802.11r Fast Transition Stop Working after 24 hours

Hi,

I got 802.11r Fast Transition working with WPA2-PSK/WPA3-SAE Mixed mode between my two OpenWRT routers, LINKSYS E8450 and ASUS AX-4200. The problem is after about a day/24 hours, the fast roaming will stop working with following errors logged. If I disconnect my phone from the WIFI and connect again, the fast roaming will work again for another day.

Fri May 17 14:48:47 2024 daemon.err hostapd: nl80211: kernel reports: key addition failed
Fri May 17 14:48:54 2024 daemon.err hostapd: nl80211: kernel reports: key addition failed
Fri May 17 14:48:58 2024 daemon.err hostapd: nl80211: kernel reports: key addition failed
Fri May 17 14:48:59 2024 daemon.err hostapd: nl80211: kernel reports: key addition failed
Fri May 17 14:49:03 2024 daemon.err hostapd: nl80211: kernel reports: key addition failed
Fri May 17 14:49:06 2024 daemon.err hostapd: nl80211: kernel reports: key addition failed
Fri May 17 14:49:09 2024 daemon.err hostapd: nl80211: kernel reports: key addition failed
Fri May 17 14:49:15 2024 daemon.err hostapd: nl80211: kernel reports: key addition failed

The working evidence of fast roaming auth_alg=ft


Thu May 16 18:54:02 2024 daemon.err hostapd: nl80211: kernel reports: key addition failed
Thu May 16 18:54:02 2024 daemon.info hostapd: wl1-ap0: STA c2:cc:91:a4:e5:d7 IEEE 802.11: associated (aid 1)
Thu May 16 18:54:02 2024 daemon.notice hostapd: wl1-ap0: AP-STA-CONNECTED c2:cc:91:a4:e5:d7 auth_alg=ft

The fast roaming was set on 5G, same SSID, same encryption and password.

On WLAN Roaming time, only 802.11r Fast Transition is checked; all other settings are kept as default.

Can someone help?

Thanks a lot,

Both of the methods you are using can be problematic.

  • WPA2/WPA3 mixed mode (sae-mixed) does not work well on all client devices.
  • 802.11r is equally problematic on some client devices. Some do not roam properly when this standard is engaged.

Solutions:
Start by disabling both of these options.

With respect to encryption, you are far better off with WPA2 or WPA3 rather than mixed mode.

And with the 802.11r, turn that off, too and spend time optimizing your APs so that you can get good standard roaming performance (this usually means reducing the power on your APs and ensuring that they are using non-overlapping channels; if you can adjust the physical placement of the APs, that can also help in some situations).

You'll see that with both of these fixes, roaming can actually work nearly seamlessly; you can then try 802.11r if you want, but only after you've got a good foundation.

1 Like

My problem is not roaming, between each connection of WIFI and the timeout (about a day/24 Hours), the roaming is perfect.

Look like there is an expiry time somewhere which cannot be automatically renewed after 24 hours.

Try with R disabled, it should roam but .3s .. 1s in place of <.3s still keeping IP address and all connections.

If you want to explore further keep R but rise debug level to 1 (and set log size to keep at least 48h in memory with incresed log rate)
https://openwrt.org/docs/guide-developer/debugging#logging_hostapd_behaviour

That message is somewhat co-related but not the root cause. It is shown when adapter already contains the key, i.e you roamed A->B->A. 24h somehow matches mandatory WPA2 rekey period, it could bug something, but failing at R clients should do the slow connection (i.e 1.3s) as fallback. So you are looking for event that happens after that 24h continuous run but not before.

Level 1 log when the error happened.

Thu May 23 13:40:06 2024 daemon.err hostapd: nl80211: kernel reports: key addition failed
Thu May 23 13:40:06 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 IEEE 802.11: binding station to interface 'phy1-ap0'
Thu May 23 13:40:06 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 IEEE 802.11: authentication OK (FT)
Thu May 23 13:40:06 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 MLME: MLME-AUTHENTICATE.indication(c2:cc:91:a4:e5:d7, FT)
Thu May 23 13:40:10 2024 daemon.err hostapd: nl80211: kernel reports: key addition failed
Thu May 23 13:40:10 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 IEEE 802.11: binding station to interface 'phy1-ap0'
Thu May 23 13:40:10 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 IEEE 802.11: authentication OK (FT)
Thu May 23 13:40:10 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 MLME: MLME-AUTHENTICATE.indication(c2:cc:91:a4:e5:d7, FT)
Thu May 23 13:40:12 2024 daemon.err hostapd: nl80211: kernel reports: key addition failed
Thu May 23 13:40:12 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 IEEE 802.11: binding station to interface 'phy1-ap0'
Thu May 23 13:40:12 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 IEEE 802.11: authentication OK (FT)
Thu May 23 13:40:12 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 MLME: MLME-AUTHENTICATE.indication(c2:cc:91:a4:e5:d7, FT)
Thu May 23 13:40:16 2024 daemon.err hostapd: nl80211: kernel reports: key addition failed
Thu May 23 13:40:16 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 IEEE 802.11: binding station to interface 'phy1-ap0'
Thu May 23 13:40:16 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 IEEE 802.11: authentication OK (FT)
Thu May 23 13:40:16 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 MLME: MLME-AUTHENTICATE.indication(c2:cc:91:a4:e5:d7, FT)
Thu May 23 13:40:17 2024 daemon.err hostapd: nl80211: kernel reports: key addition failed
Thu May 23 13:40:17 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 IEEE 802.11: binding station to interface 'phy1-ap0'
Thu May 23 13:40:17 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 IEEE 802.11: authentication OK (FT)
Thu May 23 13:40:17 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 MLME: MLME-AUTHENTICATE.indication(c2:cc:91:a4:e5:d7, FT)
Thu May 23 13:40:20 2024 daemon.err hostapd: nl80211: kernel reports: key addition failed
Thu May 23 13:40:20 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 IEEE 802.11: binding station to interface 'phy1-ap0'
Thu May 23 13:40:20 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 IEEE 802.11: authentication OK (FT)
Thu May 23 13:40:20 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 MLME: MLME-AUTHENTICATE.indication(c2:cc:91:a4:e5:d7, FT)
Thu May 23 13:40:23 2024 daemon.err hostapd: nl80211: kernel reports: key addition failed
Thu May 23 13:40:23 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 IEEE 802.11: binding station to interface 'phy1-ap0'
Thu May 23 13:40:23 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 IEEE 802.11: authentication OK (FT)
Thu May 23 13:40:23 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 MLME: MLME-AUTHENTICATE.indication(c2:cc:91:a4:e5:d7, FT)
Thu May 23 13:40:26 2024 daemon.err hostapd: nl80211: kernel reports: key addition failed
Thu May 23 13:40:26 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 IEEE 802.11: binding station to interface 'phy1-ap0'
Thu May 23 13:40:26 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 IEEE 802.11: authentication OK (FT)
Thu May 23 13:40:26 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 MLME: MLME-AUTHENTICATE.indication(c2:cc:91:a4:e5:d7, FT)
Thu May 23 13:40:30 2024 daemon.err hostapd: nl80211: kernel reports: key addition failed
Thu May 23 13:40:30 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 IEEE 802.11: binding station to interface 'phy1-ap0'
Thu May 23 13:40:30 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 IEEE 802.11: authentication OK (FT)
Thu May 23 13:40:30 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 MLME: MLME-AUTHENTICATE.indication(c2:cc:91:a4:e5:d7, FT)
Thu May 23 13:40:31 2024 daemon.err hostapd: nl80211: kernel reports: key addition failed
Thu May 23 13:40:31 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 IEEE 802.11: binding station to interface 'phy1-ap0'
Thu May 23 13:40:31 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 IEEE 802.11: authentication OK (FT)
Thu May 23 13:40:31 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 MLME: MLME-AUTHENTICATE.indication(c2:cc:91:a4:e5:d7, FT)

Log when R was working.

Thu May 23 13:44:03 2024 daemon.err hostapd: nl80211: kernel reports: key addition failed
Thu May 23 13:44:03 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 IEEE 802.11: binding station to interface 'phy1-ap0'
Thu May 23 13:44:03 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 IEEE 802.11: authentication OK (FT)
Thu May 23 13:44:03 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 MLME: MLME-AUTHENTICATE.indication(c2:cc:91:a4:e5:d7, FT)
Thu May 23 13:44:03 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 IEEE 802.11: association OK (aid 2)
Thu May 23 13:44:03 2024 daemon.info hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 IEEE 802.11: associated (aid 2)
Thu May 23 13:44:03 2024 daemon.notice hostapd: phy1-ap0: AP-STA-CONNECTED c2:cc:91:a4:e5:d7 auth_alg=ft
Thu May 23 13:44:03 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 MLME: MLME-REASSOCIATE.indication(c2:cc:91:a4:e5:d7)
Thu May 23 13:44:03 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 IEEE 802.11: binding station to interface 'phy1-ap0'
Thu May 23 13:44:03 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 WPA: event 6 notification
Thu May 23 13:44:03 2024 daemon.debug hostapd: phy1-ap0: STA c2:cc:91:a4:e5:d7 WPA: FT authentication already completed - do not start 4-way handshake

Hope some one can fix the problem

Disable R to have clients reconnecting in a bit more than blink of an eye
Or if you want to experiment - try setting shorter rekey interval, and see if problem starts after rekey ?with old now invalid keys cached by kernel?