.48.0.185 from 00:24:2C:24:48:D5 
19:29:20 dhcp,info dhcp1 deassigned 10.48.0.73 from 38:E7:D8:D8:2F:BE 
19:29:20 dhcp,info dhcp1 assigned 10.48.0.73 to 38:E7:D8:D8:2F:BE 
19:29:27 dhcp,warning dhcp1 offering lease 10.48.0.184 for 28:E7:CF:B7:02:4F witho
ut success 
19:29:35 dhcp,info dhcp1 assigned 10.48.0.184 to 28:E7:CF:B7:02:4F 
19:29:39 dhcp,info dhcp1 deassigned 10.48.0.184 from 28:E7:CF:B7:02:4F 
19:29:43 dhcp,info dhcp1 deassigned 10.48.1.46 from 00:22:43:6D:02:E4 
19:29:45 dhcp,warning dhcp1 offering lease 10.48.0.90 for 50:EA:D6:7E:D3:7C withou
t success 
19:29:51 dhcp,info dhcp1 assigned 10.48.0.90 to 50:EA:D6:7E:D3:7C 
19:29:54 dhcp,info dhcp1 assigned 10.48.1.46 to 00:22:43:6D:02:E4 
19:29:55 dhcp,info dhcp1 deassigned 10.48.0.134 from D8:B3:77:3C:60:40 
19:29:55 dhcp,info dhcp1 assigned 10.48.0.134 to D8:B3:77:3C:60:40 
19:29:56 dhcp,info dhcp1 deassigned 10.48.0.90 from 50:EA:D6:7E:D3:7C 
19:29:57 dhcp,info dhcp1 deassigned 10.48.1.46 from 00:22:43:6D:02:E4 
19:29:57 dhcp,warning dhcp1 offering lease 10.48.0.184 for 28:E7:CF:B7:02:4F witho
ut success 
19:30:17 dhcp,warning dhcp1 offering lease 10.48.1.57 for 14:7D:C5:4B:57:B8 withou
t success 
19:30:22 dhcp,warning dhcp1 offering lease 10.48.0.90 for 50:EA:D6:7E:D3:7C withou
t success 
19:30:30 dhcp,warning dhcp1 offering lease 10.48.0.184 for 28:E7:CF:B7:02:4F witho
ut success 
19:30:35 dhcp,info dhcp1 assigned 10.48.0.184 to 28:E7:CF:B7:02:4F 
19:30:42 dhcp,info dhcp1 deassigned 10.48.0.184 from 28:E7:CF:B7:02:4F 
19:30:51 dhcp,info dhcp1 assigned 10.48.0.90 to 50:EA:D6:7E:D3:7C 
19:30:55 system,info,account user admin logged in from 172.16.1.1 via winbox 
19:30:57 dhcp,info dhcp1 deassigned 10.48.0.90 from 50:EA:D6:7E:D3:7C 
19:30:59 dhcp,warning dhcp1 offering lease 10.48.0.184 for 28:E7:CF:B7:02:4F witho
ut success 
19:31:13 dhcp,info dhcp1 assigned 10.48.0.103 to 6C:C2:6B:94:49:A1 
19:31:14 dhcp,warning dhcp1 offering lease 10.48.0.90 for 50:EA:D6:7E:D3:7C withou
t success 
19:31:22 dhcp,info dhcp1 deassigned 10.48.0.103 from 6C:C2:6B:94:49:A1 
19:31:23 dhcp,warning dhcp1 offering lease 10.48.1.46 for 00:22:43:6D:02:E4 withou
t success 
19:31:23 dhcp,info dhcp1 assigned 10.48.1.46 to 00:22:43:6D:02:E4 
19:31:24 system,info,account user admin logged in from 172.16.1.1 via telnet
Downgraded all wireless units to 4.17, and all was ok.
 
User avatar
tgrand
Long time Member
Long time Member
Posts: 671
Joined: Mon Aug 21, 2006 2:57 am
Location: Winnipeg, Manitoba, Canada

Re: 5.17 NV2 key exchange timeout

Fri Aug 16, 2013 12:41 am

Saw this a few times.

What I saw for me was that there was a typo in the NV2 Security Key.
(Actually it was an uppercase lowercase issue)

Who is online

Users browsing this forum: No registered users and 36 guests