Ath10k mesh plink blocked when using lots of clients and encryption

Goal: establish 5Ghz encrypted mesh network between many ath10k OpenWRT devices (5+)
Problem: when using encryption, the first two-three clients connect flawlessly, withing seconds, but new clients will come in plink: BLOCKED state, and after 4 minutes (problably a timeout value) they will finally be in ESTAB.

Our setup:
We followed to setup the initial mesh network. Package used is wpad-mesh-wolfssl.

Network config is:

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0'
        option country 'NL'
        option channels '36-48'
        option htmode 'HT40'
        list supported_rates '18000 24000 36000 48000 54000'
        list basic_rate '18000 24000 36000 48000 54000'
        list require 'n'
        option channel '36'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option disassoc_low_ack '1'
        option maxassoc '80'
        option isolate '0'
        option ssid 'OUR SSID'
        option encryption 'psk2'
        option key 'our_psk2_key'

config wifi-iface 'mesh'
        option device 'radio0'
        option network 'mgt'
        option mode 'mesh'
        option mesh_id 'mesh_id_here'
        option encryption 'psk2'
        option key 'our_mesh_key'
        option disabled '0'

When we enable the mesh interface, you'll see that the devices will come in LISTEN state first, after that some will move to ESTAB, and the rest will be BLOCKED.

Test setup:

  • iw dev wlan0 station dump | grep plink
  • enable mesh interface on other devices
  • see what's happening

The problem starts when we add more than 3 devices to the mesh.

After that we switched to wpad-mesh-openssl. Same problems, but now the problem starts when we have more than 6 devices (3 more than wolfssl).

The docs say that we could manually 'unblock' a station by using
iw dev $MESH_IFACE station set $MAC_TO_UNBLOCK plink_action open
from the iwfull package. However, this doesn't work:
command failed: Invalid argument (-22)
which is the same error found in a bug report of >4 years ago:

To make sure we don't use authsae, I removed wpad-mesh-openssl, and installed hostapd + wpa-supplicant-mesh-openssl, but the error is the same.

Interesting is that iw dev $MESH_IFACE station set $MAC_TO_UNBLOCK plink_action block works to block a client.

We also tried to play with the timeouts you can configure with iw mesh_param (found at We tried with low values, we tried with high values, but to no avail.


  • Problem only with encrypted mesh
  • If using >3 (wolfssl) or >6 clients (openssl), the devices go to BLOCKED state
  • plink_action open doesn't work
  • using 18.06 and master (ar71xx and ath79) with ath10k drivers (candela tech has no mesh support).

How can we avoid clients going to BLOCKED state while using encryption?