DAWN the problem with device which doesn't obey (802.11rkv)

OpenWrt 22.03.5 , 2 dumb APs 802.11 rkv , DAWN (kicking 2) , wpad(full)

I have 4 smartphones:
#1 reacts on kicking (doesnt have 802.11r) HUaway 6A ) 70:8a:09:df:f1:bc
#2 reacts on kicking (has 802.11r) Huaway MadPAd10 ) ee:52:2a:09:59:ba
#3 doesn't reacts on kicking (but roams itself when -80Db) Alcatel X1 5c:77:76:93:38:cb
#4 doesn't reacts on kicking (Doesnt roam at all)China brend A100

..It looks like DAWN can mange only one device at once so you can imagine the scenarios:

  1. DAWN kicks #1

  2. #1 has been kicked and roamed to other AP

  3. DAWN can manage next device(all good)

  4. DAWN kicks #2

  5. #2 has been kicked and roamed to other AP

  6. DAWN can manage next device(all good)

  1. DAWN kicks #3

  2. #3 does not react and roams only if lelvel lower than -80dB

  3. if #3 didn't roamed DAWN permanently kicking #3 so no device on current AP will be managed whatsoever !(not good)

  4. DAWN kicks #4

  5. #4 does not react eg not roams (and wont roam)

  6. DAWN permanently kicking #4 so no device on current AP will be managed whatsoever anymore !(bad)

......................................
So it is all good and smooth till one of 2 smartphones(#3 or #4) stuck on far away AP so all device wont be kicked (because DAWN is busy kicking device which doesn't obey kicking) so how to make DAWN make lets say 4 kicking and then manage next device .
This is serios problem that makes all roaming not working!

My DAWN config:

config local
	option loglevel '0'

config network
	option broadcast_ip '192.168.22.255'
	option broadcast_port '1025'
	option tcp_port '1026'
	option network_option '2'
	option shared_key 'Niiiiiiiiiiiiick'
	option iv 'Niiiiiiiiiiiiick'
	option use_symm_enc '0'
	option collision_domain '-1'
	option bandwidth '-1'

config hostapd
	option hostapd_dir '/var/run/hostapd'

config times
	option con_timeout '100'     ##Timespan until a connection is seen as disconnected[60]
	option update_client '4'    ##Timer to refresh local connection information and send revised NEIGHBOR REPORT to all clients[10]
	option remove_client '4'   ##Timer to remove expired client entries from core data set[15]
	option remove_probe '8'    ##Timer to remove expired PROBE and BEACON entries from core data set[30]
	option remove_ap '460'        ##Timer to remove expired AP entries from core data set[460]
	option update_hostapd '4'    ##Timer to (re-)register for hostapd messages for each local BSSID
	option update_tcp_con '4'   ##Timer to refresh / remove the TCP connections to other DAWN instances found via uMDNS
	option update_chan_util '4'  ##Timer to get recent channel utilization figure for each local BSSID
	option update_beacon_reports '8'  ##Timer to ask all connected clients for a new BEACON REPORT[20]

config metric 'global'
	option min_probe_count '3'
	option bandwidth_threshold '128'
	option use_station_count '0'
	option max_station_diff '0'
	option eval_probe_req '0'
	option eval_auth_req '0'
	option eval_assoc_req '0'
	option kicking '2'
	option kicking_threshold '20'
	option deny_auth_reason '1'
	option deny_assoc_reason '17'
	option min_number_to_kick '1'
	option chan_util_avg_period '3'
	option set_hostapd_nr '0'
	option duration '0'
	option rrm_mode 'pat'

config metric '802_11g'
	option initial_score '80'
	option ht_support '5'
	option vht_support '5'
	option no_ht_support '0'
	option no_vht_support '0'
	option rssi '15'
	option rssi_val '-40'
	option low_rssi_val '-55'
	option low_rssi '-15'
	option chan_util '0'
	option chan_util_val '290'
	option max_chan_util '-15'
	option max_chan_util_val '300'
	option rssi_weight '0'
	option rssi_center '-60'

config metric '802_11a'
	option initial_score '100'
	option ht_support '5'
	option vht_support '5'
	option no_ht_support '0'
	option no_vht_support '0'
	option rssi '15'
	option rssi_val '-60'
	option low_rssi_val '-80'
	option low_rssi '-15'
	option chan_util '0'
	option chan_util_val '140'
	option max_chan_util '-15'
	option max_chan_util_val '170'
	option rssi_weight '0'
	option rssi_center '-70'

My wireless:


config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'
	option channel '5'
	option log_level '0'
	option txpower '17'


config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option key '1225612256'
	option ieee80211r '1'
	option ft_psk_generate_local '1'
	option ieee80211k '1'
	option time_advertisement '2'
	option time_zone 'MSK-3'
	option bss_transition '1'
	option encryption 'psk2'
	option ft_over_ds '1'
	option disassoc_low_ack '0'
	option rrm_neighbor_report '1'
	option rrm_beacon_report '1'
	option max_inactivity '30'


also interesting question is how to set up neighbors (Space separated list of MACS to use in "static" AP Neighbor Repor)
as i understand i can make a list of MACs and they supposed to be different on each AP

How make neighbours staticcally?

Here Wireshark frame
AP MAC: 78:a3:51:7b:fa:54
Client MAC: ee:52:2a:09:59:ba

Frame 6931: 51 bytes on wire (408 bits), 51 bytes captured (408 bits) on interface \Device\NPF_{73821B95-2F48-4164-9757-0534C462273F}, id 0
    Section number: 1
    Interface id: 0 (\Device\NPF_{73821B95-2F48-4164-9757-0534C462273F})
        Interface name: \Device\NPF_{73821B95-2F48-4164-9757-0534C462273F}
        Interface description: Беспроводная сеть
    Encapsulation type: IEEE 802.11 plus radiotap radio header (23)
    Arrival Time: Jun  3, 2023 16:46:39.289287000 RTZ 2 (зима)
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1685799999.289287000 seconds
    [Time delta from previous captured frame: 0.000631000 seconds]
    [Time delta from previous displayed frame: 0.048123000 seconds]
    [Time since reference or first frame: 29.000016000 seconds]
    Frame Number: 6931
    Frame Length: 51 bytes (408 bits)
    Capture Length: 51 bytes (408 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: radiotap:wlan_radio:wlan]
Radiotap Header v0, Length 15
    Header revision: 0
    Header pad: 0
    Header length: 15
    Present flags
        Present flags word: 0x0000002a
    Flags: 0x50
        .... ...0 = CFP: False
        .... ..0. = Preamble: Long
        .... .0.. = WEP: False
        .... 0... = Fragmentation: False
        ...1 .... = FCS at end: True
        ..0. .... = Data Pad: False
        .1.. .... = Bad FCS: True
        0... .... = Short GI: False
    Channel frequency: 0
    Channel flags: 0x0000
        .... .... .... ...0 = 700 MHz spectrum: False
        .... .... .... ..0. = 800 MHz spectrum: False
        .... .... .... .0.. = 900 MHz spectrum: False
        .... .... ...0 .... = Turbo: False
        .... .... ..0. .... = Complementary Code Keying (CCK): False
        .... .... .0.. .... = Orthogonal Frequency-Division Multiplexing (OFDM): False
        .... .... 0... .... = 2 GHz spectrum: False
        .... ...0 .... .... = 5 GHz spectrum: False
        .... ..0. .... .... = Passive: False
        .... .0.. .... .... = Dynamic CCK-OFDM: False
        .... 0... .... .... = Gaussian Frequency Shift Keying (GFSK): False
        ...0 .... .... .... = GSM (900MHz): False
        ..0. .... .... .... = Static Turbo: False
        .0.. .... .... .... = Half Rate Channel (10MHz Channel Width): False
        0... .... .... .... = Quarter Rate Channel (5MHz Channel Width): False
    Antenna signal: 0 dBm
802.11 radio information
    Signal strength (dBm): 0 dBm
IEEE 802.11 Action, Flags: ........C
    Type/Subtype: Action (0x000d)
    Frame Control Field: 0xd000
    .000 0001 0011 1010 = Duration: 314 microseconds
    Receiver address: Shenzhen_7b:fa:54 (78:a3:51:7b:fa:54)
    Destination address: Shenzhen_7b:fa:54 (78:a3:51:7b:fa:54)
    Transmitter address: ee:52:2a:09:59:ba (ee:52:2a:09:59:ba)
    Source address: ee:52:2a:09:59:ba (ee:52:2a:09:59:ba)
    BSS Id: Shenzhen_7b:fa:54 (78:a3:51:7b:fa:54)
    .... .... .... 0000 = Fragment number: 0
    0001 1110 1010 .... = Sequence number: 490
    Frame check sequence: 0x0008003c [unverified]
    [FCS Status: Unverified]
IEEE 802.11 Wireless Management
    Fixed parameters
        Category code: Radio Measurement (5)
        Action code: Radio Measurement Report (1)
        Dialog token: 248
    Tagged parameters (5 bytes)
        Tag: Measurement Report
            Tag Number: Measurement Report (39)
            Tag length: 3
            Measurement Token: 0x01
            Measurement Report Mode: 0x0f
                .... ...1 = Late: Yes
                .... ..1. = Incapable: Yes
                .... .1.. = Refused: Yes
                0000 1... = Reserved: 0x01
            Measurement Report Type: Beacon Report (0x05)

Broadcast from client

Frame 6941: 101 bytes on wire (808 bits), 101 bytes captured (808 bits) on interface \Device\NPF_{73821B95-2F48-4164-9757-0534C462273F}, id 0
    Section number: 1
    Interface id: 0 (\Device\NPF_{73821B95-2F48-4164-9757-0534C462273F})
        Interface name: \Device\NPF_{73821B95-2F48-4164-9757-0534C462273F}
        Interface description: Беспроводная сеть
    Encapsulation type: IEEE 802.11 plus radiotap radio header (23)
    Arrival Time: Jun  3, 2023 16:46:39.334304000 RTZ 2 (зима)
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1685799999.334304000 seconds
    [Time delta from previous captured frame: 0.012983000 seconds]
    [Time delta from previous displayed frame: 0.012983000 seconds]
    [Time since reference or first frame: 29.045033000 seconds]
    Frame Number: 6941
    Frame Length: 101 bytes (808 bits)
    Capture Length: 101 bytes (808 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: radiotap:wlan_radio:wlan:data]
Radiotap Header v0, Length 15
    Header revision: 0
    Header pad: 0
    Header length: 15
    Present flags
        Present flags word: 0x0000002a
    Flags: 0x50
        .... ...0 = CFP: False
        .... ..0. = Preamble: Long
        .... .0.. = WEP: False
        .... 0... = Fragmentation: False
        ...1 .... = FCS at end: True
        ..0. .... = Data Pad: False
        .1.. .... = Bad FCS: True
        0... .... = Short GI: False
    Channel frequency: 0
    Channel flags: 0x0000
        .... .... .... ...0 = 700 MHz spectrum: False
        .... .... .... ..0. = 800 MHz spectrum: False
        .... .... .... .0.. = 900 MHz spectrum: False
        .... .... ...0 .... = Turbo: False
        .... .... ..0. .... = Complementary Code Keying (CCK): False
        .... .... .0.. .... = Orthogonal Frequency-Division Multiplexing (OFDM): False
        .... .... 0... .... = 2 GHz spectrum: False
        .... ...0 .... .... = 5 GHz spectrum: False
        .... ..0. .... .... = Passive: False
        .... .0.. .... .... = Dynamic CCK-OFDM: False
        .... 0... .... .... = Gaussian Frequency Shift Keying (GFSK): False
        ...0 .... .... .... = GSM (900MHz): False
        ..0. .... .... .... = Static Turbo: False
        .0.. .... .... .... = Half Rate Channel (10MHz Channel Width): False
        0... .... .... .... = Quarter Rate Channel (5MHz Channel Width): False
    Antenna signal: 0 dBm
802.11 radio information
    Signal strength (dBm): 0 dBm
IEEE 802.11 QoS Data, Flags: .p.....TC
    Type/Subtype: QoS Data (0x0028)
    Frame Control Field: 0x8841
    .000 0000 0011 0000 = Duration: 48 microseconds
    Receiver address: Shenzhen_7b:fa:54 (78:a3:51:7b:fa:54)
    Transmitter address: ee:52:2a:09:59:ba (ee:52:2a:09:59:ba)
    Destination address: Broadcast (ff:ff:ff:ff:ff:ff)
    Source address: ee:52:2a:09:59:ba (ee:52:2a:09:59:ba)
    BSS Id: Shenzhen_7b:fa:54 (78:a3:51:7b:fa:54)
    STA address: ee:52:2a:09:59:ba (ee:52:2a:09:59:ba)
    .... .... .... 0000 = Fragment number: 0
    0100 1010 1000 .... = Sequence number: 1192
    Frame check sequence: 0x007036f9 [unverified]
    [FCS Status: Unverified]
    Qos Control: 0x0000
        .... .... .... 0000 = TID: 0
        [.... .... .... .000 = Priority: Best Effort (Best Effort) (0)]
        .... .... ...0 .... = QoS bit 4: Bits 8-15 of QoS Control field are TXOP Duration Requested
        .... .... .00. .... = Ack Policy: Normal Ack (0x0)
        .... .... 0... .... = Payload Type: MSDU
        0000 0000 .... .... = TXOP Duration Requested: 0 (no TXOP requested)
    WEP parameters
        Initialization Vector: 0x00000c
        Key Index: 0
        WEP ICV: 0x0770d10f (not verified)
Data (48 bytes)

Clent MAC 70:8A:09:DF:F1:BC
AP MAC 78:a3:51:7b:fa:54

Who makes the decision to move to target_bssid=78:a3:51:7b:fa:54

daemon.info dawn: Client 70:8A:09:DF:F1:BC: Kicking due to low active data transfer: RX rate 9.000000 below 256 limit
daemon.notice hostapd: wlan0: BSS-TM-RESP 70:8a:09:df:f1:bc status_code=0 bss_termination_delay=0 target_bssid=78:a3:51:7b:fa:54

but other device respopnce is

daemon.notice hostapd: wlan0: BSS-TM-RESP 5c:77:76:93:38:cb status_code=7 bss_termination_delay=0

and they dont obey

daemon.notice hostapd: wlan0: BSS-TM-RESP ee:52:2a:09:59:ba status_code=0 bss_termination_delay=0 target_bssid=e0:e1:a9:b5:9d:03

so what is status_code anyway it can be 0 ,1 or 7 what are those statuses ?
and what is BSS-TM-RESP
ive noticed that if status_code !=0 it wont roam

Tue Jun  6 06:47:55 2023 kern.info kernel: [  118.363841] do_page_fault(): sending SIGSEGV to dawn for invalid read access from 77dff0b0
Tue Jun  6 06:47:55 2023 kern.info kernel: [  118.380540] epc = 00403c19 in dawn[400000+13000]
Tue Jun  6 06:47:55 2023 kern.info kernel: [  118.389805] ra  = 00403c17 in dawn[400000+13000]

What are those errors?


Tue Jun  6 06:49:26 2023 daemon.err dawn: connect_cb()=tcpsocket.c@319 Connection failed (ERROR)
Tue Jun  6 06:49:26 2023 daemon.err dawn: connect_cb()=tcpsocket.c@319 Connection failed (ERROR)