What is the key update interval (rekey-interval) between a client and a Wi-Fi access point?

The WPA Rekey Interval (also called Group Key Update Interval or WPA Group Rekey Interval) is the time in seconds between WPA/WPA2 encryption key renewals. This mechanism is used to increase security. At the set interval, the Wi-Fi access point will generate a new temporary key for all connected devices. Once the key has been distributed, the network begins to operate with the new security settings.

From KeeneticOS 3.4, a re-keying procedure is automatically enabled at 24-hour intervals (86400 seconds; for most cases, this value is optimal). Previously, from version 2.15 to 3.3, this value was 1 hour (3600 seconds).

But if necessary, this value can be changed via the command-line interface (CLI) of the router:

interface WifiMaster0 rekey-interval <seconds> (for the 2.4 GHz network)

interface WifiMaster1 rekey-interval <seconds> (for the 5 GHz network)


The rekey-interval value can be set from 0 to 4194303 seconds; the default setting is 86400 seconds (24 hours or 1 day).

The rekey-interval option periodically runs the GTK 2-way handshake to update the WPA2 group key for all Wi-Fi client devices connected to the access point. Typically, key renegotiation proceeds without disconnecting and reconnecting devices and, consequently, without loss of connectivity or any delay. However, some Wi-Fi clients fail to complete this procedure without reconnecting, which can result in a brief connection interruption or a delay of several seconds and cause delay-sensitive services such as Voice over IP (VoIP) or Digital Television (IPTV) to fail. Usually, this is due to a feature of the Wi-Fi client itself or to the radio conditions if the client is far enough away from the Keenetic.

In the router's system log (on the Diagnostics page), you can see messages showing that a device failed to negotiate the key and had to go through the reconnection procedure. For example:

[I] Apr 5 11:35:47 wmond: WifiMaster1/AccessPoint0: (MT76x2) STA(18:81:0e:6a:c2:36) set key done in WPA2/WPA2PSK. 
[I] Apr 5 11:35:47 wmond: WifiMaster1/AccessPoint0: (MT76x2) STA(00:0f:00:75:27:40) set key done in WPA2/WPA2PSK.
[I] Apr 5 11:35:47 wmond: WifiMaster1/AccessPoint0: (MT76x2) STA(34:e1:2d:b7:c3:61) set key done in WPA2/WPA2PSK.
[I] Apr 5 11:35:47 wmond: WifiMaster1/AccessPoint0: (MT76x2) STA(d0:4f:7e:62:c8:a3) set key done in WPA2/WPA2PSK.
[I] Apr 5 11:35:48 wmond: WifiMaster1/AccessPoint0: (MT76x2) STA(04:d6:aa:8c:c3:75) set key done in WPA2/WPA2PSK.
[I] Apr 5 11:35:49 wmond: WifiMaster0/AccessPoint0: (MT7628) STA(d0:d2:b0:13:6b:fe) group key handshaking timeout.
[I] Apr 5 11:35:49 wmond: WifiMaster0/AccessPoint0: (MT7628) STA(d0:d2:b0:13:6b:fe) had deauthenticated by AP (reason: GTK 2-way handshake timeout).
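
A small Python script (an added example, not part of the original article or of Keenetic software) that scans saved system-log text for the messages shown above and counts, per radio and client MAC, how often a failed group rekey ended in deauthentication. It assumes the line layout matches the sample log; the function names and the log lines marked as constructed are illustrative.

```python
import re
from collections import Counter

# Line layout assumed from the sample log in the article.
LINE_RE = re.compile(
    r"^\[\w\] \w{3} +\d+ [\d:]{8} wmond: "
    r"(?P<radio>WifiMaster\d+)/AccessPoint\d+: \([^)]*\) "
    r"STA\((?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\) (?P<msg>.*\S)",
    re.IGNORECASE,
)
# Reason string the AP logs when it drops a client after a failed group rekey.
DEAUTH_REASON = "GTK 2-way handshake timeout"

def rekey_failures(lines):
    """Count, per (radio, client MAC), deauthentications caused by a failed group rekey."""
    failures = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        # Only the deauthentication line is counted, so the preceding
        # "group key handshaking timeout" line does not double the total.
        if m and DEAUTH_REASON in m["msg"]:
            failures[(m["radio"], m["mac"].lower())] += 1
    return failures

def by_radio(failures):
    """Group failing clients by radio: WifiMaster0 is 2.4 GHz, WifiMaster1 is 5 GHz."""
    grouped = {}
    for (radio, mac), count in sorted(failures.items()):
        grouped.setdefault(radio, {})[mac] = count
    return grouped

# The first three lines come from the article's sample; the last two are constructed.
SAMPLE = """
[I] Apr 5 11:35:47 wmond: WifiMaster1/AccessPoint0: (MT76x2) STA(18:81:0e:6a:c2:36) set key done in WPA2/WPA2PSK.
[I] Apr 5 11:35:49 wmond: WifiMaster0/AccessPoint0: (MT7628) STA(d0:d2:b0:13:6b:fe) group key handshaking timeout.
[I] Apr 5 11:35:49 wmond: WifiMaster0/AccessPoint0: (MT7628) STA(d0:d2:b0:13:6b:fe) had deauthenticated by AP (reason: GTK 2-way handshake timeout).
[I] Apr 6 11:35:49 wmond: WifiMaster0/AccessPoint0: (MT7628) STA(d0:d2:b0:13:6b:fe) had deauthenticated by AP (reason: GTK 2-way handshake timeout).
[I] Apr 6 11:35:50 wmond: WifiMaster1/AccessPoint0: (MT76x2) STA(02:00:00:00:00:01) had deauthenticated by AP (reason: GTK 2-way handshake timeout).
"""

if __name__ == "__main__":
    for radio, clients in by_radio(rekey_failures(SAMPLE.splitlines())).items():
        for mac, count in clients.items():
            print(f"{radio} {mac}: {count} deauth(s) after group rekey timeout")
```

Clients that show up repeatedly are the ones to check for signal quality or client-side behaviour before changing rekey-interval on that radio.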


In exceptional cases, key renegotiation can be deactivated using the commands:

interface WifiMaster0 no rekey-interval (for the 2.4 GHz network)

interface WifiMaster1 no rekey-interval (for the 5 GHz network)


But we do not recommend deactivating the key renegotiation mechanism. To maintain a certain level of security, simply change the interval to, for example, 36 hours (129600 seconds). This can be done with the commands:

interface WifiMaster0 rekey-interval 129600 (for the 2.4 GHz network)

interface WifiMaster1 rekey-interval 129600 (for the 5 GHz network)


To save the settings, run the command:

system configuration save