Z-Wave security setup failing during inclusion

I have recently had issues adding new Z-Wave devices in secure authentication mode using the Z-Wave JS UI. In between when this was working and when it was not, I did change from a Supervised install to an HA OS install, utilizing a full backup. Not sure if that’s relevant. I am using a Nortek HUSBZB-1 USB stick.

I have three identical devices (Inovelli VZW-31 switch): two were added previously and show “Highest Security: S2 Authenticated”, and one I just added, which shows “Highest Security: None”. I have tried including and excluding several times, all with the same result. During inclusion, I expect to see a setup screen where I can input the PIN on the switch, and I do believe I see it for a small fraction of a second, before the UI switches to an error, which reads:

“The device could not be added. ‘dsk’ option is only supported with inclusion_strategy=SECURITY_S2”

Inclusion will continue for a minute or two, though, according to the logs, showing this error before completing inclusion unauthenticated:

2025-01-07T22:02:22.456Z CNTRLR « [Node 055] Ignoring KEXSet because the DSK has not been verified yet
2025-01-07T22:02:31.796Z CNTRLR [Node 055] Security S2 bootstrapping failed: User rejected the DSK, entered an
invalid PIN or the interaction timed out.
2025-01-07T22:02:31.805Z DRIVER one or more queues busy
2025-01-07T22:02:31.815Z DRIVER » [Node 055] [REQ] [SendData]
│ transmit options: 0x25
│ callback id: 31
└─[Security2CCKEXFail]
reason: BootstrappingCanceled

I have not changed any settings in the Z-Wave JS add-on configuration or the Z-Wave integration configuration.

The two other devices that did include in S2 Authenticated mode still operate just fine, as does the rest of the network. And I can control this new switch in Unauthenticated mode just fine as well. And I know I don’t need a wall switch to have security enabled necessarily, but I want to know if something is wrong with my setup in case I add a security-critical device later. I’ve also read that proximity of the device to the controller can matter for secure inclusion, but the device is right above (second floor) the controller (first floor closet), and one of the identical devices that securely included is much farther away.

Any ideas? I am on 2025.1.1. I have tried looking around for known issues like this, to no avail. Could switching install types have caused loss/change of authentication keys? If so, how could the existing securely included switches still be working?

3 Likes
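A way to audit a driver log for nodes whose S2 bootstrapping failed, so that a device joining without security does not go unnoticed. This is an added example, not part of the thread or of Z-Wave JS; it keys only on the message strings visible in the log excerpt above, and the last sample line is constructed.

```python
import re

# Log excerpt copied from the post above; the last line is constructed.
SAMPLE_LOG = """\
2025-01-07T22:02:22.456Z CNTRLR « [Node 055] Ignoring KEXSet because the DSK has not been verified yet
2025-01-07T22:02:31.796Z CNTRLR [Node 055] Security S2 bootstrapping failed: User rejected the DSK, entered an
invalid PIN or the interaction timed out.
2025-01-07T22:02:31.805Z DRIVER one or more queues busy
2025-01-07T22:02:31.815Z DRIVER » [Node 055] [REQ] [SendData]
│ transmit options: 0x25
│ callback id: 31
└─[Security2CCKEXFail]
reason: BootstrappingCanceled
2025-01-07T22:09:00.000Z CNTRLR [Node 056] constructed line unrelated to security
"""

TIMESTAMPED = re.compile(r"^\d{4}-\d{2}-\d{2}T[\d:.]+Z\s+(\w+)\s+(.*)$")
NODE = re.compile(r"\[Node (\d+)\]")


def group_entries(text):
    """Fold wrapped/continuation lines into the timestamped entry they belong to."""
    entries = []
    for line in text.splitlines():
        match = TIMESTAMPED.match(line)
        if match:
            entries.append([match.group(1), match.group(2)])
        elif entries and line.strip():
            entries[-1][1] += " " + line.strip()
    return entries


def s2_failures(text):
    """Return {node_id: {...}} for nodes with a failed S2 bootstrap or a KEXFail frame."""
    report = {}
    for _source, body in group_entries(text):
        node = NODE.search(body)
        if not node:
            continue
        node_id = int(node.group(1))
        if "Security S2 bootstrapping failed" in body:
            detail = body.split("bootstrapping failed:", 1)[-1].strip()
            report.setdefault(node_id, {})["detail"] = detail
        if "Security2CCKEXFail" in body:
            reason = re.search(r"reason:\s*(\w+)", body)
            report.setdefault(node_id, {})["kex_fail_reason"] = reason.group(1) if reason else None
    return report
```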

Are you going into the advanced inclusion dialog and switching from Default to “Secure if possible”? Or are you scanning a QR code?

Hello,
I have the same behavior with 2 of my 6 Fibaro FGR-223 that were already included in S2 security mode in my previous home and in another home automation system that also uses “z-wave js”.
Today I move to HA and I can’t access my previous home automation system in order to test.
So I don’t know if the issue comes from the module itself or if it is another source of problem.

On my side, yes, and then I see the error message ‘dsk’ option is only supported with inclusion_strategy=SECURITY_S2; after a couple of minutes the module is added in an unauthenticated mode.

On my side I need all those modules to be in S2 authenticated because:

  • those modules are dedicated to roller shutter and garage door
  • and also z-wave associations are not compatible between S2 auth to S2 non-auth & S0

Any help or suggestion will be appreciated if you have some ideas or expertise.

Thank you

Hello,

I have the same issue:

dsk option is only supported with inclusion_strategy=SECURITY_S2

After a couple of minutes, it works without security.

I come from other software (Jeedom, French dev) and this module worked well.

Where can I find the “advanced inclusion dialog” to switch from Default to “Secure if possible”?

For information, it’s working in secure mode when you scan the QRCode…

Having this issue too. Got 4 identical Shelly Wave 1PM Mini and started pairing them. The first one paired in secure mode and the rest is throwing the same “dsk” error during pairing. Tried unpairing and pairing again multiple times. Also tried manually selecting just the “Secure if available” pairing mode and that didn’t help.

The controller I’m using doesn’t support pairing through QR code.

I managed to consistently pair the 3 remaining devices in secure mode using this flow:

  1. Click “How do you want to add your device” in the add device dialog
  2. Select “Secure if possible”
  3. Leave all checkboxes selected and click Submit
  4. Enter the PIN

1 Like

Tried what you suggested but I only have these options:

Leading to:

Controller is Zooz ZST39
Device is Zooz 800 Series Z-Wave Long Range Smart Plug ZEN04 800LR

I have plenty others on the network that paired just fine up till a month or so ago. No idea what happened or how I can roll it back :slight_smile:

2 Likes

If you are able to reproduce this problem, I would turn on integration debug logs and submit an issue to HA core, attaching the debug logs.

https://www.home-assistant.io/integrations/zwave_js/#how-do-i-access-the-z-wave-logs

https://github.com/home-assistant/core/issues/new/choose

I was having this same problem. I’m using Z-Wave JS UI. I’m not sure if others are using Z-Wave JS UI or not, but I’m starting to suspect this might be related to use of the JS UI instead of the built-in Z-Wave JS. What I did to fix was to add the device via the Z-Wave JS UI instead:

Open Z-Wave JS UI
Navigate to Control Panel
Click the blue button on the bottom right (the one with three dashes)
Click “Manage nodes” (green infinity button)
Inclusion → Next
Optionally assign Name/Location → Next
Select Default, Force Security → Next

Unfortunately, I didn’t save screenshots, but hopefully that gives enough hints. Please share if this works for others!

1 Like

Like @StephaneBro, I came from Jeedom home automation software too, and on my side I finally solved this issue by including the Z-Wave devices into Jeedom again. The modules were added in S0 Legacy mode (like in HA, S2 auth doesn’t work with these modules), so I had the same issue, but I can see through the Z-Wave JS implementation in Jeedom that some values are not reset, like the consumption, when I did the factory reset on these modules. I don’t know if it is normal behavior 🤔

So I reset this value and factory reset the module:

After that I was able to add the module in S2 Authenticated mode with the code in HA :star_struck:

So I don’t know if I was lucky, but it works on 4 modules. I assume this could work directly from HA with Z-Wave JS UI by including the module in S0, resetting the values, excluding the module, factory resetting the module, then trying the S2 Authenticated inclusion.

My 2 cents…

This worked for me. Thank you!!

1 Like

Has anyone else been able to get S2 inclusion to work? I just started with HA and this is driving me bonkers, as I’d like to move my Z-Wave devices over from SmartThings. I am thinking I’ll need to submit an issue as suggested above. :frowning:

Half the nodes in my network (14/30) are included with S2. I never use HA for inclusion, only ZUI.

1 Like

Yes. I was experiencing the same problem. One ZSE11 included with S2 unauthenticated, and the other with S2 authenticated.

Here is how I fixed it:

  1. scanned the QR code on the device using the HA app on my Android phone (requires SSL). Note that the “S2 authenticated” check-box is greyed out and cannot be selected.

  2. on my PC, exported the SmartStart provisioning entries to a file

  3. looked for the new ZSE11 entry in the file, and changed these fields to the following values for this device:

    "securityClasses": {
      "s2AccessControl": false,
      "s2Authenticated": true,
      "s2Unauthenticated": false,
      "s0Legacy": false
    },

and:

    "requestedSecurityClasses": {
      "s2AccessControl": true,
      "s2Authenticated": true,
      "s2Unauthenticated": true,
      "s0Legacy": true
    },

  4. imported the new provisioning list into HA
  5. if already included, run exclusion and/or factory reset the ZSE11
  6. edit the device name / location for the new SmartStart provisioning entry
  7. turn on the provisioning entry
  8. after a little bit, the device is now included as S2 authenticated. Pressing the Z-Wave button inside may help

I think there is an issue with the SmartStart QR code. It’s either a problem with the QR code printed on the back of the device, or HA is not interpreting that QR code correctly. My guess is that it is the former. Google searches show that users of other hubs have had issues with secure inclusion of the ZSE11 as well.

The other problem is that the manual inclusion for this ZSE11 unit always ends up with S2 unauthenticated also. So, there is also an additional problem on the wire during the handshake. The device should negotiate S2 authenticated, but somehow that never happens.

Both my ZSE11 have the latest 1.30 firmware. The release notes at ZSE11 Q Sensor Change Log - Zooz Support Center state this:

Fixed an issue with S2 Authenticated security inclusion

Clearly, that is not the case. Zooz needs to make one more firmware update to fix the handshake during inclusion.

Zooz also should provide correct SmartStart QR codes. It should be possible to scan the QR code, decode it, fix the S2 entries in it, and re-encode it. Then, it could be printed on a new label to cover the incorrect one.

I recently acquired a very useful Brother PT-P750W label printer. I have been using it for various things, to print labels for my kitchen foods in storage boxes, including the expiration dates. And also battery capacity for all my rechargeable AA & AAA batteries. Printing a new QR code would be right up its alley.

Creating and printing this new QR code label is a lot more work than the procedure I outlined above, so I will probably not end up bothering with it.

Of course, Zooz could also just exchange all the buggy devices for the newest version of the ZSE11 under warranty, presumably with working firmware and a correct label.
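The provisioning-list edit from the procedure above, done by script with a check before and after. This is an added example, not part of the post or of Z-Wave JS UI; it assumes the exported file is a JSON array of entries, each carrying a `dsk` string next to the two objects quoted in the post, and the sample entries and DSKs are constructed.

```python
import copy

CLASSES = ("s2AccessControl", "s2Authenticated", "s2Unauthenticated", "s0Legacy")

def _entry(dsk, granted, requested):
    """Build a constructed sample entry in the shape quoted in the post."""
    return {"dsk": dsk,
            "securityClasses": {c: c in granted for c in CLASSES},
            "requestedSecurityClasses": {c: c in requested for c in CLASSES}}

# Constructed sample export (assumed layout: a list of entries keyed by "dsk").
DSK_A = "12345-23456-34567-45678-56789-01234-11111-22222"
DSK_B = "00001-00002-00003-00004-00005-00006-00007-00008"
SAMPLE_EXPORT = [
    _entry(DSK_A, {"s2Unauthenticated"}, set(CLASSES)),
    _entry(DSK_B, {"s2Authenticated", "s2Unauthenticated"},
           {"s2Authenticated", "s2Unauthenticated"}),
]

def not_granted(entries):
    """Return {dsk: [classes the device requests but the entry does not grant]}."""
    report = {}
    for entry in entries:
        requested = entry.get("requestedSecurityClasses", {})
        granted = entry.get("securityClasses", {})
        missing = [c for c in CLASSES if requested.get(c) and not granted.get(c)]
        if missing:
            report[entry["dsk"]] = missing
    return report

def grant_only(entries, dsk, granted):
    """Return a copy where the entry for `dsk` grants exactly the classes in `granted`."""
    unknown = set(granted) - set(CLASSES)
    if unknown:
        raise ValueError(f"unknown security classes: {sorted(unknown)}")
    patched = copy.deepcopy(entries)  # never modify the loaded export in place
    matches = [e for e in patched if e.get("dsk") == dsk]
    if len(matches) != 1:
        raise LookupError(f"expected one entry for DSK {dsk}, found {len(matches)}")
    requested = matches[0].get("requestedSecurityClasses", {})
    refused = [c for c in CLASSES if c in granted and not requested.get(c)]
    if refused:
        # Guard chosen for this example: do not grant what the device never requested.
        raise ValueError(f"device does not request: {refused}")
    matches[0]["securityClasses"] = {c: c in granted for c in CLASSES}
    return patched
```

Load the exported file with `json.load`, pass the list through `grant_only`, and write the result with `json.dump` before importing it again.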

Generating a SmartStart QR code is actually pretty easy with the right tool:

https://zwave-js.github.io/qr/

The only reason to care about S2 Authenticated vs S2 Unauthenticated is if you are using Association groups. Otherwise, there’s no difference.

1 Like

I finally got mine to add devices in S2 mode. It appears to be fixed in 2025.2.4 (I tried it on all recent previous versions). The server updated to a new version, but that didn’t seem to do the trick, either. But now it’s working well without any tricks.

I had to perform the procedure described above today on HA 2025.2.4 with Z-Wave JS UI 3.21.0. One of my ZSE11 just wouldn’t do S2 auth any other way I tried. The 2 units I have don’t behave the same, possibly due in part to bad QR codes.

Good to know that it only affects associations. I have never used those yet, but I plan to. The ZSE11 I setup today is in a closet with a ZEN76 switch for the lights. Currently, it is setup with a motion light automation in HA. I may change to use an association.

I recently converted all my Z-wave devices to non-LR mode. About 6 distant ZEN76 800LR struggled and frequently went dead. I added 14 more last weekend in between. Now there are enough hops that no device has gone dead yet. Unfortunately, the LR is not point to point, and it turns out the older protocol is better for my house. And of course LR does not support associations.

@madbrain - how did you perform steps #2 and #4? I’m not finding any provisions within HA to allow for that export/import process. I’m probably not looking in the right spot (I’m using Z-Wave JS) so would love the pointer in the proper direction here.

I have a whole host of ZEN15’s that will not, under any method I’ve tried to date - include (either manually or with SmartStart) with S2 enabled. They always include with no security and although the switches work fine operationally, it’s not how I want them to be on the network.

I’d appreciate any help here - thanks!

You need to be using Z-Wave JS UI to export your provisioning list to a file.

  1. Inside of Z-Wave JS UI you click the qr code on the left to navigate to the smart start page / provisioning list.
  2. Then you click the blue menu icon in the bottom right.
  3. From here you should see options to import and export the provisioning list

2 Likes