#18966: WPA-EAP TLS broken on Buffalo WZR-HP-AG300H/ath9k - workaround included
--------------------------------+-----------------------------------
 Reporter:  alexander.wetzel@…  |      Owner:  developers
     Type:  defect              |     Status:  new
 Priority:  normal              |  Milestone:
Component:  kernel              |    Version:  Barrier Breaker 14.07
 Keywords:  athk9 eap           |
--------------------------------+-----------------------------------
 I'm using EAP-TLS on my Buffalo WZR-HP-AG300H with connection problems
 for at least one year and at least up to 14.07 (r42625). I've finally
 tracked the issue down and it now looks to be a problem with the ath9k
 driver or firmware.


 '''What it looks like from a user perspective:'''

 With EAP-TLS, the initial connection works fine. Some time later (n*60min)
 the connection freezes while still claiming to be connected. But only if
 the connection is not idle at that moment. You have to transfer data above
 an as yet undetermined threshold to be hit by the bug or maybe some
 packets at a very bad moment.

 A simple ping e.g. is not sufficient to trigger the issue, downloading
 something with around 2.5MiB/s on the other hand triggers it for sure.

 There is also nothing in the logs at a normal log level on either the
 router or the client and even with the highest debug settings it looks
 still fine.


 '''Looking a bit closer:'''

 When the bug hits, the client will be unable to reach any IP and after
 some minutes even the ARP entry for the wlan router expires. Tcpdump shows
 no data incoming on the client, you see only the outgoing packets.
 Running tcpdump on the wlan router on the other hand will still show both,
 incoming and outgoing packets. Disconnecting and reconnecting to the wlan
 will fix the issue. (If you are really patient, waiting one hour will also
 fix it.)

 Trying the same with WPA-PSK (on a separate SID on the same card) works
 perfectly, I can't reproduce the issue in this mode!

 I did open a Linux kernel bug for that, assuming it to be an issue with
 the iwlwifi driver of my client, see
 [https://bugzilla.kernel.org/show_bug.cgi?id=92451]
 You find quite some more information of what I've tested there, including
 a wlan capture from a monitoring station and a better description of what
 I have done.


 '''What's really going on:'''

 With the feedback from the ticket that this is (probably) a security issue
 and the fact that another client using a different wlan card had the same
 issue it was getting obvious that this can't be an iwlwifi driver problem.
 Also a closer look showed that the connection was not failing around the
 rekey but exactly at the re-key, one hour after the initial connect.

 So a re-key is somehow preventing the client from decrypting the packets
 from the router and the network connection freezes.

 As confirmation it's possible to reproduce the issue much faster by
 changing the default re-key interval to e.g. 5min:
 {{{
 uci set wireless.@wifi-iface[0].eap_reauth_period=300
 uci commit
 reboot
 }}}

 With the shorter re-key it's much simpler to debug the problem. (I did
 verify that the pattern stays the same, only now with 5min intervals
 instead of taking 1h with the default settings. And yes, you still must have
 a download running to trigger it during the re-key).

 '''The workaround:'''

 The real breakthrough was setting the "nohwcrypt=1" module parameter for
 ath9k.

 /etc/modules.d/ath9k:
 {{{
 ath9k nohwcrypt=1
 }}}
 and reboot the router.

 With this setting I'm now unable to reproduce the issue, strongly
 indicating that either the driver or the firmware for the wlan card is
 having an issue with EAP re-keys during load.

 (Since the firmware seems to be "included" in the card I could find no way
 to try different firmware images for this card.)

 ----

 Here are some times for the attached logs, accurate to roughly one second,
 with a download running when possible at roughly 2.5MiB/s and the re-key
 interval set to 5min:

 {{{
 21:46:00 initial connect
 21:51:02 control ping fails
 21:56:02 ping resumes
 }}}

 Some router details:

 All tests were done with 802.11n completely disabled on the router.

 Here is the current config for wireless:

 {{{
 wireless.radio0=wifi-device
 wireless.radio0.type=mac80211
 wireless.radio0.macaddr=10:6f:3f:0e:33:3c
 wireless.radio0.hwmode=11ng
 wireless.radio0.ht_capab=SHORT-GI-40 TX-STBC RX-STBC1 DSSS_CCK-40
 wireless.radio0.country=DE
 wireless.radio0.channel=9
 wireless.radio0.distance=10
 wireless.radio0.txpower=20
 wireless.radio0.log_level=0
 wireless.@wifi-iface[0]=wifi-iface
 wireless.@wifi-iface[0].device=radio0
 wireless.@wifi-iface[0].mode=ap
 wireless.@wifi-iface[0].network=WLAN
 wireless.@wifi-iface[0].ssid=mordor
 wireless.@wifi-iface[0].encryption=wpa2+ccmp
 wireless.@wifi-iface[0].auth_server=127.0.0.1
 wireless.@wifi-iface[0].auth_port=1812
 wireless.@wifi-iface[0].auth_secret=<deleted>
 wireless.@wifi-iface[0].acct_server=127.0.0.1
 wireless.@wifi-iface[0].acct_port=1813
 wireless.@wifi-iface[0].acct_secret=<deleted>
 wireless.@wifi-iface[0].eap_reauth_period=300
 wireless.@wifi-iface[2]=wifi-iface
 wireless.@wifi-iface[2].device=radio0
 wireless.@wifi-iface[2].mode=ap
 wireless.@wifi-iface[2].ssid=mordor-g
 wireless.@wifi-iface[2].encryption=psk2+ccmp
 wireless.@wifi-iface[2].key=<deleted>
 wireless.@wifi-iface[2].network=GWLAN
 }}}
 The second wlan card (5GHz) is disabled and unused.


 lspci -v
 {{{
 00:11.0 Network controller: Qualcomm Atheros AR922X Wireless Network
 Adapter (rev 01)
         Subsystem: Qualcomm Atheros Device a097
         Flags: bus master, 66MHz, medium devsel, latency 168, IRQ 40
         Memory at 10000000 (32-bit, non-prefetchable) [size=64K]
         Capabilities: [44] Power Management version 2
         Kernel driver in use: ath9k

 00:12.0 Network controller: Qualcomm Atheros AR922X Wireless Network
 Adapter (rev 01)
         Subsystem: Qualcomm Atheros Device a096
         Flags: bus master, 66MHz, medium devsel, latency 168, IRQ 41
         Memory at 10010000 (32-bit, non-prefetchable) [size=64K]
         Capabilities: [44] Power Management version 2
         Kernel driver in use: ath9k
 }}}

--
Ticket URL: <https://dev.openwrt.org/ticket/18966>
OpenWrt <http://openwrt.org>
Opensource Wireless Router Technology
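
An added example, not part of the original ticket: a Python check that the start and end of each outage in a timestamped probe log coincide with multiples of the re-key interval, which is the pattern the ticket's 5min timeline shows. The log format, the filler sample lines, the 5 second tolerance and all function names are assumptions made for illustration.

```python
from datetime import datetime

# Constructed probe log ("HH:MM:SS ok|fail"); only 21:46:00, 21:51:02 and
# 21:56:02 come from the ticket, the other lines are filler for illustration.
SAMPLE = """\
21:46:00 ok
21:51:01 ok
21:51:02 fail
21:53:30 fail
21:56:01 fail
21:56:02 ok
21:58:30 ok
"""

def parse(log):
    """Return [(seconds since first line, ok)]; the first line is assumed
    to be the initial connect and the log must not cross midnight."""
    rows = [line.split() for line in log.splitlines() if line.strip()]
    times = [datetime.strptime(stamp, "%H:%M:%S") for stamp, _ in rows]
    return [(int((t - times[0]).total_seconds()), state == "ok")
            for t, (_, state) in zip(times, rows)]

def outages(samples):
    """Return [(start, end)] in seconds; end is None if never recovered."""
    found, start = [], None
    for t, ok in samples:
        if not ok and start is None:
            start = t
        elif ok and start is not None:
            found.append((start, t))
            start = None
    if start is not None:
        found.append((start, None))
    return found

def rekey_number(t, period, tolerance):
    """Re-key count n if t lies within tolerance of n*period, else None."""
    if t is None:
        return None
    n = round(t / period)
    return n if n >= 1 and abs(t - n * period) <= tolerance else None

def correlate(log, period, tolerance=5):
    """Map each outage to the re-keys its start and end coincide with."""
    return [(rekey_number(s, period, tolerance), rekey_number(e, period, tolerance))
            for s, e in outages(parse(log))]

if __name__ == "__main__":
    print(correlate(SAMPLE, period=300))  # [(1, 2)]
```

A result of `(1, 2)` means the freeze began at the first re-key and cleared at the second; an outage unrelated to re-keying yields `None` for the edge that does not line up.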