BIG BUG- Unicast key exchange timeout

Junim · Thu Aug 07, 2008 2:40 am

Mikrotik 3.x have a bug with WPA and WPA2.

In wpa, wpa2, tkip or aes... all configuration log: "unicast key exchange timeout" or "GROUP KEY EXCHANGE TIME OUT" or something else.

See topics:

http://forum.mikrotik.com/viewtopic.php ... nicast+key
my post - http://forum.mikrotik.com/viewtopic.php ... hilit=wpa2
http://forum.mikrotik.com/viewtopic.php ... nicast+key

Nobody solved the problem.
Does the 3.12 will right?

Jawssaus · Sun Aug 17, 2008 5:40 am

Excactly the same problem (error) here. Its a link between a RB133C and RB600 with R51H cards.
They are running software version 3.13
WPA2 encryption

lehonk · Sat Dec 13, 2008 2:01 pm

Any news on this topic?

We are still having these issues with Linksys Clients and WPA/WPA2 encryption.

fx242 · Sat Dec 20, 2008 3:03 am

I was stuck with this error for ages! I recently found a workaround by changing the security profile to use WPA AES CCN (as the only option)! Maybe the problem is the TKIP support or something with the protocol negotiation.
Hope this helps, as i've tried before with different NICs (R52 and Gigabyte) and different clients (atheros and ralink) but my RB333 always filled the log with those errors.

TL

chernobyl · Sun Dec 21, 2008 1:08 am

This are mine log events

- AP side (RB333, ROS 3.9, firmware 2.14)

18:03:01 wireless,info 00:0C:42:xx:yy:zz@wlan2: connected
18:07:31 wireless,info 00:0C:42:xx:yy:zz@wlan2: disconnected, group key exchange timeout
18:07:35 wireless,info 00:0C:42:xx:yy:zz@wlan2: connected
18:07:40 wireless,info 00:0C:42:xx:yy:zz@wlan2: disconnected, unicast key exchange timeout
18:07:45 wireless,info 00:0C:42:xx:yy:zz@wlan2: connected
/interface wireless registration-table print stats
...
interface=wlan2 radio-name="000C42XXYYZZ" mac-address=00:0C:42:XX:YY:ZZ ap=no wds=no rx-rate="36Mbps" tx-rate="24Mbps" packets=361,350
bytes=22139,25685 frames=361,358 frame-bytes=20297,24481 hw-frames=857,375 hw-frame-bytes=76109,39224 tx-frames-timed-out=0 uptime=14m53s
last-activity=930ms signal-strength=-80dBm@36Mbps signal-to-noise=19dB
strength-at-rates=-77dBm@6Mbps 3s350ms,-77dBm@9Mbps 14m47s610ms,-77dBm@12Mbps 14m39s960ms,-80dBm@18Mbps 14m20s950ms,-79dBm@24Mbps 16s750ms,
-80dBm@36Mbps 930ms,-78dBm@48Mbps 35s870ms
tx-signal-strength=-81dBm tx-ccq=69% rx-ccq=78% p-throughput=16214 ack-timeout=50 nstreme=no framing-mode=none routeros-version="2.9.51"
last-ip=172.16.2.57 802.1x-port-enabled=yes authentication-type=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm compression=no
wmm-enabled=no

- Client side (RB133C3, ROS 2.9.51, firmware 2.12)

18:03:01 wireless,info 00:0C:42:aa:bb:cc@wlan1 established connection on 5320, SSID xx
18:07:31 wireless,info 00:0C:42:aa:bb:cc@wlan1: lost connection, got deauth: group key handshake timeout (16)
18:07:35 wireless,info 00:0C:42:aa:bb:cc@wlan1 established connection on 5320, SSID xx
18:07:40 wireless,info 00:0C:42:aa:bb:cc@wlan1: lost connection, got deauth: 4-way handshake timeout (15)
18:07:45 wireless,info 00:0C:42:aa:bb:cc@wlan1 established connection on 5320, SSID xx

Ok, signal maybe is not so good, but this problem happens also with Nanostation, which take minutes to reconnect, also after a power cycle.

lehonk · Mon Dec 29, 2008 4:15 pm

I was stuck with this error for ages! I recently found a workaround by changing the security profile to use WPA AES CCN (as the only option)! Maybe the problem is the TKIP support or something with the protocol negotiation.
Hope this helps, as i've tried before with different NICs (R52 and Gigabyte) and different clients (atheros and ralink) but my RB333 always filled the log with those errors.

Well, at least i have a direction to work in now. My next step would have been to change NICs, but I'll trust in your experience.

kbyrd · Fri Apr 03, 2009 10:05 pm

i got around this problem in a very complicated way, the problem appeared to be that the wds-slaves would try to connect to ap with default security profile but the ap side of the wds-slave would use the profile1 of the security profile.

there are 4 wds-slaves using profile1 and 1 ap bridge

when ap bridge is set to profile1 i get the key exchange timeout, so what i did was have the 4 wds-slaves set to profile1 with the wpa2 turned on and the ap bridge one set to default on security profiles and all 4 connect fine and pass traffic and you have to use the passkey to connect to the wds-slaves but the ap is set to wide open.

so now 4 work fine but main is not secure, so i did access-list rules to only allow the repeaters to connect to wlan1 interface and hid ssid on the ap-bridge and on the repeaters i put a connect-list to make the repeaters connect to the wlan1 with the mac address and another rule to not connect to anything else, then on the ap-bridge i created a virtual ap with the same ssid as wlan1 and set that security profile to profile1 and all is good.

now passkey works on all ap's

if you can filter through all my ramblings it may make sense but its running with wds-slaves and wpa2 and basicly the main ap is set to default and the repeaters have a security profile. So it looks like the client side of wds-slave uses default and the ap side uses whatever you set in the wireless settings. it did work at first just comes and goes like its a bug that randomly uses the default or just doesnt use encryption.
ill do some test where instead of adding profile1 ill just edit default and see if it works.

cdiggity · Mon Apr 06, 2009 9:54 am

I have never been able to get WDS aka ap-bridge mode and WPA (psk) to work on routeros 3.x. Windows can connect fine but mikrotik to mikrotik ap-bridge WPA-PSK can not, nor have I ever heard of anyone having it working. I think it is safe to say it's broken! Feel free to prove me wrong.

This page: http://wiki.mikrotik.com/wiki/Mesh_wds shows a config for WPA-EAP which does seem to work for ap-bridge mode (after very brief testing) but windows clients complain they can't find a certificate.

I wouldn't call this thread dead, it is just a long standing defect in routeros. Lots of people seem to have this problem and the only answer to have windows clients and mikrotik WDS from the same SSID is to use WEP, which is only marginally better than no security at all.

Mon Apr 06, 2009 11:37 am

WDS and WPA is working between two mikrotik routers.
First make sure that you have specified the correct security profile in the connect-list if you are using it.
Second, we recommend to use wds-mode=dynamic-mesh or static-mesh as it has better link establishemnt for WDS and with that WAP will work better. Note that those new WDS modes are not compatible with the old ones.

cdiggity · Tue Apr 07, 2009 7:37 am

I am not using the connect list. I have the MAC addresses specified with wds mode static.

wds-mode=dynamic-mesh and static-mesh don't appear in the manual nor can anyone find out anything them.

WDS using ap-bridge and wds-mode=static with WPA-psk does not work on mikrotik routeros. It is broken until someone can prove otherwise by providing a working example.

iddqd · Thu Jun 18, 2009 10:03 pm

WDS and WPA is working between two mikrotik routers.
First make sure that you have specified the correct security profile in the connect-list if you are using it.
Second, we recommend to use wds-mode=dynamic-mesh or static-mesh as it has better link establishemnt for WDS and with that WAP will work better. Note that those new WDS modes are not compatible with the old ones.

GREAT!! It work!
I suffered with this problem 3 days. Simply fine that has found a way out!
Here sample config I used:

#main AP
/interface wireless add name=mesh_static mac-address=00:0C:42:QQ:XA:ZZ ssid=mesh_static master-interface=wlan1 \
security-profile=secure hide-ssid=yes wds-mode=static-mesh wds-default-bridge=bridge1 disabled=no;
/interface wireless wds add name=map1 master-interface=mesh_static wds-address=0:0C:42:QQ:XB:ZZ disabled=no ;
/interface wireless wds add name=map2 master-interface=mesh_static wds-address=0:0C:42:QQ:XC:ZZ disabled=no ;
/interface wireless wds add name= map3 master-interface=mesh_static wds-address=0:0C:42:QQ:XD:ZZ disabled=no ;

#map1
/interface wireless add name=mesh_static mac-address=0:0C:42:QQ:XB:ZZ ssid=mesh_static master-interface=wlan1 \
security-profile=secure hide-ssid=yes wds-mode=static-mesh wds-default-bridge=bridge1 disabled=no;
/interface wireless wds add name=main_ap master-interface=mesh_static wds-address=0:0C:42:QQ:XA:ZZ disabled=no ;

#map2
/interface wireless add name=mesh_static mac-address=0:0C:42:QQ:XC:ZZ ssid=mesh_static master-interface=wlan1 \
security-profile=secure hide-ssid=yes wds-mode=static-mesh wds-default-bridge=bridge1 disabled=no;
/interface wireless wds add name=main_ap master-interface=mesh_static wds-address=0:0C:42:QQ:XA:ZZ disabled=no ;

#map3
/interface wireless add name=mesh_static mac-address=0:0C:42:QQ:XD:ZZ ssid=mesh_static master-interface=wlan1 \
security-profile=secure hide-ssid=yes wds-mode=static-mesh wds-default-bridge=bridge1 disabled=no;
/interface wireless wds add name=main_ap master-interface=mesh_static wds-address=0:0C:42:QQ:XA:ZZ disabled=no ;

cdiggity · Sat Aug 22, 2009 1:59 am

WDS and WPA is working between two mikrotik routers.
First make sure that you have specified the correct security profile in the connect-list if you are using it.
Second, we recommend to use wds-mode=dynamic-mesh or static-mesh as it has better link establishemnt for WDS and with that WAP will work better. Note that those new WDS modes are not compatible with the old ones.

The solution to this problem was to use the SAME SSID on all the APs.

For the static/dynamic-mesh modes the same SSID must be used as noted in the wiki they don't support "WDS IGNORE SSID".

I have also found that static/dynamic WDS modes won't work with WPA unless the same SSID is used, regardless of the "WDS IGNORE SSID" checkbox.

cdiggity · Fri Jan 22, 2010 2:13 am

I've found that using dynamic-mesh for WDS with WPA encryption does 'work', but isn't useable: the links frequently reset with messages like "no beacons received" or "class 2 frame received (6)" even when there are no clients around to connect to the APs.

I've Changed some radios from AP-bridge to station-wds and the links do not reset for months. Of course now clients can't connect to those radios.

while it is possible to do WDS with WPA in theory, in practice it doesn't work well enough.

Thought I'd better post what I have discovered to save someone else 1.5 years of frustration.

pastranini · Thu Jul 01, 2010 11:11 pm

HI i have the same problem.

If the link has not security the link works great.

Im using wpa2 and the link is good for 1 or 2 hours, but inmeadeatly falls down.

I use wep, wpa, and suddenly the log shows the message unicast key exchange timeout.

I am thinking to change the cards, I dont not how solve this problem.

Advicess ¡¡¡¡¡

thejinx · Sat May 07, 2011 2:37 pm

exact the same problem and no solution

enk · Sun May 08, 2011 11:23 am

Sometimes "unicast key exchange timeout" happens when time is not synchronized between APs. Use NTP for this purpose.

thejinx · Wed May 11, 2011 2:34 pm

i try it and no way to get a better link

bridge --------- station perfect link, no AP
ap-bridge ------ station-wds work with encryption, need AP functions, 2-3 reconnects per week

ap-bridge ------ ap-bridge work with no encryption
ap-bridge ------ slave-wds failed to select channel, no link
ap-bridge ------ ap-bridge (WPA or WPA2) unicast key exchange timeout

singal at -70
CCQ 98-100%
it is definitly a ROS problem

is it not possible to get a working WDS with ap-bridge (WPA PSK) mode ?

kalamees · Mon Aug 22, 2011 12:14 pm

Same problem here. My only solution was to use mac autentification since our organisation is small but it is not working now. How to fix this???

Tue Aug 23, 2011 12:31 pm

Same problem here. My only solution was to use mac autentification since our organisation is small but it is not working now. How to fix this???

what problem exactly you have? What is your setup?

kalamees · Tue Aug 30, 2011 11:11 am

Some clients are able to connect but most of them can only connect through mac registration tables. We had couple of new computers coming and but now they cant connect even through registration table authentication. It says "unicast key exchange timeout" on router and invalid password on client. They are using intel 3945 wireless cards with tkip ciphers.

Any help would be greatly appreciated.

Posted my configuration here

0  R name="wlan1" mtu=1500 mac-address=00:0C:42:18:95:A7 arp=enabled 
      interface-type=Atheros AR5413 mode=ap-bridge ssid="EYL-2.4G" 
      frequency=2412 band=2.4ghz-b/g scan-list=default antenna-mode=ant-a 
      wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no 
      default-authentication=yes default-forwarding=yes 
      default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no 
      security-profile=wpa compression=no

0 name="default" mode=none authentication-types="" unicast-ciphers="" 
   group-ciphers="" wpa-pre-shared-key="" wpa2-pre-shared-key="" 
   supplicant-identity="EYL-VS-01" eap-methods=passthrough 
   tls-mode=no-certificates tls-certificate=none static-algo-0=none 
   static-key-0="" static-algo-1=none static-key-1="" static-algo-2=none 
   static-key-2="" static-algo-3=none static-key-3="" 
   static-transmit-key=key-0 static-sta-private-algo=none 
   static-sta-private-key="" radius-mac-authentication=no 
   radius-mac-accounting=no radius-eap-accounting=no interim-update=0s 
   radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username 
   radius-mac-caching=disabled group-key-update=5m 
   management-protection=disabled management-protection-key="" 

 1 name="wpa" mode=dynamic-keys authentication-types=wpa-psk,wpa2-psk 
   unicast-ciphers=tkip group-ciphers=tkip wpa-pre-shared-key="*******" 
   wpa2-pre-shared-key="********" supplicant-identity="EYL-VS-01" 
   tls-mode=no-certificates tls-certificate=none static-algo-0=none 
   static-key-0="" static-algo-1=none static-key-1="" static-algo-2=none 
   static-key-2="" static-algo-3=none static-key-3="" 
   static-transmit-key=key-0 static-sta-private-algo=none 
   static-sta-private-key="" radius-mac-authentication=no 
   radius-mac-accounting=no radius-eap-accounting=no interim-update=0s 
   radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username 
   radius-mac-caching=disabled group-key-update=5m 
   management-protection=disabled management-protection-key=""

evert · Tue Oct 25, 2011 3:05 pm

Same problem for me. Trying to connect a Netgear UNIVERSAL WIFI RANGE EXTENDER (WN3000RP), but am unable to, thanks to this 'feature'...

Please fix asap!

Tue Oct 25, 2011 3:23 pm

try to switch to AES instead of TKIP.

evert · Tue Oct 25, 2011 3:58 pm

try to switch to AES instead of TKIP.

No luck. I have tried disabling tkip en enabling aes for both unicast & group ciphers, but i keep getting the same errors...

karentom · Wed May 09, 2012 12:46 pm

I have same/similar issue?

Configuration: RB433 latest MTik 5.15 as AP and several wireless clients (win xp, win 7) are connected.
One of the clients - new DELL Latitude E5520 with WIFI Intel Centrino Advanced-N 6205 (win xp sp3, latest drivers, latest BIOS) randomly breaks wireless connection and MTik log says unicast key exchange timeout. Other clients seems ok.

MTik wireless configuration:

/interface wireless security-profiles
add authentication-types=wpa2-psk group-ciphers=tkip,aes-ccm group-key-update=5m interim-update=0s management-protection=allowed mode=dynamic-keys name=xxx unicast-ciphers=tkip,aes-ccm wpa2-pre-shared-key=XXXXXXXXXXX

I tried earlier mentioned "workaround" to disable tkip in group-ciphers and unicast-ciphers but problem still exists.
I also tried downgrade to 5.14 and it is slightly better situation because it happens less but it still exist

Is this BUG supposed to be solved in 5.15 or is it possible that this BUG still exist? Please help! It is a horrible problem to figure it out the solution or workaround!

karentom · Thu May 10, 2012 9:26 am

I post here wireless, debug log and this is typical process of connection break which happens randomly: Here it is:

06:08:45 wireless,info XX:XX:XX:XX:XX:XX@wlan1: connected
06:20:27 wireless,debug wlan1: XX:XX:XX:XX:XX:XX attempts to associate
06:20:27 wireless,info XX:XX:XX:XX:XX:XX@wlan1: reassociating
06:20:27 wireless,info XX:XX:XX:XX:XX:XX@wlan1: disconnected, ok
06:20:27 wireless,debug wlan1: XX:XX:XX:XX:XX:XX not in local ACL, by default accept
06:20:27 wireless,info XX:XX:XX:XX:XX:XX@wlan1: connected
06:20:32 wireless,info XX:XX:XX:XX:XX:XX@wlan1: disconnected, unicast key exchange timeout
06:20:32 wireless,debug wlan1: XX:XX:XX:XX:XX:XX attempts to associate
06:20:32 wireless,debug wlan1: XX:XX:XX:XX:XX:XX not in local ACL, by default accept
06:20:32 wireless,info XX:XX:XX:XX:XX:XX@wlan1: connected
06:20:37 wireless,info XX:XX:XX:XX:XX:XX@wlan1: disconnected, unicast key exchange timeout
06:20:37 wireless,debug wlan1: XX:XX:XX:XX:XX:XX attempts to associate
06:20:37 wireless,debug wlan1: reject XX:XX:XX:XX:XX:XX, banned (last failure - unicast key exchange timeout)
06:20:37 wireless,debug wlan1: XX:XX:XX:XX:XX:XX attempts to associate
06:20:37 wireless,debug wlan1: reject XX:XX:XX:XX:XX:XX, banned (last failure - unicast key exchange timeout)
06:20:50 wireless,debug wlan1: XX:XX:XX:XX:XX:XX attempts to associate
06:20:50 wireless,debug wlan1: XX:XX:XX:XX:XX:XX not in local ACL, by default accept
06:20:50 wireless,info XX:XX:XX:XX:XX:XX@wlan1: connected

Can someone please give me a hint?

karentom · Sat May 12, 2012 12:09 am

Anyone, please help. Any opinion is very appreciated! I am googling around and I have found lots of post about this error - log: unicast key exchange timeout, but no solutions - just one to disable TKIP but this does not work. Is there someone from MTik team or other experts that has some experiance with wifi random dropouts and this log in Mtik.

Takv2011 · Sun May 20, 2012 5:37 am

didit7039 · Tue Jul 17, 2012 8:15 am

Same issue in here. I already upgrade the version on my mikrotik (RB411UAHL) become version 5.18 but the error "unicast key exchange timeout" still occurred.

didit7039 · Fri Jul 20, 2012 1:14 pm

Still facing same problem, even already upgrade again with the latest version 5.19 in RB411AR and RB411U.
Does any one can help?

Regards,

addictedtobass · Fri Jul 20, 2012 8:53 pm

I had same error ("disconnected, unicast key exchange timeout"), the problem was...Dune media player, which located near my MikroTIk router. When I switched Dune off, I connected to my RB/751G-2HnD successfully. So if you have this problem, try to power off all devices except MikroTik and your WiFi device.

didit7039 · Mon Jul 30, 2012 9:30 am

But... There's no dune-hd near around the mikrotik. Do you have any other suggestion ?
Thx

macsrwe · Mon Jul 30, 2012 2:55 pm

I put up a new tower a couple weeks ago, and had this problem right off the bat. The problem turned out to be a sour radio card on the AP (in my case, a UBNT XP2). Apparently the crypto hardware went faulty. Replaced the card with a MikroTik radio and it's been smooth sailing since. Try replacing your radio card?

samsung172 · Mon Jul 30, 2012 9:47 pm

downgrade to 4.17 and turn off encryption. Problem solved.

Issue happend if some radio device not following correct standard in encryption. Seen this issue a lot in hotspots, where you newer know who is connecting.

didit7039 · Mon Aug 13, 2012 11:50 am

Already monitor for 1 week (on RB411U and RB411AR) and yes... this issue were solved when we downgrade the firmware become v4.17.
Thx for the advice before ...

Regards,

leon84 · Fri Sep 07, 2012 3:45 pm

Hi to all,
I have your same problem. Is there a solution?

samsung172 · Sat Sep 15, 2012 8:57 pm

Dont use 5.X.

kevigizmo · Mon Oct 22, 2012 8:26 pm

I had an issue today with the unicast key exchange time out,

after sifting through every conceivable wireless setting on my RB751G-2HnD using ROS v5.21 (as i was making some small changes to improve things), I found what the issue was..

this morning i added some more packages to my board, one of which was NTP package,

from reading parts of this post about NTP servers ect and not synchronizing i thought ill disable the NTP package i put on this morning.. Job Done! no more unicast timeouts :p

Kev

magnavox · Wed Mar 27, 2013 10:50 pm

I have now this issue.
Release 5.24 (also 5.20).

Please help me

Rukicc · Fri Aug 16, 2013 7:24 pm

The same problem with RouterOS 6.1 and Windows XP, with Windows 7 as client all is ok.
NEW security profile created from GUI.

unicast key exchange timeout

Resolution:
Create copy of existing (default) security profile and then change password and other settings witch is needed. and all works.....

rmerch1 · Fri Oct 18, 2013 3:52 am

The same problem with RouterOS 6.1 and Windows XP, with Windows 7 as client all is ok.
NEW security profile created from GUI.
Code: Select all
unicast key exchange timeout
Resolution:
Create copy of existing (default) security profile and then change password and other settings witch is needed. and all works.....

What other settings did you have to change?

Rukicc · Sat Oct 19, 2013 4:02 pm

After creating a copy of default profile. Changed was only Password and profile name.

Amidamaru · Thu Dec 05, 2013 8:45 pm

double post..see below.

Amidamaru · Thu Dec 05, 2013 8:50 pm

After creating a copy of default profile. Changed was only Password and profile name.

Nope. It doesn't worked this way either. I've updated my MikroTik 2011 wifi AP router with the latest OS, 6.7.

After 2 DAYS of hell I've finally discovered that the reported BUG of "unicast key exchange timeout" isn't not resolved and no matter what I've tried the WPA2 auth method simple doesn't work.

All my clients, Nexus tablets, Nexus phones, Android, etc have connected and then dropped off.

I've successfully make it works using WPA with AES option though. Overall isn't such a big deal because I can protect this router using other in place solutions as wifi access list.

BUT, come one MikroTik's tech guys, is such difficult to resolve this stupid BUG and make us happy? There are a lot of other low cost options which have this WPA2 option in place and most important, WORKING!!!

Thanks from a new MikroTik owner.

hwmonkey · Mon Dec 30, 2013 12:34 am

I am having the same problem on an RB2011 after updating from 6.5 to 6.7

/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=none allow-sharedkey=\
    no antenna-gain=0 area="" arp=enabled band=2ghz-b/g/n basic-rates-a/g=\
    6Mbps basic-rates-b=1Mbps bridge-mode=enabled channel-width=\
    20/40mhz-ht-above compression=no country=no_country_set \
    default-ap-tx-limit=0 default-authentication=yes default-client-tx-limit=\
    0 default-forwarding=yes dfs-mode=none disable-running-check=no disabled=\
    no disconnect-timeout=3s distance=indoors frame-lifetime=0 frequency=2412 \
    frequency-mode=manual-txpower frequency-offset=0 hide-ssid=yes \
    ht-ampdu-priorities=0 ht-amsdu-limit=8192 ht-amsdu-threshold=8192 \
    ht-basic-mcs=mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7 \
    ht-guard-interval=any ht-rxchains=0,1 ht-supported-mcs="mcs-0,mcs-1,mcs-2,\
    mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-\
    14,mcs-15,mcs-16,mcs-17,mcs-18,mcs-19,mcs-20,mcs-21,mcs-22,mcs-23" \
    ht-txchains=0,1 hw-fragmentation-threshold=disabled hw-protection-mode=\
    none hw-protection-threshold=0 hw-retries=7 interworking-profile=disabled \
    l2mtu=2290 mac-address=D4:CA:6D:AA:AA:68 max-station-count=2007 mode=\
    ap-bridge mtu=1500 multicast-buffering=enabled multicast-helper=default \
    name=wlan noise-floor-threshold=default nv2-cell-radius=30 \
    nv2-noise-floor-offset=default nv2-preshared-key="" nv2-qos=default \
    nv2-queue-count=2 nv2-security=disabled on-fail-retry-time=100ms \
    periodic-calibration=default periodic-calibration-interval=60 \
    preamble-mode=both proprietary-extensions=post-2.9.25 radio-name=\
    BEOT rate-selection=advanced rate-set=default scan-list=default \
    security-profile=default ssid=MikroTik \
    station-bridge-clone-mac=00:00:00:00:00:00 supported-rates-a/g=\
    6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps supported-rates-b=\
    1Mbps,2Mbps,5.5Mbps,11Mbps tdma-period-size=2 tx-power=22 tx-power-mode=\
    all-rates-fixed update-stats-interval=disabled wds-cost-range=50-150 \
    wds-default-bridge=none wds-default-cost=100 wds-ignore-ssid=no wds-mode=\
    disabled wireless-protocol=any wmm-support=disabled
add area="" arp=enabled bridge-mode=enabled comment=PASSWORD-wifi \
    default-ap-tx-limit=0 default-authentication=no default-client-tx-limit=0 \
    default-forwarding=yes disable-running-check=no disabled=no hide-ssid=no \
    interworking-profile=disabled l2mtu=2290 mac-address=D4:CA:6D:AA:AA:69 \
    master-interface=wlan max-station-count=2007 mtu=1500 \
    multicast-buffering=enabled multicast-helper=default name=wlan0_PASSWORD \
    proprietary-extensions=post-2.9.25 security-profile=default ssid=\
    ValidSSID update-stats-interval=disabled wds-cost-range=0 \
    wds-default-bridge=none wds-default-cost=0 wds-ignore-ssid=no wds-mode=\
    disabled wmm-support=disabled

/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods=\
    passthrough group-ciphers=aes-ccm group-key-update=5m interim-update=0s \
    management-protection=disabled management-protection-key="" mode=\
    dynamic-keys mschapv2-password="" mschapv2-username="" name=default \
    radius-eap-accounting=no radius-mac-accounting=no \
    radius-mac-authentication=no radius-mac-caching=disabled \
    radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
    static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
    none static-key-0="" static-key-1="" static-key-2="" static-key-3="" \
    static-sta-private-algo=none static-sta-private-key="" \
    static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=\
    none tls-mode=no-certificates unicast-ciphers=aes-ccm wpa-pre-shared-key=\
    "PASSWORD\?" wpa2-pre-shared-key="PASSWORD\?"

alexjhart · Wed Jan 15, 2014 5:56 pm

By chance, are you guys (v6.7) using spaces or dashes in your WPA/2 key? I am and found that removing those (at least on a VirtualAP) allowed me to connect with the devices having trouble.

rhurst · Thu Jan 16, 2014 3:26 am

I had the same issue two things that fixed it for me.

one run NTP and sync ap and clients. problem gone.

The other make sure you copy the default security profile and then edit it don't just create a new one. fixed problem with or without Ntp getting synced at least for me.. good luck.

Also not all clients seem to be affected with this issue before the fixes. My dell laptop would never see this but my wife's lenovo would spam the log full of this error before I fixed it.

logg · Thu Mar 27, 2014 12:49 pm

hi, i have same problem
hw metal 5shpn
it is impossible to have a similar problem and no one is interested to solve it.
I have to think again about the professionalism of mikrotik and its products?

vipnet · Fri May 30, 2014 3:48 pm

I have same problem

RV 6.13 RB951G-2HnD

Fri May 30, 2014 4:02 pm

it is not a bug, this error means that your wireless link is not good quality, and enctypted link could not be established.

saintofinternet · Thu Jun 12, 2014 1:40 pm

how do i solve this as i have 20 desktops attached to a RB-SXT ( Desktops are of different brands with different NIC's )

and all clients keep getting disconnected ..... it is running ROS 6.11

please help at earliest....

Thu Jun 12, 2014 2:20 pm

please upgrade the RouterOS to v6.14 and try out the wireless-fp package.
Also we would recommend to reset the wireless configuration and reconfigure only the settings you need.

koolandrew · Tue Jun 24, 2014 5:05 pm

This is crazy. I have upgraded to 6.15 and this bug still exists. I cannot connect with an android device, even when i put the MAC address in the access list.

It just started happening with v 6.13 and now it cannot connect.

Mikrotik, i have followed this thread and it has gone on for about six years. You really need to take this seriously, as it doesnt appear that you have.

I have other wireless issues with Mikrotik and now this!

mveloso · Thu Jul 03, 2014 5:47 am

RESOLVED:

In our case, we were using MAC Address as Username and at the radreply some MAC Addresses were in lowercase, and at radcheck the same MAC Addresses wer in Uppercase.

This difference made Radius not send a complete radius reply message, so MK disconnected and then reject and banned those MAC Addresses.

We've solved this problem after migrating from MySQL to PostgreSQL. Apparently our MySQL was not differentiating lowercase from uppercase.

I hope this may help you.

saintofinternet · Thu Jul 10, 2014 5:13 am

we are talking of simple AP<-->Client connectivity. its nothing to do with databases etc.

i am now on 6.15 and still the same problem. using AES as security standard.

SXT is the AP and around 20 Windows desktops and laptops. even the ping gives a "Request time out" after every 10 to 15 pings.

saintofinternet · Thu Jul 10, 2014 5:16 am

ok...now i have tried increasing the Group Key Exchange Timeout to ' 01:00:00 '

don't know how much will this help but atleast it has stopped disconnecting frequently....

.

samsung172 · Fri Jul 11, 2014 3:27 am

it is not a bug, this error means that your wireless link is not good quality, and enctypted link could not be established.

Well - Why do you see this about 90% more often With random Devices Connected - and never mikrotik - mikrotik? This is related to encryption in ros - and random Device connecting. Solution - Turn off encryption or change to WEP (at least better) Also old 4.17 have less issues than 5.x and 6.x. Signal might trigger some - But this is also seen in good signal enviroments.

LordBinary · Tue Sep 23, 2014 11:07 am

Set Band to B/G only

berker · Tue Dec 23, 2014 2:26 pm

SOLVED:

The problem just about with NTP.
Make all devices NTP client address same and lean back.

saintofinternet · Thu Jun 11, 2015 2:14 pm

SOLVED:

The problem just about with NTP.
Make all devices NTP client address same and lean back.

how do you do that with Windows clients connecting to RB-SXT

saintofinternet · Tue Jun 30, 2015 6:12 pm

somebody from Mikrotik please address this... as this issue is still existing and causing me loose clients....

lost almost 3 till now... i would appreciate if Mikrotik could give a firm solution at earliest...

all devices running ROS Ver 6.27

dmitriyt · Thu Aug 27, 2015 2:23 pm

I have a RB2011-UiAS-2HnD @ ROS 6.31.
It is 2 wireless interfaces configured: wlan1 (real one) and VirtualAP (for guests), both WPA2-PSK with AES. All things was OK until yesterday, when I've decided to add ACL MAC authentication for the main AP. After that it is became impossible to connect from any guest devices, including those ones who works earlier flawlessly. "...unicast key exchange timeout..." starts to appear in the Log.
I've checked a lots of things, including mentioned earlier in this thread, but without success.
But is seems that I've found workaround (at least for my case)!
Password for the VirtualAP was like "XXXX-XXXX", i.e. contained "-" sign. When I've changed password to just "XXXXXXXX" bug mysteriously disappeared. I've checked several times switching keys back and forth between "XXXX-XXXX" and "XXXXXXXX" , and it seems that at least in my case "-" is the source of the problem.
Interestingly, that the key for the wlan1 (real one) remains with a lots of special symbols (including "-") and works well.

jp88 · Sat Sep 05, 2015 3:54 pm

I had 951G-2HnD running on ROS v6.31 when wifi suddenly stopped working on all devices - Android phones + Panasonic TV with following records in log:

Sep/05/2015 14:16:35 wireless,info ...@wlan1: connected
Sep/05/2015 14:16:40 wireless,info ...@wlan1: disconnected, unicast key exchange timeout

I did upgrade to v6.33, stop NPT completely, etc. and nothing helped. Then I just re-typed my pre-shared key and devices were able to authenticate.

It is weird as everything was working fine and then suddenly devices were not able to authenticate. It looked like the key was suddenly lost because I was not able to show it when I unchecked "Hide Passwords" check box in winbox. Once I re-typed the key and devices were able to connect I was also able to see the key with unchecked "Hide Passwords" option.

saintofinternet · Thu Sep 10, 2015 9:22 am

i am harassed by that problem everyday and no help from Mikrotik till date...

angboontiong · Wed Sep 23, 2015 1:15 pm

Is there any solution for this ???

Wed Sep 23, 2015 2:13 pm

Try to disable management protection if enabled and set group key update interval to 1hour. Use wpa2 psk aes only. Then check if it is better. If not check the link quality with problematic client.

Chinezupwnz · Wed Sep 23, 2015 4:36 pm

workaround- just go to DHCP settings and put a longer lease time (not the default 5 minutes)

saintofinternet · Fri Oct 16, 2015 6:52 am

workaround- just go to DHCP settings and put a longer lease time (not the default 5 minutes)

this happens without DHCP too.... so there is no actual way out....

Fri Oct 16, 2015 7:37 am

I had 951G-2HnD running on ROS v6.31 when wifi suddenly stopped working on all devices - Android phones + Panasonic TV with following records in log:
Code: Select all
Sep/05/2015 14:16:35 wireless,info ...@wlan1: connected
Sep/05/2015 14:16:40 wireless,info ...@wlan1: disconnected, unicast key exchange timeout
I did upgrade to v6.33, stop NPT completely, etc. and nothing helped. Then I just re-typed my pre-shared key and devices were able to authenticate.

It is weird as everything was working fine and then suddenly devices were not able to authenticate. It looked like the key was suddenly lost because I was not able to show it when I unchecked "Hide Passwords" check box in winbox. Once I re-typed the key and devices were able to connect I was also able to see the key with unchecked "Hide Passwords" option.

happened to me six months ago, but not any more im on 6.30.4

BlackCat · Thu Oct 22, 2015 6:47 pm

Same happening for me with mobile devices connected to RB2011UiAS-2HnD-IN ( ROS v. 6.33rc30 )

Are there any workarounds for this?

Chinezupwnz · Thu Nov 12, 2015 3:22 pm

workaround- just go to DHCP settings and put a longer lease time (not the default 5 minutes)
this happens without DHCP too.... so there is no actual way out....

Ok it seems latest version brought it back.... i don't know what to do now.

jfrater · Sat Nov 14, 2015 3:37 am

This happened to me today with an antenna running 6.31.

Since 6.31 has the password bug (where it literally changes passwords to asterisks) I had to change my password on the AP to "**********" let the client connect, do the upgrade to 6.33 and only then change the passwords back.

Just in case this happens to someone else...

Chinezupwnz · Mon Nov 16, 2015 5:13 pm

I want to mention this send death, happens just on iphone (2 iphone 5s with different IOS versions and 1 iphone 4 with lower version of IOS). The thing is that it happens a lot more on the never iphones than on the older.

I have connected other devices with android, ps4 wi-fi laptops, and it doesn't happen.

If someone has another idea what else we can do.

Chinezupwnz · Thu Nov 19, 2015 12:22 pm

Please help

Chinezupwnz · Fri Nov 27, 2015 10:11 am

I'm sorry that i'm spamming, but what should we do ? (everyday i'm looking and its at least 5-6 people that are watching this topic)
Open a ticket to support ?

LE: seems 6.33.1 fixed the issue.

slavisar · Tue Dec 01, 2015 2:56 am

Since 6.33.1 I have lost wpa2 capability. Devices affected are GrooveA 5HPn, SXT G-2HnD and RB2011UiAS-2HnD-IN.
When establishing wpa2 connection, AP log says "unicast keys exchange timeout", then connection drops.
If connection is set unencrypted, everything works ok. I have also tried PTP bridge configuration, but no luck.
I also have tried to downgrade to earlier versions of routeros, but wpa2 still does not work (???).

ivanluiz · Mon Dec 14, 2015 4:54 pm

it is not a bug, this error means that your wireless link is not good quality, and enctypted link could not be established.

Normis, I am using the new mikrotik hAP AC and the same error is happening. Even with clients to five meters from the AP.

saintofinternet · Tue Dec 15, 2015 11:27 am

i still have not figured out how to solve the problem. i am not able to sell any more AP due to this issue.

can anyone from Mikrotik seriously look into this.

RowdyDog · Sun Dec 27, 2015 8:40 pm

This age of this issue is 5 years! Is there no response from MikroTik?

djidji77 · Sat Jan 02, 2016 5:06 am

the only solution is to put all **** for password???!! Mikrotik, WTF??? I mean, seriously??

saintofinternet · Mon Jan 04, 2016 11:52 am

the only solution is to put all **** for password???!! Mikrotik, WTF??? I mean, seriously??

really????

akosenko · Sat Jan 30, 2016 1:40 pm

I confirm this problem too. I get this problem if I use wireless-fp-xxxx-mipsbe.npk or wireless-cm2-xxxx-mipsbe.npk packages in any wireless ap mode (b, b/g, b/g/n). If I use package wireless-xxxx-mipsbe.npk only in b/g ap mode then wpa/wpa2 working fine without any "Unicast key exchange timeout" error. I think problem in these packages wireless-fp-xxxx-mipsbe.npk, wireless-cm2-xxxx-mipsbe.npk. Mikrotik team do you have any comments about my theory?

Plnt · Fri Feb 26, 2016 12:38 pm

it is not a bug, this error means that your wireless link is not good quality, and enctypted link could not be established.
Normis, I am using the new mikrotik hAP AC and the same error is happening. Even with clients to five meters from the AP.

I have the same problem with hAP ac which I installed just few days ago. It's happening only on the 2.4GHz wlan, 5GHz wlan is working fine. I had hAP lite before on the same place with the same configuration and clients. It was working fine without this issue.

saintofinternet · Fri Feb 26, 2016 1:32 pm

The issue seems to have flared up since the last update and I am wondering why is Mikrotik so damn quiet on this still??

Plnt · Fri Feb 26, 2016 6:54 pm

it is not a bug, this error means that your wireless link is not good quality, and enctypted link could not be established.
Normis, I am using the new mikrotik hAP AC and the same error is happening. Even with clients to five meters from the AP.
I have the same problem with hAP ac which I installed just few days ago. It's happening only on the 2.4GHz wlan, 5GHz wlan is working fine. I had hAP lite before on the same place with the same configuration and clients. It was working fine without this issue.

I tried couple of changes in configuration of hAP ac and I think I found a workaround. If I disable wireless-cm2 package and enable wireless-fp instead everything seems to work fine. I'm running RouterOS 6.34.2. I'm not completely sure if this can be related but so far it looks good. I'll report results after few days.

Update 02/03/2016: I upgraded to the latest 6.35rc15 RC version of RouterOS and switched to wireless-rep driver. It still happens from time to time but it's much better than with RouterOS 6.34.2. It seems that the problem is probably caused by worser sensitivity of the 2.4GHz radio in hAP ac in comparison with hAP lite. Also I can't say for sure that upgrade fixed the issue or there was some strong interference during the time I was running RouterOS 6.34.2.

sszbv · Wed Mar 23, 2016 10:24 am

On a RB411 with 6.34.2 I get this error (unicast key exchange timeout) with a Microsoft Lumia 650 and a Microsoft Surface Pro 3.
This started happening after I switched to the wireless-cm2 package and after a big Windows 10 update. So it's unclear if this has to do with RouterOS or with Windows 10.
It usually happens when the phone or the tablet wakes from sleep. The tablet restores the connection after a while, but the phone never restores the connection. Only after a reboot it will work again.
It only happens with the Windows 10 devices, no problems with iOS or Android.

Does anyone else experience this error?

saintofinternet · Thu Mar 24, 2016 3:56 am

i am really bothered about this problem... it's started cropping up very very very frequently now....

just before this post all the 15 computers connected to the RB-SXT2 were disconnected and now had to be manually connected.

sent a SUPOUT file to Mikrotik but they have not bothered to reply... it's been almost more than a month.

pcunite · Thu Mar 24, 2016 5:44 am

Has anyone tried changing to 5Ghz to see if the issues still occur there? It maybe interference.

drazovic · Tue Mar 29, 2016 12:27 pm

This bug make me crazy...
Maybe problem can be too many wireless clients around router...so I tried to put freq which are less used...but without hope, tried all versions of RouterOS - no hope, tried to change encryption from WPA2-AES to WPA-TKIP - no hope, tried to remove MAC filtering - no hope, tried with NTP changes - no hope...
There are many firmware updates, but there is still no fix for this killing-bug. Do someone from Mikrotik support guys reading this 6y old topic???

How can we contact support officially about this problem?

cameronhall · Mon Apr 18, 2016 12:12 pm

Is anyone else still having this issue? I'm getting Unicast key exchange timeouts at least once a day on my hap ac (6.34)
I've increased the group key update time but I still get disconnected.

pcunite · Mon Apr 18, 2016 7:19 pm

Is anyone else still having this issue? I'm getting Unicast key exchange timeouts at least once a day on my hap ac (6.34)
I've increased the group key update time but I still get disconnected.

2.4Ghz or on the 5Ghz channels?

Mon Apr 18, 2016 8:43 pm

i want to report 6 months without the issue on rb951g and rb951ui actually i am on ros 6.34 and wireless-fp and cm2 packages

macak91 · Fri Apr 22, 2016 8:48 pm

Hello,

I also have the same problem...it seems it started with the last upgrade (a few days ago).

I am connected to an AP, browsing the web and then suddenly I loose connection. I am using WPA2 AES, AP is 951G-2HnD. I tried solutions with copying default profile, reseting wireless configuration, lowering power, but the problem exists.

When I get disconnected I sometimes get the "Group key exchage timeout", but mostly "disconnected, received disassod: sending station leaving (8). With this SSID this is the only AP, so the notebook has nowhere to "switch".

Is this a bug or what Mikrotik? This thread is old, but the problem is still occuring. What now?

cameronhall · Sun Apr 24, 2016 3:30 am

Is anyone else still having this issue? I'm getting Unicast key exchange timeouts at least once a day on my hap ac (6.34)
I've increased the group key update time but I still get disconnected.
2.4Ghz or on the 5Ghz channels?

Only on the 2.4Ghz Channel, the 5hgz is running in station mode

pejot · Mon May 16, 2016 12:52 pm

On 6.35.2 same error
F/W: 3.27
RouterBOARD 952Ui-5ac2nD

Gandalf56 · Sun May 22, 2016 11:17 pm

Hello Community,

i also got this Unicast key exchange timeout error about every 30 minutes and tried many things but finally found a SOLUTION, verified it, its also reproducible.

My Configuration:
3 WIFI-Devices (Laptop, Android Tablet, Smartphone) connecting sometimes to "WIFI-Network1" and sometimes to "WIFI-Network2"

i got this error on both Routerboards with all connected devices.

WIFI1: Routerboard:RB951G-2HnD, Firmware 3.33, installed Version: 6.35.2, wireless-fp Package
WIFI2: Routerboard 962UiGS-5HacT2HnT (hAP ac), Firmware 3.31, installed Version: 6.35.2, wireless-cm2 Package

Security Profile Settings on Both Routers: WPA2 PSK AES ONLY, Ciphers: aes ccm ONLY and different WPA2 Pre-Shared Keys, all other settings at Standard, no Connect List and no Access List in use.

WIFI-Config Routerboard:RB951G-2HnD:
ap bridge, Band: 2GHz-B/G/N, 2447 MHz, Channel Width: 20/40MHz Ce, no Radio Name, unique SSID hidden, all other settings Standard, ARP Enabled

WIFI-Config Routerboard 962UiGS-5HacT2HnT (hAP ac):
ap bridge, Band: 2GHz-only-N, 2452 MHz, Channel Width: 20/40MHz Ce, no Radio Name, unique SSID hidden, all other settings Standard, ARP Enabled

First i have to say that i exported the config from my RB951G and imported it to the hAP ac and noticed that the MAC-Addresses of all Interfaces also has been exported and imported into the new RouterBoard Config.

###############

1.So first check your Interfaces if you have a similar situation like me described above, reset the MAC Address, and maybe create a new Bridge Interface because this MAC cannot be resetted.

2. Then check your Packages
Open Winbox, go to System -> Packages -> Check Installation of wireless-cm2 Package/wireless-fp Package - sometimes this Update fails (for my RB951 for example 2 times), then download it manually from mikrotik website and install it again.

3. But the real solution for me was to change the Wireless INTERFACE Name, in my config both was only named "WLAN".
After this Change restart of the Wireless Interfaces is needed too.

Changing both names to an unique Interface Name solved the "Unicast key exchange timeout error" for me.

In this way i also changed all other Interface Names to unique ones.

Maybe this helps you out, try it

@Mikrotik: please check if this is a bug or feature

############Update: I made some Test just for the sake: ############
changed Frequency on both Routerboards to 2412 MHz

now i have a stable WIFI-Connection since 11 hours in fully crowded 2412 MHz Network with 8 other Stations near me and both Routerboards 20cm away from each other, 2 clients connected.

I also tried to reproduce this problem again, now after changing back both Interface names back to "WLAN" error no longer appeared, also stable Connection since 1 hour.

veranson · Sat Jun 18, 2016 10:53 pm

nothing helps. Worth PSK2 with aes

Do not are working some devices such as the Samsung tablet. In an open network, all devices are connected and working

LaZyLion · Sun Jul 31, 2016 10:16 pm

Hi all

I'm adding my two cents to the issue as well. This is now July 31 of 2016.
Eight years of an ongoing issue! oh well.

I'm using ROS 6.36 on all devices involved.

Devices are in AP Bridge mode, same SSID, same AES WPA2 key
All set up by script so no typo's.

The devices connect and work great for a couple hours, then just they disconnect and won't reconnect without divine intervention.

This happens both in the field and in my home lab (aka the living room).

I'm trying a work around a good friend of mine suggested:

The master device should be AP-Bridge mode, but the nodes should be in WDS-Slave mode.
I don't know what the actual difference is between the two but.....

I have let this run and it seems to be stable as long as I don't touch anything.

On the Master (which is connected to my modem):

/interface wireless
set [ find default-name=wlan1 ] name="WiFi-Link(main)" ssid="Link" mode=ap-bridge \ 
security-profile=Link  frequency=2452  distance=dynamic  hide-ssid=no \ 
preamble-mode=both allow-sharedkey=yes wps-mode=disabled allow-sharedkey=yes disabled=no \
wds-default-bridge=bridge wds-mode=dynamic ;

On the Node (which the computers usually connect to):

/interface wireless
set [ find default-name=wlan1 ] name="WiFi-Link(main)" ssid="Link" mode=wds-slave \ 
security-profile=Link frequency=2452 distance=dynamic hide-ssid=no \ 
preamble-mode=both allow-sharedkey=yes wps-mode=disabled allow-sharedkey=yes disabled=no \
wds-default-bridge=bridge wds-mode=dynamic ;

You can see that the only difference between the two commands is the mode=

A couple Notes:

These are the settings I had to use to make it work. Whenever I'm testing setups I like to mess around and break things
until I know what is actually needed and what is trivial. All these seem to be needed as of this posting.
I may edit this post down the road as I learn more. Please feel free to contribute what you find.

On the master you can use a virtual-ap for the link, but on the node I had to use the main radio.
I can then add a virtual-ap on the node so that the laptops connect to a different ssid with a different wpa2 key

The security profile is just a standard wpa2 setup. Nothing special.

I'm using wds-mode=dynamic but you can use wds-mode=static if you know the mac addresses of the devices.
I've played briefly with dynamic-mesh but didn't notice any difference.

6.36 appears to have introduced WPS and I'm not having it!!!!!
But in my case, none of my equipment has a button or is publicly accessible.

Hope this helps.

Roy

aios · Wed Aug 03, 2016 5:44 pm

Hi everyone!

Yeah, after years of using Mikrotik routers now I experience issue that I can't resolve.

We bought RB951G-2HnD router (ROS 6.33) and set up it with default configuration. It worked good (with some rare drops) but suddenly WiFi started to drop connections more often. At first few times in a day and now it's so often that work is impossible. Sometimes it's about 5 times in 30 minutes.

Log shows - Unicast key exchange timeout, read all forum and tried countless suggested solutions but none of them works. Really want to throw router in a trash.
Is it possible that this is caused by large interference (~60 devices around)?

Configuration at the moment.

 0  R name="wifi" mtu=1500 mac-address=xx:xx:xx:xx:xx:xx arp=enabled interface-type=Atheros AR9300 mode=ap-bridge 
      ssid="xxxxxxxx" frequency=2467 band=2ghz-b/g/n channel-width=20/40mhz-Ce scan-list=default 
      wireless-protocol=802.11 vlan-mode=no-tag vlan-id=1 wds-mode=static-mesh wds-default-bridge=none wds-ignore-ssid=no 
      bridge-mode=enabled default-authentication=yes default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0 
      hide-ssid=no security-profile=default compression=no

Thu Aug 04, 2016 8:50 am

Update to latest stable and change the group key timeout from 5 minutes to 1hour. If you already have not tried it. Maybe it helps. Use wireless rep package.

volkirik · Fri Aug 05, 2016 1:02 pm

change the group key update time from 5 minutes to 1 hour.

axelf · Wed Aug 31, 2016 7:39 pm

It's weird, but it helps WiFi password change. It is necessary to change the pattern of symbols in the password and use the symbol "#".
I use letters, numbers and "#".

tano · Sat Sep 17, 2016 10:29 pm

Hello,

I have the same issue on a Mikrotik RB951G-2HnD ( FW 6.36.3 ) in a single AP home configuration .

All my devices can connect to the wireless network, except two host ( a raspberrypi running librelec and a alienware m11x R1 laptop ) even when they're roughly 3m far from the AP .
I've followed the tips in the previous posts ( changing the frequency \ security profile \ ... ) with no go .

PavelJ · Sat Feb 18, 2017 5:42 pm

Hello,

I have the same issue on a Mikrotik RB951G-2HnD ( FW 6.36.3 ) in a single AP home configuration .

All my devices can connect to the wireless network, except two host ( a raspberrypi running librelec and a alienware m11x R1 laptop ) even when they're roughly 3m far from the AP .
I've followed the tips in the previous posts ( changing the frequency \ security profile \ ... ) with no go .

Hi, I now resolved an issue with old laptop running Win10, which started refusing connection to my Mikrotik hAP ac (2,4GHz wifi), probably after modifiing Mikrotik's configuration. Restart of laptop didn't help. All other devices are connected without problem.

Mikrotik log when trying to connect this laptop:
13:21:25 ... wlan1: connected
13:21:30 ... wlan1: disconnected, unicast key exchange timeout
13:21:30 ... wlan1: connected
13:21:35 ... wlan1: disconnected, unicast key exchange timeout
13:22:03 ... wlan1: connected
13:22:08 ... wlan1: disconnected, recieved deauth: unspecified (1)

Resolution:
In Win10 changed WiFi configuration in Device manager -> WiFi adapter-> Properties -> Advanced (enabled WMM and mixed mode protection) = laptop connected to WiFi. Then I disabled both functions again, and WiFi connection is still working.

Think, that would also help changing any other value - there was probably need to rewrite wifi settings only.

PavelJ

колбаскин · Tue Mar 21, 2017 12:05 pm

Same issue with WPA2 PSK and iphone
Try:
Disable WDS Mode
Check WDS Ignore SSID
Change Group Key Update to 30min

10:50:39 wireless,info 78:C3:E9:E6:7B:4A@neonmobile: connected
10:52:05 wireless,info E0:2C:B2:7A:1F:F8@neonmobile: connected
10:52:11 wireless,info E0:2C:B2:7A:1F:F8@neonmobile: disconnected, unicast key exchange timeout
10:52:12 wireless,info E0:2C:B2:7A:1F:F8@neonmobile: connected
10:52:17 wireless,info E0:2C:B2:7A:1F:F8@neonmobile: disconnected, unicast key exchange timeout
10:53:05 wireless,info EC:1F:72:BD:C3:E0@neonmobile: connected
10:53:10 wireless,info EC:1F:72:BD:C3:E0@neonmobile: disconnected, unicast key exchange timeout
10:53:26 wireless,info E0:2C:B2:7A:1F:F8@neonmobile: connected
10:53:31 wireless,info E0:2C:B2:7A:1F:F8@neonmobile: disconnected, unicast key exchange timeout
10:53:43 wireless,info E0:2C:B2:7A:1F:F8@neonmobile: connected
10:53:48 wireless,info E0:2C:B2:7A:1F:F8@neonmobile: disconnected, unicast key exchange timeout

What need to do?

beamzer · Sat Mar 25, 2017 3:23 pm

I had the same problem on a raspberry pi with a certain wifi usb adapter,
when i change the for other types, the worked, so i assume for me it's something
in the driver (r8712u) which doesn't work well with Mikrotik.
I did not have these problems on my previous access point (different brand).

Alwest · Mon May 22, 2017 3:50 pm

I had the same issue ("disconnected, unicast key exchange timeout") on ROS 38.5. I fixed it with decreasing HW-retries parameter to 4.
Maybe it wil help somebody)

saintofinternet · Fri Jun 30, 2017 5:29 am

till date i am faced with this draconian issue of Unicast timeout disconnecting all the clients on the wireless network.... the frequency is far too much to handle. clients are just chucking out the systems...

wonder if i should continue to sell mikrotik wifi products....

mikrotik_error.png

Stril · Fri Sep 22, 2017 8:39 am

Hi!

I had that problem, too, yesterday.

The reason was a short WPA2-key. Changing it to a longer key solved the problem for me.

Regards,
Stril

Fri Sep 22, 2017 9:19 am

Stril - What was the length of original key? Minimums key length is 8 symbols and key length should not affect this (exchange timeout) in any way.

fmikker · Tue Oct 17, 2017 11:13 pm

The same issue appeared in my Routerboard 2011 RB after upgrading to RouterOS v6.40.4 (stable).
Don't know if it is related, but I haven't noticed it in the logs before.

58:F8:D1:6D:17@wlan1: disconnected, unicast key exchange timeout
58:F8:D1:6D:17@wlan1: connected
-	deassigned 192.168.88.18 from 2C:59:8A:62:9C:BA
59:8A:62:9C:BA@wlan1: connected
-	assigned 192.168.1.12 to 2C:59:8A:62:9C:BA
58:F8:D1:6D:17@wlan1: disconnected, unicast key exchange timeout
58:F8:D1:6D:17@wlan1: connected
58:F8:D1:6D:17@wlan1: disconnected, unicast key exchange timeout
58:F8:D1:6D:17@wlan1: connected
58:F8:D1:6D:17@wlan1: disconnected, unicast key exchange timeout
58:F8:D1:6D:17@wlan1: connected
58:F8:D1:6D:17@wlan1: disconnected, unicast key exchange timeout
58:F8:D1:6D:17@wlan1: connected
58:F8:D1:6D:17@wlan1: disconnected, unicast key exchange timeout

marianob85 · Fri Nov 03, 2017 11:16 pm

Have the same today when trying connect RaspberryPi3 with Windows 10 IoT :/

aAP ac, 6.40.4

Anyone know solution for this ?

disconnected, unicast key exchange timeout

cantanko · Thu Nov 09, 2017 5:11 pm

Hello,

Also seeing this on a wAP-2nD-r2 that was working just fine on 6.40.4, upgraded to 6.40.5 and now have this:

14:37:04 wireless,info 90:3A:E6:15:AE:C7@wlan: connected
14:37:09 wireless,info 90:3A:E6:15:AE:C7@wlan: disconnected, unicast key exchange timeout
14:40:11 wireless,info 90:3A:E6:15:AE:C7@wlan: connected
14:40:16 wireless,info 90:3A:E6:15:AE:C7@wlan: disconnected, unicast key exchange timeout
14:44:29 wireless,info 90:3A:E6:15:AE:C7@wlan: connected
14:44:34 wireless,info 90:3A:E6:15:AE:C7@wlan: disconnected, unicast key exchange timeout

Client is a Tesla Model S (!), AP is a wAP-2nD-r2. Rock solid until this point, and even downgrading to the (previously working) 6.40.4 hasn't fixed it. Car is on firmware revision 2017.42.a88c8d5 and hasn't changed in the last couple of weeks, and neither has the config in the wAP... Very odd...

EDIT: Did upgrade the Routerboard's firmware at that stage also from 3.27 -> 3.41 - not sure if that is in any way related...

graudeejs · Tue Nov 14, 2017 9:33 pm

Today I tried my newly purchased router.
I experienced the same issue.

What solved problem for me was changing WiFi password to 18 characters.
Once that worked I tried to WiFi password with 20 characters and problem started again.
After that changed password to 18 characters and it was all good again.

Wed Nov 15, 2017 3:30 pm

I use longer than that wifi passwords without any kind of problems.

Mikhail73 · Sun Nov 19, 2017 10:55 pm

Same problem: ROS 6.40.5, Cap Lite - Apple TV. Mikrotik, WHEN WILL YOU SOLVE THIS PROBLEM?!

Sun Nov 19, 2017 11:26 pm

i think the issue is related with the use of symbols (different from letter and numbers) in psk, i only use numbers and letters and no problem in years

MadEngineer · Mon Nov 20, 2017 11:44 am

I came across this issue a wee while back. Problem was a single Android mobile phone kept generating this error on a Mikrotik AP while other devices were fine. Cause was another Mikrotik connected to the AP but with a very low signal.

meristo · Sat Dec 30, 2017 8:40 pm

Hello guys,

for delete this error I put only AES for crypt and delete TKIP, with this setting error disappear...

Hope this help someone

Oliver96 · Thu Apr 19, 2018 12:55 am

Hi Guys!

My Problem was solved by changing the Channel Width form "20/40MHz Ce" to "20/40MHz eC.

Hope it works for you

Regards

Oliver

saintofinternet · Fri Aug 24, 2018 4:06 pm

that's a discovery... let me try it too!

myleskeller · Thu Oct 25, 2018 7:13 am

Hi Guys!

My Problem was solved by changing the Channel Width form "20/40MHz Ce" to "20/40MHz eC.

Hope it works for you

Regards

Oliver

Created an account just to say that this also worked for me.
I just replaced my previous Tenda AC router with a MikroTik and used my previous SSID and WPA key.
All devices connected seamlessly to the new router except my Google home Minis, which would only function on the 2.4GHz band, where they used 5GHz on the Tenda.
Changed the channel width on wlan2 from "20/40/80MHz Ceee" to "20/40/80MHz eeeC" and they connected immediately during setup.
Haven't seen "unicast key exchange timeout" in the logs since. Hopefully I'll have no further updates to post regarding this issue and that this may resolve this problem for some of you as well.

slavko989 · Fri Mar 04, 2022 1:42 am

It's March 2022!
I can't believe that Mikrotik devs still haven't addressed this issue. I lost an entire day because of this, trying EVERY POSSIBLE solution people here posted for 6+ years! NOTHING!

I have a problem connecting a TP-LINK WA850RE (v7) to my Mikrotik wifi. I tried every option in Winbox on both security profile and wifi configuration even DHCP etc.
I tried connecting the repeater to a few other routers and it works. Only Mikrotik noooopeeeeeeeee.

I also updated routerOS to the latest 7.1.1 stable from 6.46.6 and also tried 6.49.4 in the process. Nope. Cleared the settings, tried setting it up from scratch... nope. This is a pity.

I have finaly given up. I decided that I will not lose my mind over something even a 15$ Chinese router is able to do. But not Mikrotik. Connect with a device.

dmq · Fri Mar 04, 2022 2:37 pm

Unfortunately I am suffering on the same issue. I thought this thread is dead, so I created an own description here:

viewtopic.php?t=183808&sid=8c5c2a8fd6b4 ... c0b5ba8801

1) sync times between station and access point
2) switches between Auth Modes and Encryption Standards: AES CCMP / TKIP etc.
3) modfied group key interval to 01:00:00 / one hour
4) changed channel width between 20mhz and 20mhz - 40mhz
5) fixed channel
6) changed PSK in size and char variation (somewhat freaky)
7) installed three different os versions / versions of kernel modules

I have ROS 7.1.2 on MikroTik rb4011igs+5hacq2hnd-in.

Problem Adapter is a: RTL8191SU 802.11n WLAN with r8712u.

I also invested many many hours - I can not change anything - I really like my MikroTik setup but these systems (5) are important for me. Maybe I have to got back to Turris on the weekend (but actually I don't want).

grillotron · Tue Apr 19, 2022 11:29 pm

hi everyone, I have managed to solve it only by returning to the factory firmware version - downgrade
... and key cannot contain special characters

dadoCA · Tue May 10, 2022 8:17 pm

Same, here. Problem between three routerboards, in WDS mode. Tried dynamic and static WDS, tried changing passwrds, changing ssid name, changing frequencies, all 20/40 combinations. There are no other APs nearby, so inteferences are not a problem. Reset all routerboards to factory default. Updated all routerboards to 6.49.6(stable). (hap lite rb941, rb951 and rb751). RB951 configured as main router with internet access, and DHCP server enabled,other two routerboard configured as ap bridge, I tried wds slave mode also. The connection lasts for about 5min, then it gets disconnected, with unicast key exchange timeout message in log.

Albirew · Thu May 12, 2022 5:37 pm

on my side, this bug appeared when one RB used an user-created security profile and the other edited default security profile...
the fix was to not mix default and user-created security profile on RB, so both on edited-default security profile or either both on user-created security profile...

MikeKulls · Thu Jul 14, 2022 12:35 pm

This thread has now been going for 14 years with very limited response from Mikrotik. I have been getting this issue also across a wireless link between 2 Mikrotik devices. The problem is fairly random so I think a lot of the proposed solutions might not work. From what I understand the 2 devices exchange a new encryption key every 5 mins by default and if that process fails for some reason then it will drop the connection. I have a suspicion this could be CPU related because it was a lot worse on an older slower device. If this is just key exchange timeout couldn't they just retry for longer? Waiting an extra 10 seconds to update the key surely isn't the end of the world.

Just to add to the potential solutions I have seen. I've listed anything I've seen even if they didn't work for me.
- Set adaptive noise immunity to ap and client mode
- Pick a clear channel
- Use 20MHz channel width
- Increase disconnect timeout (this was in Mikrotik docs for WDS but they didn't say to what)
- Don't run VLANs over WDS
- use a faster device

And to sum up every solution I've read in this thread, to save people reading the entire thread:
- enable NTP
- copy default security profile, then edit. Don't make new profiles
- only numbers and letters in pre-shared key
- retype pre-shared key
- make sure unique mac addresses
- unique names for wlan interfaces + restart
- change the group key timeout from 5 minutes to 1hour
- I fixed it with decreasing HW-retries parameter to 4
- The reason was a short WPA2-key. Changing it to a longer key solved the problem for me.
- What solved problem for me was changing WiFi password to 18 characters. (I saw multiple mentions of this)
- for delete this error I put only AES for crypt and delete TKIP
- My Problem was solved by changing the Channel Width form "20/40MHz Ce" to "20/40MHz eC.
- on my side, this bug appeared when one RB used an user-created security profile and the other edited default security profile...

MikeKulls · Sat Jul 16, 2022 3:33 am

Stril - What was the length of original key? Minimums key length is 8 symbols and key length should not affect this (exchange timeout) in any way.

Mikrotik staff need to have a good look into this. I can 100% demonstrate it's a bug and not interference. For my device I had some mildly more complicated config, still only 1 page though when exported. This was giving me the error every few hours with a dropout. I did a blank config wipe and set the device up with absolutely minimal config. In my case I was using station bridge mode to another mikrotik, so it's quite minimal the number of connections. This 100% solved the problem and the connection has been rock solid overnight with absolutely zero entries added to the log. The links down counter for the wireless link has stayed flat on 0. Note that in either case the number of connections was minimal as this is a test environment. I realise this error can happen as a normal part of operation, but it most definitely also happens as part of a bug. The fact I can get a rock solid connection with some config demonstrates this is NOT an issue with interference.

Some additional info
- I only changed config on the station bridge side, config on the AP side is still the same.
- The mikrotiks have been given channel 6, all other APs have been moved to 1 and 11. I have no APs from neighbors
- I rebooted both devices after applying config and before running the test
- The device has literally not added a single log entry after the logs from the reboot

MikeKulls · Sun Jul 17, 2022 7:15 am

I've worked out what is causing this, in my case at least. I can 100% eliminate it and 100% reproduce it. I have 1 mikrotik providing the usual wifi/internet/dhcp etc and a second mikrotik as a wifi extender. The extender is using station bridge to the first AP and then I create a virtual AP on top of that with the same name as the first. Having clients connect to the second AP is what causes the problem. I presume it's just busy talking to the client when the key exchange request comes in and the key exchange times out. If I connect the clients to the second AP with a cable then the problem goes away 100% and the connection shows 0 drops over a 24 hr period. I have used it for work like this and been in Teams meetings and it works fine. With wireless clients connected it will give the key exchange error every few hours and drops out for short periods.

The solution unfortunately seems to be to use a second radio or second device for the wireless bridge. I presume mikrotik know about this which is why their Audience router has 3 radios. Mikrotik staff, can we have a fix for this? It seems more retries in some form would solve the problem. The link itself seems to be fine, it appears the key exchange timeout happens and then mikrotik drops the link. Or if this is a problem that is impossible to solve it would be nice to know. I have a third mikrotik I can use however this is running on solar/batteries so that would double my power usage.

babah · Fri Feb 17, 2023 7:10 pm

in my case (im using RB4011iGS+RM), it was caused by using the same channel. im on channel 11, and my neighbor suddenly changed to the same channel. then it started this "unicast key exchange timeout" issue. once his device moved to another channel, this issue was also gone.

slavko989 · Tue Oct 10, 2023 4:13 pm

UPDATE October 2023:

In my case, the problem was with TP LINK TL-WA850RE extender - with introduction of WPA3 support on it. It just couldn't connect to the Mikrotik because of errors. I bet it had something to do with standard wifi package, a bug of some sort related to the new WPA3 standard.

I didn't manage to solve it until one of the new versions of RouterOS came out.
At the time I was having issues with 7.1.1, but upgrading the router to a newer one, i can't really remember which one (just upgrade to the newest, at the point of writing this - 7.11.2) the problem was solved.

Another possible solution now in Oct 2023 is to use the newer "wifiwave2" wireless management package instead of the classic one if possible, it has proper WPA3 support but it is not needed.

However, do note that TP LINK TL-WA850RE range extender is a BAD one, and should be avoided because of its buggy firmware updates. The newest TP LINK firmware (TL-WA850RE(EU)_V7_1.0.12 Build 221109 released on 2023-02-07) introduced an entirely new problem - its DHCP server somehow messes with Mikrotik's, even when Authoritative mode is set, so devices in Mikrotik network often connect to the network, but fail to get a valid IP from Mikrotik's DHCP Server. Which is ridiculous really, so if you want to use that specific extender device, please use it with the oldest factory shipped firmware, DO NOT UPGRADE, because of some cheap reason TP LINK doesn't let you downgrade.

The permanent fix for issues introduces to Mikrotik network is to just throw TP LINK TL-WA850RE in the garbage.

Who is online