Z-Wave security setup failing during inclusion

I recently have issues adding new z-wave devices in secure authentication mode using the Z-Wave JS UI. In between when this was working and when it was not, I did change from a Supervised install to an HA OS install, utilizing a full backup. Not sure if that’s relevant. I am using a Nortek HUSBZB-1 USB stick.

I have three identical devices (Inovelli VZW-31 switch): two were added previously and show “Highest Security: S2 Authenticated”, and one I just added, which shows “Highest Security: None”. I have tried including and excluding several times, all with the same result. During inclusion, I expect to see a setup screen where I can input the PIN on the switch, and I do believe I see it for a small fraction of a second, before the UI switches to an error, which reads:

“The device could not be added. ‘dsk’ option is only supported with inclusion_strategy=SECURITY_S2”

Inclusion will continue for a minute or two, though, according to the logs, showing this error before completing inclusion unauthenticated:

2025-01-07T22:02:22.456Z CNTRLR « [Node 055] Ignoring KEXSet because the DSK has not been verified yet
2025-01-07T22:02:31.796Z CNTRLR [Node 055] Security S2 bootstrapping failed: User rejected the DSK, entered an
invalid PIN or the interaction timed out.
2025-01-07T22:02:31.805Z DRIVER one or more queues busy
2025-01-07T22:02:31.815Z DRIVER » [Node 055] [REQ] [SendData]
│ transmit options: 0x25
│ callback id: 31
└─[Security2CCKEXFail]
reason: BootstrappingCanceled

I have not changed any settings in the Z-Wave JS add-on configuration or the Z-Wave integration configuration.

The two other devices that did include in S2 Authenticated mode still operate just fine, as does the rest of the network. And, I can control this new switch in Unauthenticated mode just fine as well. And I know I don’t need a wall switch to have security enabled necessarily, but I want to know if something is wrong with my set up in case I add a security-critical device later. I’ve also read that proximity of the device to the controller can matter for secure inclusion, but the device is right above (second floor) the controller (first floor closet), and one of the identical devices that securely included is much farther away.

Any ideas? I am on 2025.1.1. I have tried looking around for known issues like this, to no avail. Could switching install types have caused loss/change of authentication keys? If so, how could the existing securely included switches still be working?

3 Likes

Are you going into the advanced inclusion dialog and switching from Default to “Secure if possible”? Or are you scanning a QR code?

Hello,
I have the same behavior with 2 of my 6 Fibaro FGR-223 that were already included in S2 security mode in my previous home and in another home automation system that uses also “z-wave js”.
Today I move to HA and I can’t have access to my previous home automation system in order to test.
So I don’t know if the issue comes from the module itself or if it another source of problem?

On my side, yes and then I see the error message ‘dsk’ option is only supported with inclusion_strategy=SECURITY_S2 after a couple of minute the module is added in a unauthenticated mode.

On my side I need all those modules to be in S2 authenticated because:

  • those module are dedicated to roller shutter and garage door
  • and also z-wave associations are not compatible between S2 auth to S2 non-auth & S0

Any help or suggestion will be appreciated if you have some ideas or expertise.

Thank you

Hello,

I have the same issue:

dsk option is only supported with inclusion_strategy=SECURITY_S2

After couple of minute, it works without security.

I come from other soft (Jeedom, french dev) and this module worked well.

Where can i find “advanced inclusion dialog” to switch from Default to “Secure if possible” ?

For information, it’s working in secure mode when you scan the QRCode…

Having this issue too. Got 4 identical Shelly Wave 1PM Mini and started pairing them. The first one paired in secure mode and the rest is throwing the same “dsk” error during pairing. Tried unpairing and pairing again multiple times. Also tried manually selecting just the “Secure if available” pairing mode and that didn’t help.

The controller I’m using doesn’t support pairing through QR code.

I managed to consistently pair the 3 remaining devices in secure mode using this flow:

  1. Click How do you want to add your device in the add device dialog:

Screenshot 2025-01-23 at 11.18.26

  1. Select Secure if possible:

Screenshot 2025-01-23 at 11.18.30

  1. Leave all checkboxes selected and click Submit

Screenshot 2025-01-23 at 11.18.43

  1. Enter the pin

Screenshot 2025-01-23 at 11.18.49

1 Like

Tried what you suggested but I only have these options:

Leading to:

Controller is Zooz ZST39
Device is Zooz 800 Series Z-Wave Long Range Smart Plug ZEN04 800LR

I have plenty others on the network that paired just fine up till a month or so ago. No idea what happened or how I can roll it back :slight_smile:

2 Likes

If you are able to reproduce this problem, I would turn on integration debug logs and submit an issue to HA core, attaching the debug logs.

https://www.home-assistant.io/integrations/zwave_js/#how-do-i-access-the-z-wave-logs

https://github.com/home-assistant/core/issues/new/choose

I was having this same problem. I’m using Z-Wave JS UI. I’m not sure if others are using Z-Wave JS UI or not, but I’m starting to suspect this might be related to use of the JS UI instead of the built-in Z-Wave JS. What I did to fix was to add the device via the Z-Wave JS UI instead:

Open Z-Wave JS UI
Navigate to Control Panel
Click the blue button on the bottom right (the one with three dashes)
Click “Manage nodes” (green infinity button)
Inclusion → Next
Optionally assign Name/Location → Next
Select Default, Force Security → Next

Unfortunately, I didn’t save screenshots, but hopefully that gives enough hints. Please share if this works for others!

1 Like

Like @StephaneBro, I came from Jeedom home automation software too and on my side I finally solve this issue by including the z-wave devices into Jeedom again. The module have been added in S0 Legacy mode (like in HA, S2 auth don’t work these modules) so I had the same issue but I can see through Z-Wave JS implementation in Jeedom some values are not reseted like the consumption when I made the factory reset into these modules. I don’t know if it is normal behavior🤔


So I reset this value and factory reset the module:

After that I was able to add the module in S2 Authenticated mode with the code in HA :star_struck:

So I don’t know if I was lucky but it works on 4 modules. I assume this could be work directly from HA with Z-Wave JS UI by including in S0 the module, reseting the values, excluding the module, factory reset the module then try the S2 Authenticated inclusion.

My 2 cents…

This worked for me. Thank you!!

1 Like

Has anyone else been able to get S2 inclusion to work. I just started with HA and this is driving me bonkers, as I’d like to move my Z-Wave devices over from SmartThings. I am thinking I’ll need to submit an issue as suggested above. :frowning:

Half the nodes in my network (14/30) are included with S2. I never use HA for inclusion, only ZUI.

1 Like