Antminer S19 – High Rejected Share Rate

Reboot the home router, wait 60 seconds, then reboot the miner — order matters. The full minute lets the router fully flush NAT state and renegotiate ISP DHCP; the miner then re-establishes a clean stratum TCP session. This single action resolves roughly a third of `sudden reject spike with no config change` tickets D-Central sees. Always try this before any more invasive diagnostics.

Verify the pool URL, port, and worker credentials letter-for-letter. Use the pool dashboard's copy-to-clipboard widget for the stratum URL and worker name — do not retype. Trailing spaces, smart quotes from iOS paste buffers, and `0` vs `O` typos account for a surprising share of mystery rejects flagged pool-side as `unauthorized worker`. Save, reboot, re-observe.

Check the miner's system clock on the dashboard. If it reads `1970-01-01` or drifts more than a couple of minutes from real time, configure NTP in the Network settings tab. A dead clock breaks TLS-wrapped stratum endpoints outright and poisons Noise-handshake freshness on Stratum V2. Schedule an RTC-battery swap as a Tier 2 task if the drift persists through reboot.

Switch to a regional pool endpoint. Most pools publish geo-routed stratum hosts (`us-east`, `eu-west`, `asia-sg`). Canadian miners should target US-East or EU-West mirrors, not Asia-Pacific. Save the config, reboot the miner, watch reject rate over the next 15 minutes. Regional routing clears `stale share` dominance 90% of the time.

Configure 2-3 failover pools in the Miner Configuration page. Pool 1 = primary, Pool 2 = a different pool entirely on a different network path, Pool 3 = solo CKPool as last resort. Doesn't reduce reject rate directly but keeps the miner hashing during pool-side incidents and gives you an A/B datapoint when one pool rejects while another accepts.

Run `mtr -r -c 100 <pool-stratum-host>` from a laptop on the miner's LAN and save the report. Healthy: round-trip under 80 ms with 0% loss. Borderline: 80-150 ms with <0.5% loss. Failing: >150 ms or >1% loss on any hop. Screenshot the output — you'll need it to escalate to the pool or your ISP. Repeat via SSH from the miner itself (`ssh root@<miner-ip>`) to isolate LAN vs miner-side issues.

Replace the `CR2032` RTC battery on the control board. Power off at the breaker, open the chassis, locate the coin cell near the SoC (look for `RTC` silkscreen). Use plastic tweezers — metal across the cell holder can short the control board. A fresh CR2032 plus NTP is the durable fix for `clock drifts every reboot` and eliminates an entire class of TLS / Noise-handshake failures.

Point the router-level DNS to `1.1.1.1` and `8.8.8.8`. ISP DNS frequently fails to resolve stratum hostnames reliably, especially after ISP-side DNS rotations or outages. Set at the router to cover every device on the LAN; verify with `nslookup <pool-host>` from the miner via SSH. 30 seconds of work, an entire failure surface eliminated.

Temporarily disable router `Gaming Mode`, `AiProtection`, `SPI firewall`, or any DPI-style feature. Consumer routers with aggressive security modes silently drop traffic to unusual ports. If reject rate falls to baseline with these disabled, re-enable and add explicit allow rules for the miner's MAC / IP on outbound TCP to the pool's host-port pair. Never run long-term with security disabled.

Put the miner on direct wired Ethernet — miner → managed switch → router. No Wi-Fi extenders, no powerline adapters, no consumer mesh. Wi-Fi and powerline introduce latency, jitter, and packet loss that kill stale-share rate on an S19. If you must extend, use a managed switch with uplink Ethernet cable, not a $30 Wi-Fi bridge. This is non-negotiable for a production S19.

Flash DCENT_OS (D-Central's own open-source Antminer firmware — the Mining Hackers' preferred option: per-share logging, proper vardiff tracking, clean ASICBoost negotiation, stratum v1/v2 diagnostics, no licensing fees). Alternatives: Braiins OS+, LuxOS, Vnish. Before flashing, back up your existing firmware to SD card and confirm your hardware revision — wrong firmware for a late-rev board bricks the control board. After flash, re-point at the pool and observe the reject-category breakdown in the firmware's log UI. You will see exactly which share class is failing.

Inspect `mining.configure` / `version-rolling` negotiation. On DCENT_OS / Braiins OS+ the Pool detail page shows the negotiated ASICBoost mask (`0x1fffe000` is standard for Braiins Pool). On Bitmain stock: SSH in and grep `kern.log` for `version-rolling` or `ASICBoost`. If the miner is rolling versions the pool didn't authorize, disable version-rolling entirely or switch to a pool with documented overt ASICBoost. AB-mismatch rejects disappear immediately once negotiation is clean.

Deploy a local stratum proxy (SRI translator for V2, or a V1 stratum proxy) on a Raspberry Pi 4. Point the miner at the proxy, point the proxy upstream at the pool. Proxy logs are vastly more verbose than miner logs — you see every `mining.submit`, every pool response, every `mining.set_difficulty` in real time. For fleets of 5+ miners the proxy also reduces TCP overhead and improves effective latency by pooling connections.

Measure PSU rail voltage at the board connector under full load with a multimeter on DC (≥13.8 V sustained on standard S19). Verify inlet-air temp at the grille (≤35 °C standard, ≤40 °C Hydro). Power sag and thermal throttling can skew chip behaviour enough to drift nonces into the `miner-accepts, pool-rejects` zone. Reject-rate math gets clean only when electrical and thermal baselines are in spec.

Test the pool's TLS-wrapped stratum endpoint if published (e.g., `stratum+ssl://<host>:<tls-port>` or `stratum2+tls://`). Some ISPs DPI plain-text stratum traffic and cause subtle packet drops. TLS-wrapped stratum looks like HTTPS on-wire and bypasses most DPI. If plain stratum rejects but TLS stratum is clean, you've diagnosed an ISP-layer issue and the long-term fix is TLS stratum fleet-wide.

Stop DIY when: (a) DCENT_OS / Braiins OS+ on one miner shows clean per-share logging but reject rate remains elevated only on that unit; (b) reject rate persists after firmware + network fixes with HW% also elevated (correlated silicon + stratum issue); (c) clock drift returns within hours of replacing CR2032 (RTC circuit failure); (d) rejections correlate with SoC panics / eMMC I/O errors in kern.log. Book a D-Central ASIC Repair slot at d-central.tech/services/asic-repair.

D-Central bench process for reject-rate escalations: packet-capture the miner's stratum session against a known-good pool in a controlled lab network; inspect `mining.submit` timing and `mining.set_difficulty` handling; 24-hour control-board RAM and eMMC burn-in; verify CR2032 + clock drift under temperature cycling; re-flash to a clean DCENT_OS image as baseline. For S9 / early S17 hardware where the SoC is memory-constrained, the recommendation often shifts to Space Heater conversion rather than forcing modern stratum on ancient silicon.

Ship safely. Control-board-only diagnostic: anti-static bag plus padded envelope. Full-miner diagnostic: double-box with ≥5 cm foam, include hashboards for under-load validation. Ticket must include: pool name, per-category reject breakdown, firmware version before failure, approximate date rejects started climbing, and any recent network / firmware / pool changes. Context reduces bench time and your invoice proportionally.