WiFi 802.11rkw disconnects all stations 5 days after boot

I create 2 AP on OpenWrt 23 enebled 802.11 rkv all works fine
but notice in 5-12 days all the sudden all STA got disconected ans all STA goes to other AP and they dont connect to the problem AP anymore,
if i reboot or reload wlan0 or just start/end scan wifi all works but why it hapend ? i got the moment in my log

10:59:09 2024 daemon.info hostapd: wlan0: STA 12:a2:c7:78:4d:cc IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
10:59:09 2024 daemon.debug hostapd: wlan0: STA 12:a2:c7:78:4d:cc MLME: MLME-DEAUTHENTICATE.indication(12:a2:c7:78:4d:cc, 2)
10:59:09 2024 daemon.debug hostapd: wlan0: STA 12:a2:c7:78:4d:cc MLME: MLME-DELETEKEYS.request(12:a2:c7:78:4d:cc)
10:59:31 2024 daemon.debug hostapd: wlan0: WPA GMK rekeyd
10:59:31 2024 daemon.debug hostapd: wlan0: WPA rekeying GTK
10:59:31 2024 daemon.debug hostapd: wlan0: STA 22:96:4e:88:8e:7a WPA: sending 1/2 msg of Group Key Handshake
10:59:31 2024 daemon.debug hostapd: wlan0: STA b6:b8:a2:c2:05:b2 WPA: sending 1/2 msg of Group Key Handshake
10:59:31 2024 daemon.debug hostapd: wlan0: STA 6e:64:fa:ff:86:29 WPA: sending 1/2 msg of Group Key Handshake
10:59:31 2024 daemon.debug hostapd: wlan0: STA 54:ef:33:58:bc:6e WPA: sending 1/2 msg of Group Key Handshake
10:59:31 2024 daemon.debug hostapd: wlan0: STA a8:31:62:5e:ec:df WPA: sending 1/2 msg of Group Key Handshake
10:59:31 2024 daemon.debug hostapd: wlan0: STA 6e:64:fa:ff:86:29 IEEE 802.1X: did not Ack EAPOL-Key frame (broadcast index=0)
10:59:31 2024 daemon.debug hostapd: wlan0: STA 22:96:4e:88:8e:7a WPA: EAPOL-Key timeout
10:59:31 2024 daemon.debug hostapd: wlan0: STA 22:96:4e:88:8e:7a WPA: sending 1/2 msg of Group Key Handshake
10:59:31 2024 daemon.debug hostapd: wlan0: STA b6:b8:a2:c2:05:b2 WPA: EAPOL-Key timeout
10:59:31 2024 daemon.debug hostapd: wlan0: STA b6:b8:a2:c2:05:b2 WPA: sending 1/2 msg of Group Key Handshake
10:59:31 2024 daemon.debug hostapd: wlan0: STA 6e:64:fa:ff:86:29 WPA: EAPOL-Key timeout
10:59:31 2024 daemon.debug hostapd: wlan0: STA 6e:64:fa:ff:86:29 WPA: sending 1/2 msg of Group Key Handshake
10:59:31 2024 daemon.debug hostapd: wlan0: STA 54:ef:33:58:bc:6e WPA: EAPOL-Key timeout
10:59:31 2024 daemon.debug hostapd: wlan0: STA 54:ef:33:58:bc:6e WPA: sending 1/2 msg of Group Key Handshake
10:59:31 2024 daemon.debug hostapd: wlan0: STA a8:31:62:5e:ec:df WPA: EAPOL-Key timeout
10:59:31 2024 daemon.debug hostapd: wlan0: STA a8:31:62:5e:ec:df WPA: sending 1/2 msg of Group Key Handshake
10:59:32 2024 daemon.debug hostapd: wlan0: STA 6e:64:fa:ff:86:29 IEEE 802.1X: did not Ack EAPOL-Key frame (broadcast index=0)
10:59:32 2024 daemon.debug hostapd: wlan0: STA 22:96:4e:88:8e:7a WPA: EAPOL-Key timeout
10:59:32 2024 daemon.debug hostapd: wlan0: STA 22:96:4e:88:8e:7a WPA: sending 1/2 msg of Group Key Handshake
10:59:32 2024 daemon.debug hostapd: wlan0: STA b6:b8:a2:c2:05:b2 WPA: EAPOL-Key timeout
10:59:32 2024 daemon.debug hostapd: wlan0: STA b6:b8:a2:c2:05:b2 WPA: sending 1/2 msg of Group Key Handshake
10:59:32 2024 daemon.debug hostapd: wlan0: STA 6e:64:fa:ff:86:29 WPA: EAPOL-Key timeout
10:59:32 2024 daemon.debug hostapd: wlan0: STA 6e:64:fa:ff:86:29 WPA: sending 1/2 msg of Group Key Handshake
10:59:32 2024 daemon.debug hostapd: wlan0: STA 54:ef:33:58:bc:6e WPA: EAPOL-Key timeout
10:59:32 2024 daemon.debug hostapd: wlan0: STA 54:ef:33:58:bc:6e WPA: sending 1/2 msg of Group Key Handshake
10:59:32 2024 daemon.debug hostapd: wlan0: STA a8:31:62:5e:ec:df WPA: EAPOL-Key timeout
10:59:32 2024 daemon.debug hostapd: wlan0: STA a8:31:62:5e:ec:df WPA: sending 1/2 msg of Group Key Handshake
10:59:33 2024 daemon.debug hostapd: wlan0: STA 6e:64:fa:ff:86:29 IEEE 802.1X: did not Ack EAPOL-Key frame (broadcast index=0)
10:59:33 2024 daemon.debug hostapd: wlan0: STA 22:96:4e:88:8e:7a WPA: EAPOL-Key timeout
10:59:33 2024 daemon.debug hostapd: wlan0: STA 22:96:4e:88:8e:7a WPA: sending 1/2 msg of Group Key Handshake
10:59:33 2024 daemon.debug hostapd: wlan0: STA b6:b8:a2:c2:05:b2 WPA: EAPOL-Key timeout
10:59:33 2024 daemon.debug hostapd: wlan0: STA b6:b8:a2:c2:05:b2 WPA: sending 1/2 msg of Group Key Handshake
10:59:33 2024 daemon.debug hostapd: wlan0: STA 6e:64:fa:ff:86:29 WPA: EAPOL-Key timeout
10:59:33 2024 daemon.debug hostapd: wlan0: STA 6e:64:fa:ff:86:29 WPA: sending 1/2 msg of Group Key Handshake
10:59:33 2024 daemon.debug hostapd: wlan0: STA 54:ef:33:58:bc:6e WPA: EAPOL-Key timeout
10:59:33 2024 daemon.debug hostapd: wlan0: STA 54:ef:33:58:bc:6e WPA: sending 1/2 msg of Group Key Handshake
10:59:33 2024 daemon.debug hostapd: wlan0: STA a8:31:62:5e:ec:df WPA: EAPOL-Key timeout
10:59:33 2024 daemon.debug hostapd: wlan0: STA a8:31:62:5e:ec:df WPA: sending 1/2 msg of Group Key Handshake
10:59:34 2024 daemon.debug hostapd: wlan0: STA 6e:64:fa:ff:86:29 IEEE 802.1X: did not Ack EAPOL-Key frame (broadcast index=0)
10:59:34 2024 daemon.debug hostapd: wlan0: STA 22:96:4e:88:8e:7a WPA: EAPOL-Key timeout
10:59:34 2024 daemon.info hostapd: wlan0: STA 22:96:4e:88:8e:7a WPA: group key handshake failed (RSN) after 4 tries
10:59:34 2024 daemon.debug hostapd: wlan0: STA 22:96:4e:88:8e:7a WPA: WPA_PTK: sm->Disconnect
10:59:34 2024 daemon.notice hostapd: wlan0: AP-STA-DISCONNECTED 22:96:4e:88:8e:7a
10:59:34 2024 daemon.debug hostapd: wlan0: STA 22:96:4e:88:8e:7a WPA: event 3 notification
10:59:34 2024 daemon.debug hostapd: wlan0: STA 22:96:4e:88:8e:7a IEEE 802.1X: unauthorizing port
10:59:34 2024 daemon.debug hostapd: wlan0: STA b6:b8:a2:c2:05:b2 WPA: EAPOL-Key timeout
10:59:34 2024 daemon.info hostapd: wlan0: STA b6:b8:a2:c2:05:b2 WPA: group key handshake failed (RSN) after 4 tries
10:59:34 2024 daemon.debug hostapd: wlan0: STA b6:b8:a2:c2:05:b2 WPA: WPA_PTK: sm->Disconnect
10:59:34 2024 daemon.notice hostapd: wlan0: AP-STA-DISCONNECTED b6:b8:a2:c2:05:b2
10:59:34 2024 daemon.debug hostapd: wlan0: STA b6:b8:a2:c2:05:b2 WPA: event 3 notification
10:59:34 2024 daemon.debug hostapd: wlan0: STA b6:b8:a2:c2:05:b2 IEEE 802.1X: unauthorizing port
10:59:34 2024 daemon.debug hostapd: wlan0: STA 6e:64:fa:ff:86:29 WPA: EAPOL-Key timeout
10:59:34 2024 daemon.info hostapd: wlan0: STA 6e:64:fa:ff:86:29 WPA: group key handshake failed (RSN) after 4 tries
10:59:34 2024 daemon.debug hostapd: wlan0: STA 6e:64:fa:ff:86:29 WPA: WPA_PTK: sm->Disconnect
10:59:34 2024 daemon.notice hostapd: wlan0: AP-STA-DISCONNECTED 6e:64:fa:ff:86:29
10:59:34 2024 daemon.debug hostapd: wlan0: STA 6e:64:fa:ff:86:29 WPA: event 3 notification
10:59:35 2024 daemon.debug hostapd: wlan0: STA 6e:64:fa:ff:86:29 IEEE 802.1X: unauthorizing port
10:59:35 2024 daemon.debug hostapd: wlan0: STA 54:ef:33:58:bc:6e WPA: EAPOL-Key timeout
10:59:35 2024 daemon.info hostapd: wlan0: STA 54:ef:33:58:bc:6e WPA: group key handshake failed (RSN) after 4 tries
10:59:35 2024 daemon.debug hostapd: wlan0: STA 54:ef:33:58:bc:6e WPA: WPA_PTK: sm->Disconnect
10:59:35 2024 daemon.notice hostapd: wlan0: AP-STA-DISCONNECTED 54:ef:33:58:bc:6e
10:59:35 2024 daemon.debug hostapd: wlan0: STA 54:ef:33:58:bc:6e WPA: event 3 notification
10:59:35 2024 daemon.debug hostapd: wlan0: STA 54:ef:33:58:bc:6e IEEE 802.1X: unauthorizing port
10:59:35 2024 daemon.debug hostapd: wlan0: STA 6e:64:fa:ff:86:29 MLME: MLME-DEAUTHENTICATE.indication(6e:64:fa:ff:86:29, 16)
10:59:35 2024 daemon.debug hostapd: wlan0: STA 6e:64:fa:ff:86:29 MLME: MLME-DELETEKEYS.request(6e:64:fa:ff:86:29)
10:59:35 2024 daemon.debug hostapd: wlan0: STA a8:31:62:5e:ec:df WPA: EAPOL-Key timeout
10:59:35 2024 daemon.info hostapd: wlan0: STA a8:31:62:5e:ec:df WPA: group key handshake failed (RSN) after 4 tries
10:59:35 2024 daemon.debug hostapd: wlan0: STA a8:31:62:5e:ec:df WPA: WPA_PTK: sm->Disconnect
10:59:35 2024 daemon.notice hostapd: wlan0: AP-STA-DISCONNECTED a8:31:62:5e:ec:df
10:59:35 2024 daemon.debug hostapd: wlan0: STA a8:31:62:5e:ec:df WPA: event 3 notification
10:59:35 2024 daemon.debug hostapd: wlan0: STA a8:31:62:5e:ec:df IEEE 802.1X: unauthorizing port
10:59:35 2024 daemon.debug hostapd: wlan0: STA 54:ef:33:58:bc:6e MLME: MLME-DEAUTHENTICATE.indication(54:ef:33:58:bc:6e, 16)
10:59:35 2024 daemon.debug hostapd: wlan0: STA 54:ef:33:58:bc:6e MLME: MLME-DELETEKEYS.request(54:ef:33:58:bc:6e)
10:59:35 2024 daemon.debug hostapd: wlan0: STA a8:31:62:5e:ec:df MLME: MLME-DEAUTHENTICATE.indication(a8:31:62:5e:ec:df, 16)
10:59:35 2024 daemon.debug hostapd: wlan0: STA a8:31:62:5e:ec:df MLME: MLME-DELETEKEYS.request(a8:31:62:5e:ec:df)
10:59:36 2024 daemon.debug hostapd: wlan0: STA 22:96:4e:88:8e:7a MLME: MLME-DEAUTHENTICATE.indication(22:96:4e:88:8e:7a, 16)
10:59:36 2024 daemon.debug hostapd: wlan0: STA 22:96:4e:88:8e:7a MLME: MLME-DELETEKEYS.request(22:96:4e:88:8e:7a)
10:59:36 2024 daemon.debug hostapd: wlan0: STA 22:96:4e:88:8e:7a MLME: MLME-DEAUTHENTICATE.indication(22:96:4e:88:8e:7a, 16)
10:59:36 2024 daemon.debug hostapd: wlan0: STA 22:96:4e:88:8e:7a MLME: MLME-DELETEKEYS.request(22:96:4e:88:8e:7a)
10:59:36 2024 daemon.debug hostapd: wlan0: STA b6:b8:a2:c2:05:b2 MLME: MLME-DEAUTHENTICATE.indication(b6:b8:a2:c2:05:b2, 16)
10:59:36 2024 daemon.debug hostapd: wlan0: STA b6:b8:a2:c2:05:b2 MLME: MLME-DELETEKEYS.request(b6:b8:a2:c2:05:b2)
10:59:36 2024 daemon.debug hostapd: wlan0: STA b6:b8:a2:c2:05:b2 MLME: MLME-DEAUTHENTICATE.indication(b6:b8:a2:c2:05:b2, 16)
10:59:36 2024 daemon.debug hostapd: wlan0: STA b6:b8:a2:c2:05:b2 MLME: MLME-DELETEKEYS.request(b6:b8:a2:c2:05:b2)
10:59:39 2024 daemon.info hostapd: wlan0: STA 22:96:4e:88:8e:7a IEEE 802.11: deauthenticated due to local deauth request
10:59:39 2024 daemon.info hostapd: wlan0: STA b6:b8:a2:c2:05:b2 IEEE 802.11: deauthenticated due to local deauth request
10:59:40 2024 daemon.info hostapd: wlan0: STA 6e:64:fa:ff:86:29 IEEE 802.11: deauthenticated due to local deauth request
10:59:40 2024 daemon.info hostapd: wlan0: STA 54:ef:33:58:bc:6e IEEE 802.11: deauthenticated due to local deauth request
10:59:40 2024 daemon.info hostapd: wlan0: STA a8:31:62:5e:ec:df IEEE 802.11: deauthenticated due to local deauth request

Can anyone determinate what couses the problem?
And i notice this isue only whatn my APs configurated like one FT domain
This is one of my wireless config


config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option txpower '19'
	option cell_density '0'
	option country 'RU'
	option beacon_int '100'
	option log_level '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'WiFiAP'
	option encryption 'psk2'
	option key '12345678'
	option ieee80211r '1'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option ieee80211k '1'
	option time_advertisement '2'
	option time_zone 'MSK-3'
	option bss_transition '1'
	option ifname 'wlan0'
	option max_inactivity '60'
	option disassoc_low_ack '0'
	option dtim_period '3'
	option mobility_domain '1111'
	option reassociation_deadline '20000'
	option ieee80211w '1'


Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
1 Like

board

root@kika_2:~# ubus call system board
{
        "kernel": "5.15.137",
        "hostname": "kika_2",
        "system": "Qualcomm Atheros QCA9533 ver 2 rev 0",
        "model": "COMFAST CF-E110N v2",
        "board_name": "comfast,cf-e110n-v2",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "ath79/generic",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}

network

root@kika_2:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'

root@kika_2:~#

DHCP

root@kika_2:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'
        option dynamicdhcp '0'
        option master '1'
        option dhcpv6 'disabled'
        option ra 'disabled'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@kika_2:~#

firewall

root@kika_2:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

root@kika_2:~#

wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option txpower '19'
	option cell_density '0'
	option country 'RU'
	option beacon_int '100'
	option log_level '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'WiFiAP'
	option encryption 'psk2'
	option key '12345678'
	option ieee80211r '1'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option ieee80211k '1'
	option time_advertisement '2'
	option time_zone 'MSK-3'
	option bss_transition '1'
	option ifname 'wlan0'
	option max_inactivity '60'
	option disassoc_low_ack '0'
	option dtim_period '3'
	option mobility_domain '1111'
	option reassociation_deadline '20000'
	option ieee80211w '1'

Both STA are dumb APs
when AP disconect all the STA in luci interface wireless all looks good

That is easily derivable from config.

Does it disconnect if you disable all kvr?

Looks like rekey did not go down well, but they should have roamed to other radio at this point.
Are all clients same? Likely they do not like 11R and rekey. Disabling 11R roaming will take 1.3s ipo 0.3s, others assist dawn or usteer to help clients find better AP.

1 Like

No usteer and no DAWN
i use script that execute 1 command when wifi STA signal levle lower than -70dB
on boot i eneble evrythin by command:

ubus call hostapd.$wlan bss_mgmt_enable "{ 'neighbor_report': true, 'beacon_report': true, 'link_measurements': true, 'bss_transition': true }"
ubus call hostapd.wlan0 bss_transition_request '{ "addr": "B6:B8:A2:C2:05:B2", "disassociation_imminent": true, "disassociation_timer": 7, "validity_period": 30, "neighbors": ["e0e1a9b593d3ef090000510b070603000b00"], "abridged": true }'

And all works fine actually for days
All the client are the same all the time
And they all romed to the other AP and they stay there even if thay got disconected they come back to the same AP
is it posible to fix this problem ?

Could be that during rekey 2 seconds low signal was wrongly reported and your script did the punching?

i didnt get it , there are 4 devices and some of them wifi cameras and some smartphones, my script only execute offer to go to other AP and if STA has less than 8Mbit MSC disassociation_timer=0 secunds so no dissociation and if more disassociation_timer=7 secunds
I dont understand punching there is no other comand than dissatiate
i can only say one thing for sure at that moment script didnt do anything so that means all 4 devices had good signal and wasnt trigered by my script
Some says it is option wpa_group_rekey problem but disabling wll weaken encription

Add logger in your script.

my script does log all events that goes in my script
what else i can add?
also i see R0 Key Lifetime in wifi roaming settings which by default suposed to be 10 000 minutes (6.9 days ) but it was 5 days and anyway why rekign makes it probem idk.
is there any way i can see R0 Key Lifetime somwhere in system like how many minutes to next rekying etc

There is hostapd_cli , shows a bit more than iw or iwinfo

the problem is it happens once within 5-14 days so i cant do anything for now
first i will try to wpa_group_rekey make 60 seconds like it is recomended some says
I have noticed the failure rate increases as wpa_group_rekey on hostapd is increased: 3% failure at 60, 25% at 600, 87% at 3600, and 99% at 86400
maybe it will help
adn check logs for WPA_PTK: sm->Disconnect if it happens

You do not need 11R to successfuly roam across. You can even check for "FT" in places you see "RSN" in your log -if it ever succeeded.

I need FT for smartphones that uses that tecnology and it works.
Actually all works fine for 5 days
wpa_group_rekey rekeys keys every 10 minutes so about 144 times a day
and then next rekeys and all the connected STA didnt answer so rekying is not complete and AP dissaciates all the STA that is not responced for rekying
and after that none can connect to this AP.
You think that disablimg 802.11r can solve this problem and somehow affects reking process?

Question is whether FT ever succeeded. If not then you can safely disable it.

1 Like

FT works checked many times

Mon Sep  9 19:54:36 2024 daemon.debug hostapd: wlan0: STA 6e:64:fa:ff:86:29 IEEE 802.11: binding station to interface 'wlan0'
Mon Sep  9 19:54:36 2024 daemon.debug hostapd: wlan0: STA 6e:64:fa:ff:86:29 IEEE 802.11: authentication OK (FT)
Mon Sep  9 19:54:36 2024 daemon.debug hostapd: wlan0: STA 6e:64:fa:ff:86:29 MLME: MLME-AUTHENTICATE.indication(6e:64:fa:ff:86:29, FT)
Mon Sep  9 19:54:36 2024 daemon.debug hostapd: wlan0: STA 6e:64:fa:ff:86:29 IEEE 802.11: association OK (aid 3)
Mon Sep  9 19:54:36 2024 daemon.info hostapd: wlan0: STA 6e:64:fa:ff:86:29 IEEE 802.11: associated (aid 3)
Mon Sep  9 19:54:36 2024 daemon.notice hostapd: wlan0: AP-STA-CONNECTED 6e:64:fa:ff:86:29 auth_alg=ft
Mon Sep  9 19:54:36 2024 daemon.debug hostapd: wlan0: STA 6e:64:fa:ff:86:29 MLME: MLME-REASSOCIATE.indication(6e:64:fa:ff:86:29)
Mon Sep  9 19:54:36 2024 daemon.debug hostapd: wlan0: STA 6e:64:fa:ff:86:29 IEEE 802.11: binding station to interface 'wlan0'
Mon Sep  9 19:54:36 2024 daemon.debug hostapd: wlan0: STA 6e:64:fa:ff:86:29 WPA: event 6 notification
Mon Sep  9 19:54:36 2024 daemon.debug hostapd: wlan0: STA 6e:64:fa:ff:86:29 WPA: FT authentication already completed - do not start 4-way handshake

1 Like

Disable it anyway.