# WiFi suddenly stopped working [solved]

## CrouchingTigger

Hello everyone,

Something funky seems to have happened to my WiFi connection. I'm not sure, but it might be connected to the recent update of wpa_supplicant. Since a reboot, there are no networks available/visible in plasma-nm and NetworkManager logs:

```
<info>  [1647619409.0911] device (wlo1): supplicant interface state: interface_disabled -> inactive
```

Kernel module and firmware are loaded:

```
stellar ~ # dmesg |grep iwlwifi

[    4.094861] iwlwifi 0000:00:14.3: enabling device (0000 -> 0002)

[    4.096734] Loading firmware: iwlwifi-9000-pu-b0-jf-b0-46.ucode

[    4.097762] iwlwifi 0000:00:14.3: WRT: Overriding region id 0

[    4.097764] iwlwifi 0000:00:14.3: WRT: Overriding region id 1

[    4.097765] iwlwifi 0000:00:14.3: WRT: Overriding region id 2

[    4.097765] iwlwifi 0000:00:14.3: WRT: Overriding region id 3

[    4.097766] iwlwifi 0000:00:14.3: WRT: Overriding region id 4

[    4.097767] iwlwifi 0000:00:14.3: WRT: Overriding region id 6

[    4.097767] iwlwifi 0000:00:14.3: WRT: Overriding region id 8

[    4.097768] iwlwifi 0000:00:14.3: WRT: Overriding region id 9

[    4.097768] iwlwifi 0000:00:14.3: WRT: Overriding region id 10

[    4.097769] iwlwifi 0000:00:14.3: WRT: Overriding region id 11

[    4.097770] iwlwifi 0000:00:14.3: WRT: Overriding region id 15

[    4.097770] iwlwifi 0000:00:14.3: WRT: Overriding region id 16

[    4.097771] iwlwifi 0000:00:14.3: WRT: Overriding region id 18

[    4.097772] iwlwifi 0000:00:14.3: WRT: Overriding region id 19

[    4.097772] iwlwifi 0000:00:14.3: WRT: Overriding region id 20

[    4.097773] iwlwifi 0000:00:14.3: WRT: Overriding region id 21

[    4.097773] iwlwifi 0000:00:14.3: WRT: Overriding region id 28

[    4.097891] iwlwifi 0000:00:14.3: loaded firmware version 46.fae53a8b.0 9000-pu-b0-jf-b0-46.ucode op_mode iwlmvm

[    4.153808] iwlwifi 0000:00:14.3: Detected Intel(R) Wireless-AC 9560 160MHz, REV=0x318

[    4.202330] iwlwifi 0000:00:14.3: base HW address: 50:76:af:a7:60:7a

[    4.275613] iwlwifi 0000:00:14.3 wlo1: renamed from wlan0
```

The interface is unblocked:

```
stellar ~ # rfkill list

0: hci0: Bluetooth

        Soft blocked: no

        Hard blocked: no

1: phy0: Wireless LAN

        Soft blocked: no

        Hard blocked: no
```

Manual scanning is unsuccessful:

```
stellar ~ # iwlist wlo1 scan

wlo1      Interface doesn't support scanning.
```

Any ideas?Last edited by CrouchingTigger on Sat Mar 19, 2022 12:55 pm; edited 1 time in total

----------

## jburns

I had the same problem with WiFi not working after the update, but I could see other routers when I looked for available routers just not mine.  I used my phone's hot spot to connect to connect to the internet through the router.  My solution was to replace my router that supported the ac standard with one that supported the ax standard.

----------

## Jean-Paul

Hi,

I ran into the same error yesterday. no wifi after update to wpa_supplicant-2.10-r1. 

BTW we have the same nic, maybe that mean something.

```

dmesg |grep iwlwifi

[    2.003004] iwlwifi 0000:00:14.3: enabling device (0000 -> 0002)

[    2.004747] Loading firmware: iwlwifi-9000-pu-b0-jf-b0-46.ucode

[    2.006413] iwlwifi 0000:00:14.3: WRT: Overriding region id 0

[    2.006417] iwlwifi 0000:00:14.3: WRT: Overriding region id 1

[    2.006419] iwlwifi 0000:00:14.3: WRT: Overriding region id 2

[    2.006420] iwlwifi 0000:00:14.3: WRT: Overriding region id 3

[    2.006421] iwlwifi 0000:00:14.3: WRT: Overriding region id 4

[    2.006422] iwlwifi 0000:00:14.3: WRT: Overriding region id 6

[    2.006423] iwlwifi 0000:00:14.3: WRT: Overriding region id 8

[    2.006424] iwlwifi 0000:00:14.3: WRT: Overriding region id 9

[    2.006425] iwlwifi 0000:00:14.3: WRT: Overriding region id 10

[    2.006427] iwlwifi 0000:00:14.3: WRT: Overriding region id 11

[    2.006428] iwlwifi 0000:00:14.3: WRT: Overriding region id 15

[    2.006429] iwlwifi 0000:00:14.3: WRT: Overriding region id 16

[    2.006430] iwlwifi 0000:00:14.3: WRT: Overriding region id 18

[    2.006432] iwlwifi 0000:00:14.3: WRT: Overriding region id 19

[    2.006433] iwlwifi 0000:00:14.3: WRT: Overriding region id 20

[    2.006434] iwlwifi 0000:00:14.3: WRT: Overriding region id 21

[    2.006436] iwlwifi 0000:00:14.3: WRT: Overriding region id 28

[    2.006712] iwlwifi 0000:00:14.3: loaded firmware version 46.fae53a8b.0 9000-pu-b0-jf-b0-46.ucode op_mode iwlmvm

[    2.053888] iwlwifi 0000:00:14.3: BIOS contains WGDS but no WRDS

[    2.053897] iwlwifi 0000:00:14.3: Detected Intel(R) Wireless-AC 9560 160MHz, REV=0x318

```

I found this issue in the journal

```

journalctl -r | grep wpa_supplicant

Mär 17 15:26:04 thinkpad wpa_supplicant[498]: dbus: fill_dict_with_properties dbus_interface=fi.w1.wpa_supplicant1.BSS dbus_property=RSN getter failed

Mär 17 15:26:04 thinkpad wpa_supplicant[498]: dbus: Failed to construct signal

Mär 17 15:26:04 thinkpad wpa_supplicant[498]: dbus: wpa_dbus_get_object_properties: failed to get object properties: (org.freedesktop.DBus.Error.Failed) failed to parse RSN IE

Mär 17 15:26:04 thinkpad wpa_supplicant[498]: dbus: fill_dict_with_properties dbus_interface=fi.w1.wpa_supplicant1.BSS dbus_property=RSN getter failed

```

There are a few pages on google, but there was nothing useful about the error.

I initially masked wpa_supplicant-2.10-r1.

----------

## CrouchingTigger

 *Jean-Paul wrote:*   

> Hi,
> 
> I ran into the same error yesterday. no wifi after update to wpa_supplicant-2.10-r1. 
> 
> BTW we have the same nic, maybe that mean something.
> ...

 

According to the changelog some unsed patches were removed in 2.10-r1. Guess I'll mask and rollback, too.

----------

## Gentlenoob

Hi all,

I also had troubles after todays wpa_supplicant upgrade from 2.10 to 2.10-r1

```

hp14ma1 ~ # /etc/init.d/net.wlo1 start

 * Bringing up interface wlo1

 *   Starting wpa_supplicant on wlo1 ...

Successfully initialized wpa_supplicant

Line 10: invalid cipher 'CCMP TKIP'.

Line 10: failed to parse pairwise 'CCMP TKIP'.

Line 11: invalid cipher 'CCMP TKIP'.

Line 11: failed to parse group 'CCMP TKIP'.

Line 12: failed to parse network block.

Line 24: invalid cipher 'CCMP TKIP'.

Line 24: failed to parse pairwise 'CCMP TKIP'.

Line 25: invalid cipher 'CCMP TKIP'.

Line 25: failed to parse group 'CCMP TKIP'.

Line 33: failed to parse network block.

Failed to read or parse configuration '/etc/wpa_supplicant/wpa_supplicant.conf'.

: CTRL-EVENT-DSCP-POLICY clear_all

 *   start-stop-daemon: failed to start `/usr/sbin/wpa_supplicant'                                                                      [ !! ]

 * ERROR: net.wlo1 failed to start

```

I got it working again by removing the offending lines in /etc/wpa_supplicant/wpa_supplicant.conf, i.e. lines like

```

   pairwise=CCMP TKIP

   group=CCMP TKIP

```

I had those lines in for ages and don't remember why, just once it seemed necessary to me, obviously.

Downgrading was my first thought, but it seems that 2.10 isn't in the tree anymore, which I find discomforting. May I ask for some more relaxed removal policy, please?

Cheers, Ralph

----------

## CrouchingTigger

 *Gentlenoob wrote:*   

> 
> 
> I also had troubles after todays wpa_supplicant upgrade from 2.10 to 2.10-r1
> 
> [...]
> ...

 

In my case there was no failure to start wpa_supplicant and the interface was up yet remained inactive ("WARNING: net.wlo1 has started, but is inactive") but then again out of offending lines I only have "pairwise=CCMP" in my wpa_supplicant.conf.

 *Gentlenoob wrote:*   

> 
> 
> Downgrading was my first thought, but it seems that 2.10 isn't in the tree anymore, which I find discomforting. May I ask for some more relaxed removal policy, please?
> 
> 

 

For now, I got around the issue by downloading the missing ebuild/patches from gitweb.gentoo.org and emerging 2.10 from a local repo.

----------

## unheatedgarage

Also had the same problem. For now I switched back to net-wireless/iwd.

In my case I didn't notice the problem until a day after the update, after rebooting -- all my systems were affected -- thankfully I remembered that wpa_supplicant had been recently updated.

Glad to see I'm not the only one with the problem.

----------

## jburns

A possible workaround is to build wpa_supplicant with the tkip USE flag.  The default was tkip enabled until 2.10-r1 where the default was changed to disabled.

----------

## houtworm

 *jburns wrote:*   

> A possible workaround is to build wpa_supplicant with the tkip USE flag. 

 

Yeah! That works, thank you!!

I did cost me a day of trying until I downgraded to 2,9 and my wifi started working again, but with tkip version 2.10 also works  :Smile: 

----------

## paluszak

 *jburns wrote:*   

> A possible workaround is to build wpa_supplicant with the tkip USE flag.  The default was tkip enabled until 2.10-r1 where the default was changed to disabled.

 

Kudoz, I have an old router in my cabin and it's been working flawlessly for years so I'm reluctant to replace it. My media center suddenly stopped connecting to wifi after update and the culprit was removal of default TKIP support. Re-emerging wpa_supplicant with tkip flag enabled solved the problem.

----------

## CrouchingTigger

 *jburns wrote:*   

> A possible workaround is to build wpa_supplicant with the tkip USE flag.  The default was tkip enabled until 2.10-r1 where the default was changed to disabled.

 

Thank you, jburns. Marking the thread as solved.

----------

## MFG080xc0

 *jburns wrote:*   

> A possible workaround is to build wpa_supplicant with the tkip USE flag.

 

Had the same issue after updating and rebooting, thank you for the fix.

----------

## devsk

This begs the question: Why did the dev decide to do this default switch with an -r1 update without a NEWS item which could flash this?

All the folks who only have TKIP support in their routers will fail to connect, leaving them no resort to recover (how do you download the older ebuild if your wifi is down?).

Changes like this need to be thought out and announced so that folks know that the breakage is coming! Dev's concern for security is appreciated but a heads up NEWS item would be too!

----------

## jburns

The problem was not caused by the router only having TKIP support although that would be a problem.  One of the solutions was to disable TKIP support in /etc/wpa_supplicant/wpa_supplicant.conf. The problem seems to also be related to using the iwlwifi driver.

The problem could be caused by 1. wpa_supplicant saying it supports TKIP when it does  not and  2. The iwlwifi driver not being able to handle the case where wpa_supplicant says it supports TKIP when it does not support it.  The problem is also related to the router capabilities.  I solved my problem by replacing my 802.11ac router with a 802.11ax router. Befor I replaced the router I connected to the internet via a hot spot on my phone which supports 802.11ax which connected to my router.

----------

## devsk

Yeah, there are several pieces involved in making the wifi communication happen. That's why we can't switch a piece off unilaterally! Taking tkip support away from wpa_supplicant without announcing it first was a bad idea!

I would have liked not needing to troubleshoot my kernel, drivers, recent firmware package update, router etc. Took a long time! If there was a news item for it, it would have saved me half day's worth of reverting and fiddling with different pieces.

----------

## Gentlenoob

Seconded.

Plus repeating my plea for some less strict removal policy. My knee-jerk reaction to sudden breakage is reverting back, which wasn't easily possible here, as the working version was gone (and I would have to read about local repos, git etc. first).

Cheers, Ralph

----------

## Hu

I think emerge --usepkgonly =wpa_supplicant-2.10 should have been able to reinstall a binpkg of the older version, even without the ebuild.

I'm not surprised that TKIP was changed to default to disabled.  According to equery use, it was deprecated in 2009.

As far as asking for a different removal policy, are you sure that the relevant developer(s) are even reading this thread?  If not, it doesn't matter what you ask them to do.  They'll never know you asked.  :Smile: 

----------

## Gentlenoob

I'll try to remember that option, but if I'm not mistaken, this only works if a binpkg is available, which I think it wasn't in my case. But the even simpler emerge =wpa_supplicant-2.10 should have done the trick, if ebuild (+ distfiles) still there.

pre-2009 sounds about right for my 1st wifi attempts. The router from these days was replaced 3y ago, with no apparent hiccups.

What's a better place to ask for a more recovery-friendly removal policy? Keeping 1 - 2 older versions doesn't seem too unreasonable to me, at least for more critical system stuff. I even vaguely remember having seen discussions on such issues? Any hints?

Cheers, Ralph

----------

## cavernico

You can downgrade to 2.9 emerging from libressl overlay and problem is fix. Also enabling the use flag mentioned above also works for me.

----------

## Gentlenoob

sorry, if I didn't make that clear, the problem is fixed for me already. I've also set the tkip useflag now, just in case I'll run into some old router somewhere.

I was just bitching a bit since this was the 1st time with Gentoo that I wasn't able to revert easily to some working state (if I remember correctly).

Cheers, Ralph

----------

## ese002

 *Hu wrote:*   

> I think emerge --usepkgonly =wpa_supplicant-2.10 should have been able to reinstall a binpkg of the older version, even without the ebuild.
> 
> I'm not surprised that TKIP was changed to default to disabled.  According to equery use, it was deprecated in 2009.
> 
> 

 

I'm sort of surprised, given that the example config in the wiki for wpa_supplicant still uses TKIP and does not emphasize that a use change is needed to make it work. https://wiki.gentoo.org/wiki/Wpa_supplicant

The man page examples also use tkip.

If tkip was deprecated in wpa_supplicant in 2009, shouldn't the documentation have been updated before tkip became disabled by default?  Granted, they only had 13 years....

----------

## Hu

The deprecation note is in equery use output, which makes it the domain of the Gentoo maintainer.  The Wiki is community-maintained, and the Gentoo maintainer may or may not even read that page.  The manual pages are maintained by upstream, which may or may not be the same group that maintains the Gentoo package.

According to Wikipedia, in 2009, IEEE resolved to deprecate TKIP.  In 2012, a standard revision formally deprecated it.

Yes, the documentation should be updated accordingly.  However, I see nothing in this thread to lead me to believe that the person who changed the default on the USE flag is the documentation maintainer for any of the documentation you cite.  The people who maintain those documentation sources could be advised to add a deprecation note.

----------

## devsk

Documentation gets ignored most of the time. I think this kind of change is best suited for a news item that appears in 'eselect news', a notification for which is shown at the end of each emerge. The tkip removal is EXACTLY what the news was designed for.

PS: I have always read the news items religiously because I know if I don't, pain follows.

----------

## ulcuber

 *jburns wrote:*   

> A possible workaround is to build wpa_supplicant with the tkip USE flag.  The default was tkip enabled until 2.10-r1 where the default was changed to disabled.

 

Thank you very much. So much old routers around

----------

## ese002

 *devsk wrote:*   

> Documentation gets ignored most of the time. I think this kind of change is best suited for a news item that appears in 'eselect news', a notification for which is shown at the end of each emerge. The tkip removal is EXACTLY what the news was designed for.
> 
> PS: I have always read the news items religiously because I know if I don't, pain follows.

 

Eselect news is important when existing installations need to be adjusted.  However, documentation should not be discounted.  People have been unnecessarily putting the tkip bomb in new configurations for 13 years following its depreciation.  Why?  Because the documentation told them to do that.  I count myself among them.  I cloned the recipe in the wiki in 2016, seven years after the tkip flag was deprecated.

----------

## grknight

 *ese002 wrote:*   

> Eselect news is important when existing installations need to be adjusted.  However, documentation should not be discounted.  People have been unnecessarily putting the tkip bomb in new configurations for 13 years following its depreciation.  Why?  Because the documentation told them to do that.  I count myself among them.  I cloned the recipe in the wiki in 2016, seven years after the tkip flag was deprecated.

 

FWIW, the wpa_supplicant man page echos the wiki for this setting as the default.

The real fix for everyone who is able to is to enter their router/AP's config and use AES instead of TKIP.  This has been available for devices in the last decade or so for the most part.

----------

## yayo

I agree with anyone else who is asking for a news post in such case.

----------

## bluenuht

TLDR; Had the same issue, came to same +tkip fix conclusion

<vent>

I have 500 lines of notes trying to diagnose this.

6 kernel rebuilds

a custom wifi driver hand built

various hand built from tarball wpa_supplicants

not to mention the trip hazard while WiFi was down, when I had to use a 10ft Ethernet cable

I cannot count the hours spent on this.

</vent>

i will lodge a bug with upstream directly

----------

## Jeff132312342q4323

 *bluenuht wrote:*   

> TLDR; Had the same issue, came to same +tkip fix conclusion

 

Thank you this USE flag fixed it for me, I was updating my entire system and was not aware that this USE flag was needed. 

But for some reason without the USE flag, I was still able to connect to my personal hotspot, I guess that is a bit strange as I was not able to connect to my home wifi but my personal hotspot. 

But anyways that is now fixed and I have updated entire system, and also upgraded to  5.17.0-gentoo-x86_64 kernel

----------

## AstroFloyd

TKIP appears to be needed for my five-year old modem/ap, so a news message would have been appreciated.

----------

## Hu

 *Jeff132312342q4323 wrote:*   

> But for some reason without the USE flag, I was still able to connect to my personal hotspot, I guess that is a bit strange as I was not able to connect to my home wifi but my personal hotspot. 

 Your hotspot probably offers a newer and more secure protocol that succeeded TKIP. *AstroFloyd wrote:*   

> TKIP appears to be needed for my five-year old modem/ap, so a news message would have been appreciated.

 Is the AP unable to negotiate better at all, or is it merely configured to offer only TKIP currently?  In the latter case, a configuration change of the AP would enable it to use a better protocol.  Also, for the benefit of future readers, it would be helpful to mention the make and model of the bad AP, so that other readers can know they are likewise impacted.

----------

## AstroFloyd

[quote="Hu"] *Jeff132312342q4323 wrote:*   

> Is the AP unable to negotiate better at all, or is it merely configured to offer only TKIP currently?  In the latter case, a configuration change of the AP would enable it to use a better protocol.  Also, for the benefit of future readers, it would be helpful to mention the make and model of the bad AP, so that other readers can know they are likewise impacted.

 Fair enough.  

However, I'm no expert in this matter.  The device calls itself MediaAccess TG789bvn and lists Security Mode: WPA-PSK, WPA-PSK Encryption: TKIP&AES, WPA-PSK Version: WPA&WPA2.  The term AES does not occur in the wpa_supplicant.conf man page, so I'm guessing its not an alternative to TKIP.  

In the AP, I can only change the security mode, which is currently "WPA-PSK + WPA2-PSK" but can be changed to "Disabled", "WEP 64 bit", "WEP 128 bit", "WPA-PSK", "WPA2-PSK", "WPA", "WPA2" or "WPA + WPA2".  Again, nowhere I can (de)select TKIP or an alternative.

In my wpa_supplicant.conf, all entries have lines like "pairwise=CCMP TKIP" and "group=CCMP TKIP", so I checked the man page but there is no example line that does not contain TKIP, so I'm not surprised that many people use it by default.

----------

## mscili

Thanks for this thread... I had the same problem (suddenly only fewer wireless access points available in NetworkManager, my mobile phone's hotspot working, my home router not appearing anymore). My home router was set to "WPA/WPA2 Personal" security, which only works with the tkip use flag activated in wpa_supplicant. If I change the router setting to only "WPA2 Personal", then TKIP is not needed anymore (and it works without the use flag on wpa_supplicant). It looks like the switch from TKIP to CCMP happens in an "hidden way" somewhere, hence the confusion.

I'll keep the tkip use flag activated even if I'm not using TKIP at home now - it may be easily needed to use my laptop away from home...

----------

## SlashRhumSlashNeisson

Hi,

i've just change my wpa_supplicant.conf like this:

```

ssid="xxxxxxxxxxxxx"

psk=yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy

scan_ssid=1

proto=RSN

key_mgmt=WPA-PSK

group=CCMP

pairwise=CCMP

priority=5

```

wpa_supplicant use flag:

```
[I] net-wireless/wpa_supplicant

     Available versions:  2.10-r1 **9999*l {ap broadcom-sta +crda dbus eap-sim eapol-test fasteap +fils +hs2-0 macsec +mbo +mesh p2p privsep ps3 qt5 readline selinux smartcard tdls tkip uncommon-eap-types wep wimax wps}

     Installed versions:  2.10-r1(11:03:38 27/03/2022)(crda dbus fils hs2-0 mbo mesh qt5 readline -ap -broadcom-sta -eap-sim -eapol-test -fasteap -macsec -p2p -privsep -ps3 -selinux -smartcard -tdls -tkip -uncommon-eap-types -wep -wimax -wps)

     Homepage:            https://w1.fi/wpa_supplicant/

     Description:         IEEE 802.1X/WPA supplicant for secure wireless transfers

```

My router/AP's config use AES instead of TKIP.

----------

## destroyedlolo

 *Hu wrote:*   

> 
> 
> According to Wikipedia, in 2009, IEEE resolved to deprecate TKIP.  In 2012, a standard revision formally deprecated it.
> 
> 

 

The problem is there are lot of old routers around that CAN'T be udated : as example, my Internet Provided gave me a router (FreeBox V5) build in ... 2005 and it will charge me if I want a newer model (or the newer has less capabilities).

So I second the fact such changes have to be advertised   :Wink: 

----------

## MidnightCheese

Removing the pairwise and grouptkip lines from the config helped me get back online as well. Thanks for solving this.

----------

## dimpase

 *ulcuber wrote:*   

>  *jburns wrote:*   A possible workaround is to build wpa_supplicant with the tkip USE flag.  The default was tkip enabled until 2.10-r1 where the default was changed to disabled. 
> 
> Thank you very much. So much old routers around

 

I got bitten by this just yesterday (and, possibly, earlier - my eduroam stopped working with wpa_supplicant v2.10 too)

Filed https://forums.gentoo.org/viewtopic-t-1147741.html

----------

## Hu

 *dimpase wrote:*   

> Filed https://forums.gentoo.org/viewtopic-t-1147741.html

 That appears to be a URL to this thread.  Did you mean wpa_supplicant version 2.10 needs USE="tkip"?  If so, I doubt from the content of its comment #0 that it will go anywhere.  TKIP has been deprecated for more than 10 years, and was disabled by default for good reason.  I notice that the maintainers already have a compromise, in this warning in the postinst:

```
   if ! use tkip; then

      ewarn "WARNING: You are building with TKIP support disabled, which is recommended since"

      ewarn "this protocol is deprecated and insecure.  If you still need to connect to"

      ewarn "TKIP-enabled networks, you may turn this flag back on.  With this flag off,"

      ewarn "TKIP-enabled networks, including mixed mode TKIP/AES-CCMP will not even show up"

      ewarn "as available.  If your network is missing you may wish to USE=tkip"

   fi
```

A better solution for many networks might be to change wpa_supplicant so that mixed mode TKIP/AES-CCMP networks are offered and used in a non-TKIP mode.

----------

